connectors/oidc: truely ignore "email_verified" claim if configured that way

Fixes #1455, I hope.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
Stephan Renatus
2019-05-28 14:43:00 +02:00
parent e137db978d
commit 4e8cbf0f61
2 changed files with 57 additions and 30 deletions


@@ -219,7 +219,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
}
emailVerified, found := claims["email_verified"].(bool)
if !found {
return identity, errors.New("missing \"email_verified\" claim")
if c.insecureSkipEmailVerified {
emailVerified = true
} else {
return identity, errors.New("missing \"email_verified\" claim")
}
}
hostedDomain, _ := claims["hd"].(string)
@@ -237,10 +241,6 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
}
}
if c.insecureSkipEmailVerified {
emailVerified = true
}
if c.getUserInfo {
userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
if err != nil {
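Review bot: With the unconditional override removed in the second hunk, `insecureSkipEmailVerified` now only fills in a claim that fails the `.(bool)` assertion at the top of the first hunk, so an explicit boolean `false` stays false while a non-boolean value such as the string `"false"` is treated as verified. If keeping an explicit false is intended, say so above the branch, e.g. `// insecureSkipEmailVerified only covers a missing or non-bool claim; an explicit false is kept`, because the commit title reads as if the claim were ignored entirely. The error `missing "email_verified" claim` is also returned for a wrong-typed claim; checking presence separately with `raw, present := claims["email_verified"]` would let the two cases be reported and handled apart. HandleCallback starts and ends outside both hunks, so how `emailVerified` is consumed afterwards is not visible here.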