Move claimMapping.enforce to overrideClaimMapping

Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
This commit is contained in:
Happy2C0de 2021-08-13 12:49:24 +02:00
parent 45143c98b3
commit 14a0aecc81
2 changed files with 18 additions and 13 deletions

View File

@ -56,14 +56,15 @@ type Config struct {
// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent) // PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
PromptType string `json:"promptType"` PromptType string `json:"promptType"`
// OverrideClaimMapping will be used to override the options defined in claimMappings.
// i.e. if there are 'email' and `preferred_email` claims available, by default Dex will always use the `email` claim independent of the ClaimMapping.EmailKey.
// This setting allows you to override the default behavior of Dex and enforce the mappings defined in `claimMapping`.
OverrideClaimMapping bool `json:"overrideClaimMapping"` // defaults to false
ClaimMapping ClaimMapping `json:"claimMapping"` ClaimMapping ClaimMapping `json:"claimMapping"`
} }
type ClaimMapping struct { type ClaimMapping struct {
// Enforce the ClaimMapping.
// i.e. an 'email' claim will always be taken if available,
// irrelevant of the settings in EmailKey. This option will enforce the ClaimMapping options independent of the existing claims.
Enforce bool `json:"enforce"` // defaults to false
// Configurable key which contains the preferred username claims // Configurable key which contains the preferred username claims
PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username" PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"
@ -160,6 +161,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
promptType: c.PromptType, promptType: c.PromptType,
userIDKey: c.UserIDKey, userIDKey: c.UserIDKey,
userNameKey: c.UserNameKey, userNameKey: c.UserNameKey,
overrideClaimMapping: c.OverrideClaimMapping,
claimMapping: c.ClaimMapping, claimMapping: c.ClaimMapping,
}, nil }, nil
} }
@ -183,6 +185,7 @@ type oidcConnector struct {
promptType string promptType string
userIDKey string userIDKey string
userNameKey string userNameKey string
overrideClaimMapping bool
claimMapping ClaimMapping claimMapping ClaimMapping
} }
@ -293,7 +296,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
prefUsername := "preferred_username" prefUsername := "preferred_username"
preferredUsername, found := claims[prefUsername].(string) preferredUsername, found := claims[prefUsername].(string)
if (!found || c.claimMapping.Enforce) && c.claimMapping.PreferredUsernameKey != "" { if (!found || c.overrideClaimMapping) && c.claimMapping.PreferredUsernameKey != "" {
prefUsername = c.claimMapping.PreferredUsernameKey prefUsername = c.claimMapping.PreferredUsernameKey
preferredUsername, found = claims[prefUsername].(string) preferredUsername, found = claims[prefUsername].(string)
if !found { if !found {
@ -312,7 +315,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
var email string var email string
emailKey := "email" emailKey := "email"
email, found = claims[emailKey].(string) email, found = claims[emailKey].(string)
if (!found || c.claimMapping.Enforce) && c.claimMapping.EmailKey != "" { if (!found || c.overrideClaimMapping) && c.claimMapping.EmailKey != "" {
emailKey = c.claimMapping.EmailKey emailKey = c.claimMapping.EmailKey
email, found = claims[emailKey].(string) email, found = claims[emailKey].(string)
if !found { if !found {
@ -337,7 +340,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
if c.insecureEnableGroups { if c.insecureEnableGroups {
groupsKey := "groups" groupsKey := "groups"
vs, found := claims[groupsKey].([]interface{}) vs, found := claims[groupsKey].([]interface{})
if (!found || c.claimMapping.Enforce) && c.claimMapping.GroupsKey != "" { if (!found || c.overrideClaimMapping) && c.claimMapping.GroupsKey != "" {
groupsKey = c.claimMapping.GroupsKey groupsKey = c.claimMapping.GroupsKey
vs, found = claims[groupsKey].([]interface{}) vs, found = claims[groupsKey].([]interface{})
} }

View File

@ -49,6 +49,7 @@ func TestHandleCallback(t *testing.T) {
name string name string
userIDKey string userIDKey string
userNameKey string userNameKey string
overrideClaimMapping bool
claimMapping ClaimMapping claimMapping ClaimMapping
insecureSkipEmailVerified bool insecureSkipEmailVerified bool
scopes []string scopes []string
@ -93,11 +94,11 @@ func TestHandleCallback(t *testing.T) {
}, },
}, },
{ {
name: "enforceCustomEmailClaim", name: "overrideWithCustomEmailClaim",
userIDKey: "", // not configured userIDKey: "", // not configured
userNameKey: "", // not configured userNameKey: "", // not configured
overrideClaimMapping: true,
claimMapping: ClaimMapping{ claimMapping: ClaimMapping{
Enforce: true,
EmailKey: "custommail", EmailKey: "custommail",
}, },
expectUserID: "subvalue", expectUserID: "subvalue",
@ -260,9 +261,9 @@ func TestHandleCallback(t *testing.T) {
}, },
}, },
{ {
name: "customGroupsKeyButGroupsProvidedButEnforced", name: "customGroupsKeyButGroupsProvidedButOverride",
overrideClaimMapping: true,
claimMapping: ClaimMapping{ claimMapping: ClaimMapping{
Enforce: true,
GroupsKey: "cognito:groups", GroupsKey: "cognito:groups",
}, },
expectUserID: "subvalue", expectUserID: "subvalue",
@ -309,6 +310,7 @@ func TestHandleCallback(t *testing.T) {
InsecureSkipEmailVerified: tc.insecureSkipEmailVerified, InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
InsecureEnableGroups: true, InsecureEnableGroups: true,
BasicAuthUnsupported: &basicAuth, BasicAuthUnsupported: &basicAuth,
OverrideClaimMapping: tc.overrideClaimMapping,
} }
config.ClaimMapping = tc.claimMapping config.ClaimMapping = tc.claimMapping