k-space/dex
Archived
11
0
Fork 0
Code Issues Pull Requests Packages Projects Activity

Add option in oidc to hit the optional userinfo endpoint

Browse Source 
Some oauth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.
This commit is contained in:
Thomas Jackson
2019-04-24 13:58:35 -07:00
parent cd3c6983da
commit 52d09a2dfa
2 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
connector/oidc/oidc.go
View File

@@ -39,6 +39,11 @@ type Config struct {
// Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
GetUserInfo bool `json:"getUserInfo"`
}
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -105,6 +110,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
clientID := c.ClientID
return &oidcConnector{
provider: provider,
redirectURI: c.RedirectURI,
oauth2Config: &oauth2.Config{
ClientID: clientID,
@@ -120,6 +126,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
cancel: cancel,
hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
getUserInfo: c.GetUserInfo,
}, nil
}
@@ -129,6 +136,7 @@ var (
)
type oidcConnector struct {
provider *oidc.Provider
redirectURI string
oauth2Config *oauth2.Config
verifier *oidc.IDTokenVerifier
@@ -137,6 +145,7 @@ type oidcConnector struct {
logger log.Logger
hostedDomains []string
insecureSkipEmailVerified bool
getUserInfo bool
}
func (c *oidcConnector) Close() error {
@@ -219,6 +228,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
}
if c.getUserInfo {
userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
if err != nil {
return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
}
if err := userInfo.Claims(&claims); err != nil {
return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
}
}
identity = connector.Identity{
UserID: idToken.Subject,
Username: claims.Username,