use claim mappings when retrieving user identity

Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-10-19 22:18:25 -04:00
parent 60b8875780
commit 02860da8b6
3 changed files with 90 additions and 50 deletions
--- a/connector/oauth/oauth.go
+++ b/connector/oauth/oauth.go
@@ -28,10 +28,12 @@ type oauthConnector struct {
 	authorizationURL     string
 	userInfoURL          string
 	scopes               []string
-	groupsKey            string
 	userIDKey            string
 	userNameKey          string
 	preferredUsernameKey string
+	emailKey             string
+	emailVerifiedKey     string
+	groupsKey            string
 	httpClient           *http.Client
 	logger               log.Logger
 }
@@ -41,36 +43,43 @@ type connectorData struct {
 }

 type Config struct {
-	ClientID             string   `json:"clientID"`
-	ClientSecret         string   `json:"clientSecret"`
-	RedirectURI          string   `json:"redirectURI"`
-	TokenURL             string   `json:"tokenURL"`
-	AuthorizationURL     string   `json:"authorizationURL"`
-	UserInfoURL          string   `json:"userInfoURL"`
-	Scopes               []string `json:"scopes"`
-	GroupsKey            string   `json:"groupsKey"`
-	UserIDKey            string   `json:"userIDKey"`
-	UserNameKey          string   `json:"userNameKey"`
-	PreferredUsernameKey string   `json:"preferredUsernameKey"`
-	RootCAs              []string `json:"rootCAs"`
-	InsecureSkipVerify   bool     `json:"insecureSkipVerify"`
+	ClientID           string   `json:"clientID"`
+	ClientSecret       string   `json:"clientSecret"`
+	RedirectURI        string   `json:"redirectURI"`
+	TokenURL           string   `json:"tokenURL"`
+	AuthorizationURL   string   `json:"authorizationURL"`
+	UserInfoURL        string   `json:"userInfoURL"`
+	Scopes             []string `json:"scopes"`
+	RootCAs            []string `json:"rootCAs"`
+	InsecureSkipVerify bool     `json:"insecureSkipVerify"`
+	UserIDKey          string   `json:"userIDKey"` // defaults to "id"
+	ClaimMapping       struct {
+		UserNameKey          string `json:"userNameKey"`          // defaults to "user_name"
+		PreferredUsernameKey string `json:"preferredUsernameKey"` // defaults to "preferred_username"
+		GroupsKey            string `json:"groupsKey"`            // defaults to "groups"
+		EmailKey             string `json:"emailKey"`             // defaults to "email"
+		EmailVerifiedKey     string `json:"emailVerifiedKey"`     // defaults to "email_verified"
+	} `json:"claimMapping"`
 }

 func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
 	var err error

 	oauthConn := &oauthConnector{
-		clientID:         c.ClientID,
-		clientSecret:     c.ClientSecret,
-		tokenURL:         c.TokenURL,
-		authorizationURL: c.AuthorizationURL,
-		userInfoURL:      c.UserInfoURL,
-		scopes:           c.Scopes,
-		groupsKey:        c.GroupsKey,
-		userIDKey:        c.UserIDKey,
-		userNameKey:      c.UserNameKey,
-		redirectURI:      c.RedirectURI,
-		logger:           logger,
+		clientID:             c.ClientID,
+		clientSecret:         c.ClientSecret,
+		tokenURL:             c.TokenURL,
+		authorizationURL:     c.AuthorizationURL,
+		userInfoURL:          c.UserInfoURL,
+		scopes:               c.Scopes,
+		redirectURI:          c.RedirectURI,
+		logger:               logger,
+		userIDKey:            c.UserIDKey,
+		userNameKey:          c.ClaimMapping.UserNameKey,
+		preferredUsernameKey: c.ClaimMapping.PreferredUsernameKey,
+		groupsKey:            c.ClaimMapping.GroupsKey,
+		emailKey:             c.ClaimMapping.EmailKey,
+		emailVerifiedKey:     c.ClaimMapping.EmailVerifiedKey,
 	}

 	oauthConn.httpClient, err = newHTTPClient(c.RootCAs, c.InsecureSkipVerify)
@@ -173,26 +182,39 @@ func (c *oauthConnector) HandleCallback(s connector.Scopes, r *http.Request) (id
 	}

 	if c.userIDKey == "" {
-		c.userIDKey = "user_id"
+		c.userIDKey = "id"
 	}

+	userID, found := userInfoResult[c.userIDKey].(string)
+	if !found {
+		return identity, fmt.Errorf("OAuth Connector: not found %v claim", c.userIDKey)
+	}
+
+	identity.UserID = userID
 	if c.userNameKey == "" {
 		c.userNameKey = "user_name"
 	}

-	if c.groupsKey == "" {
-		c.groupsKey = "groups"
-	}
-
 	if c.preferredUsernameKey == "" {
 		c.preferredUsernameKey = "preferred_username"
 	}

-	identity.UserID, _ = userInfoResult[c.userIDKey].(string)
+	if c.groupsKey == "" {
+		c.groupsKey = "groups"
+	}
+
+	if c.emailKey == "" {
+		c.emailKey = "email"
+	}
+
+	if c.emailVerifiedKey == "" {
+		c.emailVerifiedKey = "email_verified"
+	}
+
 	identity.Username, _ = userInfoResult[c.userNameKey].(string)
 	identity.PreferredUsername, _ = userInfoResult[c.preferredUsernameKey].(string)
-	identity.Email, _ = userInfoResult["email"].(string)
-	identity.EmailVerified, _ = userInfoResult["email_verified"].(bool)
+	identity.Email, _ = userInfoResult[c.emailKey].(string)
+	identity.EmailVerified, _ = userInfoResult[c.emailVerifiedKey].(bool)

 	if s.Groups {
 		groups := map[string]bool{}