go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-11-29 22:48:19 +02:00
Code Issues Releases Activity

Feature/configurable userid claim minimal (#499)

Browse Source 
* Add -user-id-claim to support other claims than email

Fix #431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".

- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
  `GetJwtSession` and overridden by oidc to respect `user-id-claim`

Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.

* Apply suggestions from code review

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Review feedback: Don't extract claims manually

Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.

* Fix indentation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Jakub Holy
2020-04-28 08:46:46 +02:00
committed by GitHub
parent 4d21b8a04f
commit 1961424561
9 changed files with 144 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
providers/provider_default.go
View File

@@ -10,6 +10,8 @@ import (
"net/url"
"time"
"github.com/coreos/go-oidc"
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
)
@@ -144,3 +146,37 @@ func (p *ProviderData) ValidateSessionState(s *sessions.SessionState) bool {
func (p *ProviderData) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
return false, nil
}
func (p *ProviderData) CreateSessionStateFromBearerToken(rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) {
var claims struct {
Subject string `json:"sub"`
Email string `json:"email"`
Verified *bool `json:"email_verified"`
PreferredUsername string `json:"preferred_username"`
}
if err := idToken.Claims(&claims); err != nil {
return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)
}
if claims.Email == "" {
claims.Email = claims.Subject
}
if claims.Verified != nil && !*claims.Verified {
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
}
newSession := &sessions.SessionState{
Email: claims.Email,
User: claims.Email,
PreferredUsername: claims.PreferredUsername,
}
newSession.AccessToken = rawIDToken
newSession.IDToken = rawIDToken
newSession.RefreshToken = ""
newSession.ExpiresOn = idToken.Expiry
return newSession, nil
}