Adding oidc email scope check

This helps to avoid the "no email claim" error when the email scope was not requested.

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
m.nabokikh
2019-12-28 12:18:51 +04:00
parent 789272a0c1
commit 383c2fe8b6
2 changed files with 67 additions and 17 deletions


@@ -262,15 +262,25 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
if !found {
return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
}
hasEmailScope := false
for _, s := range c.oauth2Config.Scopes {
if s == "email" {
hasEmailScope = true
break
}
}
email, found := claims["email"].(string)
if !found {
if !found && hasEmailScope {
return identity, errors.New("missing \"email\" claim")
}
emailVerified, found := claims["email_verified"].(bool)
if !found {
if c.insecureSkipEmailVerified {
emailVerified = true
} else {
} else if hasEmailScope {
return identity, errors.New("missing \"email_verified\" claim")
}
}
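Review bot: The new `else if hasEmailScope` branch silently changes what happens when the scope was not requested and `email_verified` is absent: `emailVerified` keeps its zero value `false` and execution continues, so an `email` claim the provider returned anyway (claims are taken from the token, not from the scope list) presumably ends up on the identity as unverified rather than producing an error, and nothing in the hunk says that this is intended. A comment on the fall-through would make the contract explicit, e.g. `// email scope not requested: a missing claim is not an error, but the email stays unverified.` The `hasEmailScope` loop is a hand-rolled contains over `c.oauth2Config.Scopes` with an exact match on `"email"`; a small helper such as `func (c *oidcConnector) hasScope(name string) bool` would name the intent and keep createIdentity readable. createIdentity continues past the end of the hunk, so the identity fields built from `email` and `emailVerified` are not visible here.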