Add support for adding 'groups' (group memberships) to user entries in 'staticPasswords'

larsw · larsw · commit 268fb70f2faa · 2025-12-19T10:30:22.000+01:00
diff --git a/cmd/dex/config.go b/cmd/dex/config.go
@@ -95,11 +95,12 @@ type password storage.Password
 
 func (p *password) UnmarshalJSON(b []byte) error {
 	var data struct {
-		Email       string `json:"email"`
-		Username    string `json:"username"`
-		UserID      string `json:"userID"`
-		Hash        string `json:"hash"`
-		HashFromEnv string `json:"hashFromEnv"`
+		Email       string   `json:"email"`
+		Username    string   `json:"username"`
+		UserID      string   `json:"userID"`
+		Hash        string   `json:"hash"`
+		HashFromEnv string   `json:"hashFromEnv"`
+		Groups      []string `json:"groups"`
 	}
 	if err := json.Unmarshal(b, &data); err != nil {
 		return err
@@ -108,6 +109,7 @@ func (p *password) UnmarshalJSON(b []byte) error {
 		Email:    data.Email,
 		Username: data.Username,
 		UserID:   data.UserID,
+		Groups:   data.Groups,
 	})
 	if len(data.Hash) == 0 && len(data.HashFromEnv) > 0 {
 		data.Hash = os.Getenv(data.HashFromEnv)
diff --git a/cmd/dex/config_test.go b/cmd/dex/config_test.go
@@ -116,8 +116,13 @@ staticPasswords:
   # bcrypt hash of the string "password"
   hash: "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"
   username: "admin"
+  groups:
+    - "administrators"
   userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
 - email: "foo@example.com"
+  groups:
+    - "developers"
+    - "testers"
   # base64'd value of the same bcrypt hash above. We want to be able to parse both of these
   hash: "JDJhJDEwJDMzRU1UMGNWWVZsUHk2V0FNQ0xzY2VMWWpXaHVIcGJ6NXl1Wnh1L0dBRmowM0o5THl0anV5"
   username: "foo"
@@ -134,7 +139,7 @@ logger:
   format: "json"
 
 additionalFeatures: [
-	"ConnectorsCRUD"
+    "ConnectorsCRUD"
 ]
 `)
 
@@ -207,12 +212,14 @@ additionalFeatures: [
 		StaticPasswords: []password{
 			{
 				Email:    "admin@example.com",
+				Groups:   []string{"administrators"},
 				Hash:     []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
 				Username: "admin",
 				UserID:   "08a8684b-db88-4b73-90a9-3cd1661f5466",
 			},
 			{
 				Email:    "foo@example.com",
+				Groups:   []string{"developers", "testers"},
 				Hash:     []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
 				Username: "foo",
 				UserID:   "41331323-6f44-45e6-b3b9-2c4b60c02be5",
@@ -331,11 +338,17 @@ connectors:
 enablePasswordDB: true
 staticPasswords:
 - email: "admin@example.com"
+  groups:
+    - "administrators"
   # bcrypt hash of the string "password"
   hash: "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"
   username: "admin"
   userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
 - email: "foo@example.com"
+  groups:
+    - "developers"
+    - "testers"
+  # hash is read from environment variable DEX_FOO_USER_PASSWORD
   hashFromEnv: "DEX_FOO_USER_PASSWORD"
   username: "foo"
   userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5"
@@ -421,12 +434,14 @@ logger:
 		StaticPasswords: []password{
 			{
 				Email:    "admin@example.com",
+				Groups:   []string{"administrators"},
 				Hash:     []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
 				Username: "admin",
 				UserID:   "08a8684b-db88-4b73-90a9-3cd1661f5466",
 			},
 			{
 				Email:    "foo@example.com",
+				Groups:   []string{"developers", "testers"},
 				Hash:     []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
 				Username: "foo",
 				UserID:   "41331323-6f44-45e6-b3b9-2c4b60c02be5",
diff --git a/config.dev.yaml b/config.dev.yaml
@@ -30,6 +30,10 @@ enablePasswordDB: true
 
 staticPasswords:
   - email: "admin@example.com"
+    groups:
+      - "administrators"
+      - "developers"
+      - "testers"
     hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
     username: "admin"
     userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
diff --git a/storage/storage.go b/storage/storage.go
@@ -354,6 +354,9 @@ type Password struct {
 
 	// Randomly generated user ID. This is NOT the primary ID of the Password object.
 	UserID string `json:"userID"`
+
+	// Groups associated with the password entry.
+	Groups []string `json:"groups"`	
 }
 
 // Connector is an object that contains the metadata about connectors used to login to Dex.

Original file line number	Diff line number	Diff line change
`@@ -354,6 +354,9 @@ type Password struct {`
`354`	`354`
`355`	`355`	`// Randomly generated user ID. This is NOT the primary ID of the Password object.`
`356`	`356`	UserID string `json:"userID"`
	`357`	`+`
	`358`	`+ // Groups associated with the password entry.`
	`359`	+ Groups []string `json:"groups"`
`357`	`360`	`}`
`358`	`361`
`359`	`362`	`// Connector is an object that contains the metadata about connectors used to login to Dex.`