Run getUserInfo prior to claim enforcement
If you have an oidc connector configured *and* that IdP provides thin tokens (e.g. Okta), then the majority of the requested claims come in the getUserInfo call (such as email_verified). So if getUserInfo is configured, it should be run before the claims are validated.
This commit is contained in:
parent
8427f0f15c
commit
512cb3169e
@ -213,6 +213,17 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
|
|||||||
return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
|
return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// We immediately want to run getUserInfo if configured before we validate the claims
|
||||||
|
if c.getUserInfo {
|
||||||
|
userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
|
||||||
|
if err != nil {
|
||||||
|
return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
|
||||||
|
}
|
||||||
|
if err := userInfo.Claims(&claims); err != nil {
|
||||||
|
return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
userNameKey := "name"
|
userNameKey := "name"
|
||||||
if c.userNameKey != "" {
|
if c.userNameKey != "" {
|
||||||
userNameKey = c.userNameKey
|
userNameKey = c.userNameKey
|
||||||
@ -249,16 +260,6 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.getUserInfo {
|
|
||||||
userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
|
|
||||||
if err != nil {
|
|
||||||
return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
|
|
||||||
}
|
|
||||||
if err := userInfo.Claims(&claims); err != nil {
|
|
||||||
return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
identity = connector.Identity{
|
identity = connector.Identity{
|
||||||
UserID: idToken.Subject,
|
UserID: idToken.Subject,
|
||||||
Username: name,
|
Username: name,
|
||||||
|
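Review bot: The userinfo response fetched in the first hunk is merged into `claims` without checking that its subject matches the ID token, and since the later checks (email_verified, the userNameKey lookup, and whatever follows outside the hunk) now validate the merged struct, OIDC Core 5.3.2's requirement to verify the UserInfo `sub` against the ID token `sub` should be enforced before the merge: `if userInfo.Subject != idToken.Subject {` / `return identity, fmt.Errorf("oidc: userinfo subject %q does not match id_token subject %q", userInfo.Subject, idToken.Subject)` / `}`. The merge itself also deserves a comment, because `userInfo.Claims(&claims)` unmarshals over a struct that was presumably already filled from the ID token (the decode error on the context line above suggests so), so a field present in both sources silently takes the userinfo value while a field absent from userinfo keeps the ID-token value — e.g. `// userinfo claims override ID-token claims for fields present in both; UserID stays pinned to idToken.Subject below`. HandleCallback starts and ends outside both hunks; the point applies to the first hunk only, the second being the removed original of the same block.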