Merge pull request #2511 from Blorpy/remove_hd_oidc
Remove the Google-specific `hd` (hosted domain) claim configuration from the oidc connector
commit
9cd29bdee0
@ -34,10 +34,6 @@ type Config struct {
Scopes []string `json:"scopes"` // defaults to "profile" and "email"
Scopes []string `json:"scopes"` // defaults to "profile" and "email"
// Optional list of whitelisted domains when using Google
// If this field is nonempty, only users from a listed domain will be allowed to log in
HostedDomains []string `json:"hostedDomains"`
// Override the value of email_verified to true in the returned claims
// Override the value of email_verified to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
@ -156,7 +152,6 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
),
),
logger: logger,
logger: logger,
cancel: cancel,
cancel: cancel,
hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups,
insecureEnableGroups: c.InsecureEnableGroups,
acrValues: c.AcrValues,
acrValues: c.AcrValues,
@ -183,7 +178,6 @@ type oidcConnector struct {
verifier *oidc.IDTokenVerifier
verifier *oidc.IDTokenVerifier
cancel context.CancelFunc
cancel context.CancelFunc
logger log.Logger
logger log.Logger
hostedDomains []string
insecureSkipEmailVerified bool
insecureSkipEmailVerified bool
insecureEnableGroups bool
insecureEnableGroups bool
acrValues []string
acrValues []string
@ -208,13 +202,6 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
}
}
var opts []oauth2.AuthCodeOption
var opts []oauth2.AuthCodeOption
if len(c.hostedDomains) > 0 {
preferredDomain := c.hostedDomains[0]
if len(c.hostedDomains) > 1 {
preferredDomain = "*"
}
opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
}
if len(c.acrValues) > 0 {
if len(c.acrValues) > 0 {
acrValues := strings.Join(c.acrValues, " ")
acrValues := strings.Join(c.acrValues, " ")
@ -361,21 +348,6 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
}
}
}
}
hostedDomain, _ := claims["hd"].(string)
if len(c.hostedDomains) > 0 {
found := false
for _, domain := range c.hostedDomains {
if hostedDomain == domain {
found = true
break
}
}
if !found {
return identity, fmt.Errorf("oidc: unexpected hd claim %v", hostedDomain)
}
}
cd := connectorData{
cd := connectorData{
RefreshToken: []byte(token.RefreshToken),
RefreshToken: []byte(token.RefreshToken),
}
}