Add groupsClaimMapping to the OIDC connector

The groupsClaimMapping setting allows one to specify which claim to pull group information from the OIDC provider. Previously it assumed group information was always in the "groups" claim, but that isn't the case for many OIDC providers (such as AWS Cognito using the "cognito:groups" claim instead) Signed-off-by: Scott Lemmon <slemmon@aurora.tech> Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-07 15:06:14 -07:00
parent 61312e726e
commit a783667c57
2 changed files with 17 additions and 2 deletions
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -44,6 +44,9 @@ type Config struct {
 	// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
 	InsecureEnableGroups bool `json:"insecureEnableGroups"`

+	// GroupsClaimMapping sets the name of the claim which contains the users groups. InsecureEnableGroups must be enabled to use this setting
+	GroupsClaimMapping string `json:"groupsClaimMapping"` // defaults to "groups"
+
 	// GetUserInfo uses the userinfo endpoint to get additional claims for
 	// the token. This is especially useful where upstreams return "thin"
 	// id tokens
@@ -132,6 +135,11 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		c.PromptType = "consent"
 	}

+	// GroupsClaimMapping should be "groups" by default, if not set
+	if c.GroupsClaimMapping == "" {
+		c.GroupsClaimMapping = "groups"
+	}
+
 	clientID := c.ClientID
 	return &oidcConnector{
 		provider:    provider,
@@ -151,6 +159,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		hostedDomains:             c.HostedDomains,
 		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
 		insecureEnableGroups:      c.InsecureEnableGroups,
+		groupsClaimMapping:        c.GroupsClaimMapping,
 		getUserInfo:               c.GetUserInfo,
 		userIDKey:                 c.UserIDKey,
 		userNameKey:               c.UserNameKey,
@@ -175,6 +184,7 @@ type oidcConnector struct {
 	hostedDomains             []string
 	insecureSkipEmailVerified bool
 	insecureEnableGroups      bool
+	groupsClaimMapping        string
 	getUserInfo               bool
 	userIDKey                 string
 	userNameKey               string
@@ -357,13 +367,14 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 	}

 	if c.insecureEnableGroups {
-		vs, ok := claims["groups"].([]interface{})
+
+		vs, ok := claims[c.groupsClaimMapping].([]interface{})
 		if ok {
 			for _, v := range vs {
 				if s, ok := v.(string); ok {
 					identity.Groups = append(identity.Groups, s)
 				} else {
-					return identity, errors.New("malformed \"groups\" claim")
+					return identity, fmt.Errorf("malformed \"%v\" claim", c.groupsClaimMapping)
 				}
 			}
 		}