Add parameter configuration to override email claim key

Signed-off-by: Rui Yang <ruiya@vmware.com>
Cyrille Nofficial 2020-04-17 10:01:52 +02:00 committed by Rui Yang
parent 52c39fb130
commit 61312e726e
3 changed files with 34 additions and 2 deletions


@ -56,6 +56,11 @@ connectors:
# - email # - email
# - groups # - groups
# Some providers return no standard email claim key (ex: 'mail')
# Override email claim key
# Default is "email"
# emailClaim: email
# Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process
# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
# This can be overridden with the below option # This can be overridden with the below option


@ -58,6 +58,9 @@ type Config struct {
// Configurable key which contains the preferred username claims // Configurable key which contains the preferred username claims
PreferredUsernameKey string `json:"preferredUsernameKey"` PreferredUsernameKey string `json:"preferredUsernameKey"`
// EmailClaim override email claim key. Defaults to "email"
EmailClaim string `json:"emailClaim"`
// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent) // PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
PromptType string `json:"promptType"` PromptType string `json:"promptType"`
} }
@ -112,6 +115,11 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
endpoint.AuthStyle = oauth2.AuthStyleInParams endpoint.AuthStyle = oauth2.AuthStyleInParams
} }
emailClaim := "email"
if len(c.EmailClaim) > 0 {
emailClaim = c.EmailClaim
}
scopes := []string{oidc.ScopeOpenID} scopes := []string{oidc.ScopeOpenID}
if len(c.Scopes) > 0 { if len(c.Scopes) > 0 {
scopes = append(scopes, c.Scopes...) scopes = append(scopes, c.Scopes...)
@ -147,6 +155,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
userIDKey: c.UserIDKey, userIDKey: c.UserIDKey,
userNameKey: c.UserNameKey, userNameKey: c.UserNameKey,
preferredUsernameKey: c.PreferredUsernameKey, preferredUsernameKey: c.PreferredUsernameKey,
emailClaim: emailClaim,
promptType: c.PromptType, promptType: c.PromptType,
}, nil }, nil
} }
@ -170,6 +179,7 @@ type oidcConnector struct {
userIDKey string userIDKey string
userNameKey string userNameKey string
preferredUsernameKey string preferredUsernameKey string
emailClaim string
promptType string promptType string
} }
@ -286,9 +296,9 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
} }
} }
email, found := claims["email"].(string) email, found := claims[c.emailClaim].(string)
if !found && hasEmailScope { if !found && hasEmailScope {
return identity, errors.New("missing \"email\" claim") return identity, fmt.Errorf("missing \"%s\" claim", c.emailClaim)
} }
emailVerified, found := claims["email_verified"].(bool) emailVerified, found := claims["email_verified"].(bool)
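Review bot: In createIdentity the email value is now taken from the configurable c.emailClaim, but the verification flag on the following line is still read from the fixed "email_verified" claim, so when the key is overridden (for example "mail") that flag does not necessarily describe the claim actually used as the identity's email; neither the Config.EmailClaim comment nor the example config mentions this. Suggested field comment: `// EmailClaim overrides the claim key read as the user's email. Defaults to "email". The "email_verified" claim is still consulted as-is and may not describe a non-standard email claim.` On the error line, `%q` quotes the configured key safely and reads cleaner than a hand-escaped `\"%s\"`: `return identity, fmt.Errorf("missing %q claim", c.emailClaim)`. createIdentity begins before this hunk.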


@ -52,6 +52,7 @@ func TestHandleCallback(t *testing.T) {
preferredUsernameKey string preferredUsernameKey string
insecureSkipEmailVerified bool insecureSkipEmailVerified bool
scopes []string scopes []string
emailClaim string
expectUserID string expectUserID string
expectUserName string expectUserName string
expectPreferredUsername string expectPreferredUsername string
@ -72,6 +73,21 @@ func TestHandleCallback(t *testing.T) {
"email_verified": true, "email_verified": true,
}, },
}, },
{
name: "customEmailClaim",
userIDKey: "", // not configured
userNameKey: "", // not configured
emailClaim: "mail",
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"mail": "emailvalue",
"email_verified": true,
},
},
{ {
name: "email_verified not in claims, configured to be skipped", name: "email_verified not in claims, configured to be skipped",
insecureSkipEmailVerified: true, insecureSkipEmailVerified: true,
@ -206,6 +222,7 @@ func TestHandleCallback(t *testing.T) {
UserIDKey: tc.userIDKey, UserIDKey: tc.userIDKey,
UserNameKey: tc.userNameKey, UserNameKey: tc.userNameKey,
PreferredUsernameKey: tc.preferredUsernameKey, PreferredUsernameKey: tc.preferredUsernameKey,
EmailClaim: tc.emailClaim,
InsecureSkipEmailVerified: tc.insecureSkipEmailVerified, InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
BasicAuthUnsupported: &basicAuth, BasicAuthUnsupported: &basicAuth,
} }
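Review bot: The new customEmailClaim case only exercises the success path; nothing covers a configured claim that is absent from the token while the email scope is requested, which is the branch whose error text the change also rewrote to embed the claim name. A second case with `emailClaim: "mail"` and a token that carries "email" but not "mail", asserting the returned error, would pin that behaviour, assuming the table has (or gains) an expected-error field. TestHandleCallback continues outside the hunk.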