Merge pull request #14 from PSNAppz/develop

Added client_roles to AuthPrincipal

Author: shibu-narayanan

.github/workflows/docker-build.yml

@@ -16,8 +16,8 @@ jobs:
       matrix:
         iam_api:
           - iam-staff-portal-api
-          - iam-agent-portal-api
-          - iam-bene-portal-api
+          # - iam-agent-portal-api
+          # - iam-bene-portal-api
     env:
       NAMESPACE: ${{ secrets.docker_hub_organisation || 'openg2p' }}
       SERVICE_NAME: ${{ matrix.iam_api }}

iam-agent-portal-api/README.md

@@ -0,0 +1 @@
+OpenG2P IAM Agent Portal API package.

iam-bene-portal-api/README.md

@@ -0,0 +1 @@
+OpenG2P IAM Bene Portal API package.

iam-core/src/iam_core/schemas/auth_principal.py

@@ -16,5 +16,6 @@ class AuthPrincipal(BaseModel):
     iat: datetime | None = None
     exp: datetime | None = None
     roles: list[str] = Field(default_factory=list)
+    client_roles: dict[str, list[str]] | None = None
     provider: str | None = None
     raw_claims: dict[str, Any] = Field(default_factory=dict)

iam-core/src/iam_core/user_auth/dependencies.py

@@ -67,6 +67,18 @@ def _extract_roles(claims: dict) -> list[str]:
     return sorted(realm_roles | client_roles)
 
 
+def _extract_client_roles(claims: dict) -> dict[str, list[str]] | None:
+    resource_access = claims.get("resource_access") or {}
+    if not resource_access:
+        return None
+    result = {}
+    for client, value in resource_access.items():
+        roles = (value or {}).get("roles") or []
+        if roles:
+            result[client] = sorted(roles)
+    return result or None
+
+
 def _resolve_user_type(claims: dict) -> str | None:
     return claims.get("user_type") or claims.get("userType")
 
@@ -85,6 +97,7 @@ async def auth_principal(
         iat=claims.get("iat"),
         exp=claims.get("exp"),
         roles=_extract_roles(claims),
+        client_roles=_extract_client_roles(claims),
         provider=claims.get("identity_provider") or claims.get("iss"),
         raw_claims=claims,
     )