Feature/add option to skip loading claims from profile url (#2329)

* add new flag skip-claims-from-profile-url * skip passing profile URL if SkipClaimsFromProfileURL * docs for --skip-claims-from-profile-url flag * update flag comment * update docs * update CHANGELOG.md * Update providers/provider_data.go Co-authored-by: Jan Larwig <jan@larwig.com> * Add tests for SkipClaimsFromProfileURL * simplify tests for SkipClaimsFromProfileURL * generate alpha_config.md --------- Co-authored-by: Jan Larwig <jan@larwig.com>
2025-12-01 22:51:45 +02:00 · 2024-01-20 20:51:42 +01:00
parent 184c5820af
commit 4c2bf5a2fe
8 changed files with 78 additions and 28 deletions
--- a/providers/provider_data_test.go
+++ b/providers/provider_data_test.go
@@ -8,6 +8,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
@@ -233,13 +235,16 @@ func TestProviderData_verifyIDToken(t *testing.T) {

 func TestProviderData_buildSessionFromClaims(t *testing.T) {
 	testCases := map[string]struct {
-		IDToken         idTokenClaims
-		AllowUnverified bool
-		UserClaim       string
-		EmailClaim      string
-		GroupsClaim     string
-		ExpectedError   error
-		ExpectedSession *sessions.SessionState
+		IDToken                  idTokenClaims
+		AllowUnverified          bool
+		UserClaim                string
+		EmailClaim               string
+		GroupsClaim              string
+		SkipClaimsFromProfileURL bool
+		SetProfileURL            bool
+		ExpectedError            error
+		ExpectedSession          *sessions.SessionState
+		ExpectProfileURLCalled   bool
 	}{
 		"Standard": {
 			IDToken:         defaultIDToken,
@@ -408,11 +413,36 @@ func TestProviderData_buildSessionFromClaims(t *testing.T) {
 				PreferredUsername: "Jane Dobbs",
 			},
 		},
+		"Request claims from ProfileURL": {
+			IDToken:                minimalIDToken,
+			SetProfileURL:          true,
+			ExpectProfileURLCalled: true,
+			ExpectedSession:        &sessions.SessionState{},
+		},
+		"Skip claims request to ProfileURL": {
+			IDToken:                  minimalIDToken,
+			SetProfileURL:            true,
+			SkipClaimsFromProfileURL: true,
+			ExpectedSession:          &sessions.SessionState{},
+		},
 	}
 	for testName, tc := range testCases {
 		t.Run(testName, func(t *testing.T) {
 			g := NewWithT(t)

+			var (
+				profileURL       *url.URL
+				profileURLCalled bool
+			)
+			if tc.SetProfileURL {
+				profileURLSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					profileURLCalled = true
+					w.Write([]byte("{}"))
+				}))
+				defer profileURLSrv.Close()
+				profileURL, _ = url.Parse(profileURLSrv.URL)
+			}
+
 			verificationOptions := internaloidc.IDTokenVerificationOptions{
 				AudienceClaims: []string{"aud"},
 				ClientID:       oidcClientID,
@@ -423,22 +453,26 @@ func TestProviderData_buildSessionFromClaims(t *testing.T) {
 					mockJWKS{},
 					&oidc.Config{ClientID: oidcClientID},
 				), verificationOptions),
+				ProfileURL:                 profileURL,
+				getAuthorizationHeaderFunc: func(s string) http.Header { return http.Header{} },
 			}
 			provider.AllowUnverifiedEmail = tc.AllowUnverified
 			provider.UserClaim = tc.UserClaim
 			provider.EmailClaim = tc.EmailClaim
 			provider.GroupsClaim = tc.GroupsClaim
+			provider.SkipClaimsFromProfileURL = tc.SkipClaimsFromProfileURL

 			rawIDToken, err := newSignedTestIDToken(tc.IDToken)
 			g.Expect(err).ToNot(HaveOccurred())

-			ss, err := provider.buildSessionFromClaims(rawIDToken, "")
+			ss, err := provider.buildSessionFromClaims(rawIDToken, "testtoken")
 			if err != nil {
 				g.Expect(err).To(Equal(tc.ExpectedError))
 			}
 			if ss != nil {
 				g.Expect(ss).To(Equal(tc.ExpectedSession))
 			}
+			g.Expect(profileURLCalled).To(Equal(tc.ExpectProfileURLCalled))
 		})
 	}
 }