Move claimMapping.enforce to overrideClaimMapping
Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
This commit is contained in:
parent
45143c98b3
commit
14a0aecc81
@ -56,14 +56,15 @@ type Config struct {
|
|||||||
// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
|
// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
|
||||||
PromptType string `json:"promptType"`
|
PromptType string `json:"promptType"`
|
||||||
|
|
||||||
|
// OverrideClaimMapping will be used to override the options defined in claimMappings.
|
||||||
|
// i.e. if there are 'email' and `preferred_email` claims available, by default Dex will always use the `email` claim independent of the ClaimMapping.EmailKey.
|
||||||
|
// This setting allows you to override the default behavior of Dex and enforce the mappings defined in `claimMapping`.
|
||||||
|
OverrideClaimMapping bool `json:"overrideClaimMapping"` // defaults to false
|
||||||
|
|
||||||
ClaimMapping ClaimMapping `json:"claimMapping"`
|
ClaimMapping ClaimMapping `json:"claimMapping"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type ClaimMapping struct {
|
type ClaimMapping struct {
|
||||||
// Enforce the ClaimMapping.
|
|
||||||
// i.e. an 'email' claim will always be taken if available,
|
|
||||||
// irrelevant of the settings in EmailKey. This option will enforce the ClaimMapping options independent of the existing claims.
|
|
||||||
Enforce bool `json:"enforce"` // defaults to false
|
|
||||||
|
|
||||||
// Configurable key which contains the preferred username claims
|
// Configurable key which contains the preferred username claims
|
||||||
PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"
|
PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"
|
||||||
@ -160,6 +161,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
|||||||
promptType: c.PromptType,
|
promptType: c.PromptType,
|
||||||
userIDKey: c.UserIDKey,
|
userIDKey: c.UserIDKey,
|
||||||
userNameKey: c.UserNameKey,
|
userNameKey: c.UserNameKey,
|
||||||
|
overrideClaimMapping: c.OverrideClaimMapping,
|
||||||
claimMapping: c.ClaimMapping,
|
claimMapping: c.ClaimMapping,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
@ -183,6 +185,7 @@ type oidcConnector struct {
|
|||||||
promptType string
|
promptType string
|
||||||
userIDKey string
|
userIDKey string
|
||||||
userNameKey string
|
userNameKey string
|
||||||
|
overrideClaimMapping bool
|
||||||
claimMapping ClaimMapping
|
claimMapping ClaimMapping
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -293,7 +296,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
|
|||||||
|
|
||||||
prefUsername := "preferred_username"
|
prefUsername := "preferred_username"
|
||||||
preferredUsername, found := claims[prefUsername].(string)
|
preferredUsername, found := claims[prefUsername].(string)
|
||||||
if (!found || c.claimMapping.Enforce) && c.claimMapping.PreferredUsernameKey != "" {
|
if (!found || c.overrideClaimMapping) && c.claimMapping.PreferredUsernameKey != "" {
|
||||||
prefUsername = c.claimMapping.PreferredUsernameKey
|
prefUsername = c.claimMapping.PreferredUsernameKey
|
||||||
preferredUsername, found = claims[prefUsername].(string)
|
preferredUsername, found = claims[prefUsername].(string)
|
||||||
if !found {
|
if !found {
|
||||||
@ -312,7 +315,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
|
|||||||
var email string
|
var email string
|
||||||
emailKey := "email"
|
emailKey := "email"
|
||||||
email, found = claims[emailKey].(string)
|
email, found = claims[emailKey].(string)
|
||||||
if (!found || c.claimMapping.Enforce) && c.claimMapping.EmailKey != "" {
|
if (!found || c.overrideClaimMapping) && c.claimMapping.EmailKey != "" {
|
||||||
emailKey = c.claimMapping.EmailKey
|
emailKey = c.claimMapping.EmailKey
|
||||||
email, found = claims[emailKey].(string)
|
email, found = claims[emailKey].(string)
|
||||||
if !found {
|
if !found {
|
||||||
@ -337,7 +340,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
|
|||||||
if c.insecureEnableGroups {
|
if c.insecureEnableGroups {
|
||||||
groupsKey := "groups"
|
groupsKey := "groups"
|
||||||
vs, found := claims[groupsKey].([]interface{})
|
vs, found := claims[groupsKey].([]interface{})
|
||||||
if (!found || c.claimMapping.Enforce) && c.claimMapping.GroupsKey != "" {
|
if (!found || c.overrideClaimMapping) && c.claimMapping.GroupsKey != "" {
|
||||||
groupsKey = c.claimMapping.GroupsKey
|
groupsKey = c.claimMapping.GroupsKey
|
||||||
vs, found = claims[groupsKey].([]interface{})
|
vs, found = claims[groupsKey].([]interface{})
|
||||||
}
|
}
|
||||||
|
@ -49,6 +49,7 @@ func TestHandleCallback(t *testing.T) {
|
|||||||
name string
|
name string
|
||||||
userIDKey string
|
userIDKey string
|
||||||
userNameKey string
|
userNameKey string
|
||||||
|
overrideClaimMapping bool
|
||||||
claimMapping ClaimMapping
|
claimMapping ClaimMapping
|
||||||
insecureSkipEmailVerified bool
|
insecureSkipEmailVerified bool
|
||||||
scopes []string
|
scopes []string
|
||||||
@ -93,11 +94,11 @@ func TestHandleCallback(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "enforceCustomEmailClaim",
|
name: "overrideWithCustomEmailClaim",
|
||||||
userIDKey: "", // not configured
|
userIDKey: "", // not configured
|
||||||
userNameKey: "", // not configured
|
userNameKey: "", // not configured
|
||||||
|
overrideClaimMapping: true,
|
||||||
claimMapping: ClaimMapping{
|
claimMapping: ClaimMapping{
|
||||||
Enforce: true,
|
|
||||||
EmailKey: "custommail",
|
EmailKey: "custommail",
|
||||||
},
|
},
|
||||||
expectUserID: "subvalue",
|
expectUserID: "subvalue",
|
||||||
@ -260,9 +261,9 @@ func TestHandleCallback(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "customGroupsKeyButGroupsProvidedButEnforced",
|
name: "customGroupsKeyButGroupsProvidedButOverride",
|
||||||
|
overrideClaimMapping: true,
|
||||||
claimMapping: ClaimMapping{
|
claimMapping: ClaimMapping{
|
||||||
Enforce: true,
|
|
||||||
GroupsKey: "cognito:groups",
|
GroupsKey: "cognito:groups",
|
||||||
},
|
},
|
||||||
expectUserID: "subvalue",
|
expectUserID: "subvalue",
|
||||||
@ -309,6 +310,7 @@ func TestHandleCallback(t *testing.T) {
|
|||||||
InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
|
InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
|
||||||
InsecureEnableGroups: true,
|
InsecureEnableGroups: true,
|
||||||
BasicAuthUnsupported: &basicAuth,
|
BasicAuthUnsupported: &basicAuth,
|
||||||
|
OverrideClaimMapping: tc.overrideClaimMapping,
|
||||||
}
|
}
|
||||||
config.ClaimMapping = tc.claimMapping
|
config.ClaimMapping = tc.claimMapping
|
||||||
|
|
||||||
|
Reference in New Issue
Block a user