Merge pull request #200 from aroskanalen/feature/1127-oidc-documentation

tuj · web-flow · commit 91d8bc24cdb0 · 2024-04-18T10:45:35.000+02:00
1127: Updated oidc internal documentation
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+- [#200](https://github.com/os2display/display-api-service/pull/200)
+  - Updated oidc internal documentation.
 - [#205](https://github.com/os2display/display-api-service/pull/205)
   - Fixed redirecting post requests.
 
diff --git a/README.md b/README.md
@@ -128,9 +128,16 @@ The internal oidc provider gets that user's name, email and tenants from claims.
 
 The claim keys needed are set in the env variables:
 
-- INTERNAL_OIDC_CLAIM_NAME
-- INTERNAL_OIDC_CLAIM_EMAIL
-- INTERNAL_OIDC_CLAIM_GROUPS
+- `INTERNAL_OIDC_CLAIM_NAME`
+- `INTERNAL_OIDC_CLAIM_EMAIL`
+- `INTERNAL_OIDC_CLAIM_GROUPS`
+
+The value of the claim with the name that is defined in the env variable `INTERNAL_OIDC_CLAIM_GROUPS` is mapped to
+the user's access to tenants in `App\Security\AzureOidcAuthenticator`. The claim field should consist of an array of
+names that should follow the following structure `<TENANT_NAME><ROLE_IN_TENANT>`.
+`<ROLE_IN_TENANT>` can be `Admin` or `Redaktoer` (editor).
+E.g. `Example1Admin` will map to the tenant with name `Example1` with `ROLE_ADMIN`.
+If the tenant does not exist it will be created when the user logs in.
 
 ### External
 
