You've already forked oauth2-proxy
mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-06-15 00:15:00 +02:00
Feature/configurable userid claim minimal (#499)
* Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Jakub Holy
GitHub
@ -19,6 +19,7 @@
|
|||||||
|
|
||||||
## Changes since v5.1.0
|
## Changes since v5.1.0
|
||||||
|
|
||||||
|
- [#499](https://github.com/oauth2-proxy/oauth2-proxy/pull/469) Add `-user-id-claim` to support generic claims in addition to email
|
||||||
- [#486](https://github.com/oauth2-proxy/oauth2-proxy/pull/486) Add new linters (@johejo)
|
- [#486](https://github.com/oauth2-proxy/oauth2-proxy/pull/486) Add new linters (@johejo)
|
||||||
- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API (@johejo)
|
- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API (@johejo)
|
||||||
- [#453](https://github.com/oauth2-proxy/oauth2-proxy/pull/453) Prevent browser caching during auth flow (@johejo)
|
- [#453](https://github.com/oauth2-proxy/oauth2-proxy/pull/453) Prevent browser caching during auth flow (@johejo)
|
||||||
|
|||||||
@ -119,6 +119,7 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example
|
|||||||
| `-tls-cert-file` | string | path to certificate file | |
|
| `-tls-cert-file` | string | path to certificate file | |
|
||||||
| `-tls-key-file` | string | path to private key file | |
|
| `-tls-key-file` | string | path to private key file | |
|
||||||
| `-upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://<status_code>` for static response. Routing is based on the path | |
|
| `-upstream` | string \| list | the http url(s) of the upstream endpoint, file:// paths for static files or `static://<status_code>` for static response. Routing is based on the path | |
|
||||||
|
| `-user-id-claim` | string | which claim contains the user ID | \["email"\] |
|
||||||
| `-validate-url` | string | Access token validation endpoint | |
|
| `-validate-url` | string | Access token validation endpoint | |
|
||||||
| `-version` | n/a | print version string | |
|
| `-version` | n/a | print version string | |
|
||||||
| `-whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` to allow subdomains (eg `.example.com`) | |
|
| `-whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` to allow subdomains (eg `.example.com`) | |
|
||||||
|
|||||||
2
main.go
2
main.go
@ -147,6 +147,8 @@ func main() {
|
|||||||
flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
|
flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
|
||||||
flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")
|
flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")
|
||||||
|
|
||||||
|
flagSet.String("user-id-claim", "email", "which claim contains the user ID")
|
||||||
|
|
||||||
flagSet.Parse(os.Args[1:])
|
flagSet.Parse(os.Args[1:])
|
||||||
|
|
||||||
if *showVersion {
|
if *showVersion {
|
||||||
|
|||||||
@ -1115,6 +1115,7 @@ func (p *OAuthProxy) ErrorJSON(rw http.ResponseWriter, code int) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// GetJwtSession loads a session based on a JWT token in the authorization header.
|
// GetJwtSession loads a session based on a JWT token in the authorization header.
|
||||||
|
// (see the config options skip-jwt-bearer-tokens and extra-jwt-issuers)
|
||||||
func (p *OAuthProxy) GetJwtSession(req *http.Request) (*sessionsapi.SessionState, error) {
|
func (p *OAuthProxy) GetJwtSession(req *http.Request) (*sessionsapi.SessionState, error) {
|
||||||
rawBearerToken, err := p.findBearerToken(req)
|
rawBearerToken, err := p.findBearerToken(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -1122,7 +1123,6 @@ func (p *OAuthProxy) GetJwtSession(req *http.Request) (*sessionsapi.SessionState
|
|||||||
}
|
}
|
||||||
|
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
var session *sessionsapi.SessionState
|
|
||||||
for _, verifier := range p.jwtBearerVerifiers {
|
for _, verifier := range p.jwtBearerVerifiers {
|
||||||
bearerToken, err := verifier.Verify(ctx, rawBearerToken)
|
bearerToken, err := verifier.Verify(ctx, rawBearerToken)
|
||||||
|
|
||||||
@ -1131,35 +1131,7 @@ func (p *OAuthProxy) GetJwtSession(req *http.Request) (*sessionsapi.SessionState
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
var claims struct {
|
return p.provider.CreateSessionStateFromBearerToken(rawBearerToken, bearerToken)
|
||||||
Subject string `json:"sub"`
|
|
||||||
Email string `json:"email"`
|
|
||||||
Verified *bool `json:"email_verified"`
|
|
||||||
PreferredUsername string `json:"preferred_username"`
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := bearerToken.Claims(&claims); err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if claims.Email == "" {
|
|
||||||
claims.Email = claims.Subject
|
|
||||||
}
|
|
||||||
|
|
||||||
if claims.Verified != nil && !*claims.Verified {
|
|
||||||
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
|
||||||
}
|
|
||||||
|
|
||||||
session = &sessionsapi.SessionState{
|
|
||||||
AccessToken: rawBearerToken,
|
|
||||||
IDToken: rawBearerToken,
|
|
||||||
RefreshToken: "",
|
|
||||||
ExpiresOn: bearerToken.Expiry,
|
|
||||||
Email: claims.Email,
|
|
||||||
User: claims.Email,
|
|
||||||
PreferredUsername: claims.PreferredUsername,
|
|
||||||
}
|
|
||||||
return session, nil
|
|
||||||
}
|
}
|
||||||
return nil, fmt.Errorf("unable to verify jwt token %s", req.Header.Get("Authorization"))
|
return nil, fmt.Errorf("unable to verify jwt token %s", req.Header.Get("Authorization"))
|
||||||
}
|
}
|
||||||
|
|||||||
@ -107,6 +107,7 @@ type Options struct {
|
|||||||
Scope string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
|
Scope string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
|
||||||
Prompt string `flag:"prompt" cfg:"prompt" env:"OAUTH2_PROXY_PROMPT"`
|
Prompt string `flag:"prompt" cfg:"prompt" env:"OAUTH2_PROXY_PROMPT"`
|
||||||
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"` // Deprecated by OIDC 1.0
|
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"` // Deprecated by OIDC 1.0
|
||||||
|
UserIDClaim string `flag:"user-id-claim" cfg:"user_id_claim" env:"OAUTH2_PROXY_USER_ID_CLAIM"`
|
||||||
|
|
||||||
// Configuration values for logging
|
// Configuration values for logging
|
||||||
LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_PROXY_LOGGING_FILENAME"`
|
LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_PROXY_LOGGING_FILENAME"`
|
||||||
@ -179,6 +180,7 @@ func NewOptions() *Options {
|
|||||||
PreferEmailToUser: false,
|
PreferEmailToUser: false,
|
||||||
Prompt: "", // Change to "login" when ApprovalPrompt officially deprecated
|
Prompt: "", // Change to "login" when ApprovalPrompt officially deprecated
|
||||||
ApprovalPrompt: "force",
|
ApprovalPrompt: "force",
|
||||||
|
UserIDClaim: "email",
|
||||||
InsecureOIDCAllowUnverifiedEmail: false,
|
InsecureOIDCAllowUnverifiedEmail: false,
|
||||||
SkipOIDCDiscovery: false,
|
SkipOIDCDiscovery: false,
|
||||||
LoggingFilename: "",
|
LoggingFilename: "",
|
||||||
@ -500,6 +502,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
|
|||||||
p.SetRepository(o.BitbucketRepository)
|
p.SetRepository(o.BitbucketRepository)
|
||||||
case *providers.OIDCProvider:
|
case *providers.OIDCProvider:
|
||||||
p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
|
p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
|
||||||
|
p.UserIDClaim = o.UserIDClaim
|
||||||
if o.oidcVerifier == nil {
|
if o.oidcVerifier == nil {
|
||||||
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
|
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
@ -14,12 +14,15 @@ import (
|
|||||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/requests"
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/requests"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const emailClaim = "email"
|
||||||
|
|
||||||
// OIDCProvider represents an OIDC based Identity Provider
|
// OIDCProvider represents an OIDC based Identity Provider
|
||||||
type OIDCProvider struct {
|
type OIDCProvider struct {
|
||||||
*ProviderData
|
*ProviderData
|
||||||
|
|
||||||
Verifier *oidc.IDTokenVerifier
|
Verifier *oidc.IDTokenVerifier
|
||||||
AllowUnverifiedEmail bool
|
AllowUnverifiedEmail bool
|
||||||
|
UserIDClaim string
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewOIDCProvider initiates a new OIDCProvider
|
// NewOIDCProvider initiates a new OIDCProvider
|
||||||
@ -148,24 +151,15 @@ func (p *OIDCProvider) findVerifiedIDToken(ctx context.Context, token *oauth2.To
|
|||||||
|
|
||||||
func (p *OIDCProvider) createSessionState(token *oauth2.Token, idToken *oidc.IDToken) (*sessions.SessionState, error) {
|
func (p *OIDCProvider) createSessionState(token *oauth2.Token, idToken *oidc.IDToken) (*sessions.SessionState, error) {
|
||||||
|
|
||||||
newSession := &sessions.SessionState{}
|
var newSession *sessions.SessionState
|
||||||
|
|
||||||
if idToken != nil {
|
if idToken == nil {
|
||||||
claims, err := findClaimsFromIDToken(idToken, token.AccessToken, p.ProfileURL.String())
|
newSession = &sessions.SessionState{}
|
||||||
|
} else {
|
||||||
|
var err error
|
||||||
|
newSession, err = p.createSessionStateInternal(token.Extra("id_token").(string), idToken, token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("couldn't extract claims from id_token (%e)", err)
|
return nil, err
|
||||||
}
|
|
||||||
|
|
||||||
if claims != nil {
|
|
||||||
|
|
||||||
if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
|
|
||||||
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
|
||||||
}
|
|
||||||
|
|
||||||
newSession.IDToken = token.Extra("id_token").(string)
|
|
||||||
newSession.Email = claims.Email
|
|
||||||
newSession.User = claims.Subject
|
|
||||||
newSession.PreferredUsername = claims.PreferredUsername
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -176,6 +170,52 @@ func (p *OIDCProvider) createSessionState(token *oauth2.Token, idToken *oidc.IDT
|
|||||||
return newSession, nil
|
return newSession, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *OIDCProvider) CreateSessionStateFromBearerToken(rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) {
|
||||||
|
newSession, err := p.createSessionStateInternal(rawIDToken, idToken, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
newSession.AccessToken = rawIDToken
|
||||||
|
newSession.IDToken = rawIDToken
|
||||||
|
newSession.RefreshToken = ""
|
||||||
|
newSession.ExpiresOn = idToken.Expiry
|
||||||
|
|
||||||
|
return newSession, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *OIDCProvider) createSessionStateInternal(rawIDToken string, idToken *oidc.IDToken, token *oauth2.Token) (*sessions.SessionState, error) {
|
||||||
|
|
||||||
|
newSession := &sessions.SessionState{}
|
||||||
|
|
||||||
|
if idToken == nil {
|
||||||
|
return newSession, nil
|
||||||
|
}
|
||||||
|
accessToken := ""
|
||||||
|
if token != nil {
|
||||||
|
accessToken = token.AccessToken
|
||||||
|
}
|
||||||
|
|
||||||
|
claims, err := p.findClaimsFromIDToken(idToken, accessToken, p.ProfileURL.String())
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("couldn't extract claims from id_token (%e)", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
newSession.IDToken = rawIDToken
|
||||||
|
|
||||||
|
newSession.Email = claims.UserID // TODO Rename SessionState.Email to .UserID in the near future
|
||||||
|
|
||||||
|
newSession.User = claims.Subject
|
||||||
|
newSession.PreferredUsername = claims.PreferredUsername
|
||||||
|
|
||||||
|
verifyEmail := (p.UserIDClaim == emailClaim) && !p.AllowUnverifiedEmail
|
||||||
|
if verifyEmail && claims.Verified != nil && !*claims.Verified {
|
||||||
|
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.UserID)
|
||||||
|
}
|
||||||
|
|
||||||
|
return newSession, nil
|
||||||
|
}
|
||||||
|
|
||||||
// ValidateSessionState checks that the session's IDToken is still valid
|
// ValidateSessionState checks that the session's IDToken is still valid
|
||||||
func (p *OIDCProvider) ValidateSessionState(s *sessions.SessionState) bool {
|
func (p *OIDCProvider) ValidateSessionState(s *sessions.SessionState) bool {
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
@ -190,15 +230,25 @@ func getOIDCHeader(accessToken string) http.Header {
|
|||||||
return header
|
return header
|
||||||
}
|
}
|
||||||
|
|
||||||
func findClaimsFromIDToken(idToken *oidc.IDToken, accessToken string, profileURL string) (*OIDCClaims, error) {
|
func (p *OIDCProvider) findClaimsFromIDToken(idToken *oidc.IDToken, accessToken string, profileURL string) (*OIDCClaims, error) {
|
||||||
|
|
||||||
// Extract custom claims.
|
|
||||||
claims := &OIDCClaims{}
|
claims := &OIDCClaims{}
|
||||||
if err := idToken.Claims(claims); err != nil {
|
// Extract default claims.
|
||||||
return nil, fmt.Errorf("failed to parse id_token claims: %v", err)
|
if err := idToken.Claims(&claims); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse default id_token claims: %v", err)
|
||||||
|
}
|
||||||
|
// Extract custom claims.
|
||||||
|
if err := idToken.Claims(&claims.rawClaims); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse all id_token claims: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if claims.Email == "" {
|
userID := claims.rawClaims[p.UserIDClaim]
|
||||||
|
if userID == nil {
|
||||||
|
return nil, fmt.Errorf("claims did not contains the required user-id-claim '%s'", p.UserIDClaim)
|
||||||
|
}
|
||||||
|
claims.UserID = fmt.Sprint(userID)
|
||||||
|
|
||||||
|
if p.UserIDClaim == emailClaim && claims.UserID == "" {
|
||||||
if profileURL == "" {
|
if profileURL == "" {
|
||||||
return nil, fmt.Errorf("id_token did not contain an email")
|
return nil, fmt.Errorf("id_token did not contain an email")
|
||||||
}
|
}
|
||||||
@ -223,15 +273,16 @@ func findClaimsFromIDToken(idToken *oidc.IDToken, accessToken string, profileURL
|
|||||||
return nil, fmt.Errorf("neither id_token nor userinfo endpoint contained an email")
|
return nil, fmt.Errorf("neither id_token nor userinfo endpoint contained an email")
|
||||||
}
|
}
|
||||||
|
|
||||||
claims.Email = email
|
claims.UserID = email
|
||||||
}
|
}
|
||||||
|
|
||||||
return claims, nil
|
return claims, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type OIDCClaims struct {
|
type OIDCClaims struct {
|
||||||
|
rawClaims map[string]interface{}
|
||||||
|
UserID string
|
||||||
Subject string `json:"sub"`
|
Subject string `json:"sub"`
|
||||||
Email string `json:"email"`
|
|
||||||
Verified *bool `json:"email_verified"`
|
Verified *bool `json:"email_verified"`
|
||||||
PreferredUsername string `json:"preferred_username"`
|
PreferredUsername string `json:"preferred_username"`
|
||||||
}
|
}
|
||||||
|
|||||||
@ -31,6 +31,7 @@ const secret = "secret"
|
|||||||
type idTokenClaims struct {
|
type idTokenClaims struct {
|
||||||
Name string `json:"name,omitempty"`
|
Name string `json:"name,omitempty"`
|
||||||
Email string `json:"email,omitempty"`
|
Email string `json:"email,omitempty"`
|
||||||
|
Phone string `json:"phone_number,omitempty"`
|
||||||
Picture string `json:"picture,omitempty"`
|
Picture string `json:"picture,omitempty"`
|
||||||
jwt.StandardClaims
|
jwt.StandardClaims
|
||||||
}
|
}
|
||||||
@ -46,6 +47,7 @@ type redeemTokenResponse struct {
|
|||||||
var defaultIDToken idTokenClaims = idTokenClaims{
|
var defaultIDToken idTokenClaims = idTokenClaims{
|
||||||
"Jane Dobbs",
|
"Jane Dobbs",
|
||||||
"janed@me.com",
|
"janed@me.com",
|
||||||
|
"+4798765432",
|
||||||
"http://mugbook.com/janed/me.jpg",
|
"http://mugbook.com/janed/me.jpg",
|
||||||
jwt.StandardClaims{
|
jwt.StandardClaims{
|
||||||
Audience: "https://test.myapp.com",
|
Audience: "https://test.myapp.com",
|
||||||
@ -106,6 +108,7 @@ func newOIDCProvider(serverURL *url.URL) *OIDCProvider {
|
|||||||
fakeKeySetStub{},
|
fakeKeySetStub{},
|
||||||
&oidc.Config{ClientID: clientID},
|
&oidc.Config{ClientID: clientID},
|
||||||
),
|
),
|
||||||
|
UserIDClaim: "email",
|
||||||
}
|
}
|
||||||
|
|
||||||
return p
|
return p
|
||||||
@ -165,6 +168,26 @@ func TestOIDCProviderRedeem(t *testing.T) {
|
|||||||
assert.Equal(t, "123456789", session.User)
|
assert.Equal(t, "123456789", session.User)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestOIDCProviderRedeem_custom_userid(t *testing.T) {
|
||||||
|
|
||||||
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
||||||
|
body, _ := json.Marshal(redeemTokenResponse{
|
||||||
|
AccessToken: accessToken,
|
||||||
|
ExpiresIn: 10,
|
||||||
|
TokenType: "Bearer",
|
||||||
|
RefreshToken: refreshToken,
|
||||||
|
IDToken: idToken,
|
||||||
|
})
|
||||||
|
|
||||||
|
server, provider := newTestSetup(body)
|
||||||
|
provider.UserIDClaim = "phone_number"
|
||||||
|
defer server.Close()
|
||||||
|
|
||||||
|
session, err := provider.Redeem(provider.RedeemURL.String(), "code1234")
|
||||||
|
assert.Equal(t, nil, err)
|
||||||
|
assert.Equal(t, defaultIDToken.Phone, session.Email)
|
||||||
|
}
|
||||||
|
|
||||||
func TestOIDCProviderRefreshSessionIfNeededWithoutIdToken(t *testing.T) {
|
func TestOIDCProviderRefreshSessionIfNeededWithoutIdToken(t *testing.T) {
|
||||||
|
|
||||||
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
||||||
|
|||||||
@ -10,6 +10,8 @@ import (
|
|||||||
"net/url"
|
"net/url"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/coreos/go-oidc"
|
||||||
|
|
||||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
|
||||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
||||||
)
|
)
|
||||||
@ -144,3 +146,37 @@ func (p *ProviderData) ValidateSessionState(s *sessions.SessionState) bool {
|
|||||||
func (p *ProviderData) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
|
func (p *ProviderData) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
|
||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *ProviderData) CreateSessionStateFromBearerToken(rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) {
|
||||||
|
var claims struct {
|
||||||
|
Subject string `json:"sub"`
|
||||||
|
Email string `json:"email"`
|
||||||
|
Verified *bool `json:"email_verified"`
|
||||||
|
PreferredUsername string `json:"preferred_username"`
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := idToken.Claims(&claims); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if claims.Email == "" {
|
||||||
|
claims.Email = claims.Subject
|
||||||
|
}
|
||||||
|
|
||||||
|
if claims.Verified != nil && !*claims.Verified {
|
||||||
|
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
||||||
|
}
|
||||||
|
|
||||||
|
newSession := &sessions.SessionState{
|
||||||
|
Email: claims.Email,
|
||||||
|
User: claims.Email,
|
||||||
|
PreferredUsername: claims.PreferredUsername,
|
||||||
|
}
|
||||||
|
|
||||||
|
newSession.AccessToken = rawIDToken
|
||||||
|
newSession.IDToken = rawIDToken
|
||||||
|
newSession.RefreshToken = ""
|
||||||
|
newSession.ExpiresOn = idToken.Expiry
|
||||||
|
|
||||||
|
return newSession, nil
|
||||||
|
}
|
||||||
|
|||||||
@ -1,6 +1,7 @@
|
|||||||
package providers
|
package providers
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"github.com/coreos/go-oidc"
|
||||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
|
||||||
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
||||||
)
|
)
|
||||||
@ -18,6 +19,7 @@ type Provider interface {
|
|||||||
RefreshSessionIfNeeded(*sessions.SessionState) (bool, error)
|
RefreshSessionIfNeeded(*sessions.SessionState) (bool, error)
|
||||||
SessionFromCookie(string, *encryption.Cipher) (*sessions.SessionState, error)
|
SessionFromCookie(string, *encryption.Cipher) (*sessions.SessionState, error)
|
||||||
CookieForSession(*sessions.SessionState, *encryption.Cipher) (string, error)
|
CookieForSession(*sessions.SessionState, *encryption.Cipher) (string, error)
|
||||||
|
CreateSessionStateFromBearerToken(rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// New provides a new Provider based on the configured provider string
|
// New provides a new Provider based on the configured provider string
|
||||||
|
|||||||
Reference in New Issue
Block a user