Add groupsClaimMapping to the OIDC connector

The groupsClaimMapping setting allows one to specify which claim to pull
group information from the OIDC provider.  Previously it assumed group
information was always in the "groups" claim, but that isn't the case
for many OIDC providers (such as AWS Cognito using the "cognito:groups"
claim instead)

Signed-off-by: Scott Lemmon <slemmon@aurora.tech>
Signed-off-by: Rui Yang <ruiya@vmware.com>
This commit is contained in:
Scott Lemmon 2020-08-07 15:06:14 -07:00 committed by Rui Yang
parent 61312e726e
commit a783667c57
2 changed files with 17 additions and 2 deletions

View File

@ -73,6 +73,10 @@ connectors:
# This can be overridden with the below option # This can be overridden with the below option
# insecureEnableGroups: true # insecureEnableGroups: true
# If an OIDC provider uses a different claim name than the standard "groups" claim to provide group information
# the claim to use can be specified
# groupsClaimMapping: "cognito:groups"
# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
# all the claims requested. # all the claims requested.

View File

@ -44,6 +44,9 @@ type Config struct {
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved // InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
InsecureEnableGroups bool `json:"insecureEnableGroups"` InsecureEnableGroups bool `json:"insecureEnableGroups"`
// GroupsClaimMapping sets the name of the claim which contains the users groups. InsecureEnableGroups must be enabled to use this setting
GroupsClaimMapping string `json:"groupsClaimMapping"` // defaults to "groups"
// GetUserInfo uses the userinfo endpoint to get additional claims for // GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin" // the token. This is especially useful where upstreams return "thin"
// id tokens // id tokens
@ -132,6 +135,11 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
c.PromptType = "consent" c.PromptType = "consent"
} }
// GroupsClaimMapping should be "groups" by default, if not set
if c.GroupsClaimMapping == "" {
c.GroupsClaimMapping = "groups"
}
clientID := c.ClientID clientID := c.ClientID
return &oidcConnector{ return &oidcConnector{
provider: provider, provider: provider,
@ -151,6 +159,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
hostedDomains: c.HostedDomains, hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified, insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups, insecureEnableGroups: c.InsecureEnableGroups,
groupsClaimMapping: c.GroupsClaimMapping,
getUserInfo: c.GetUserInfo, getUserInfo: c.GetUserInfo,
userIDKey: c.UserIDKey, userIDKey: c.UserIDKey,
userNameKey: c.UserNameKey, userNameKey: c.UserNameKey,
@ -175,6 +184,7 @@ type oidcConnector struct {
hostedDomains []string hostedDomains []string
insecureSkipEmailVerified bool insecureSkipEmailVerified bool
insecureEnableGroups bool insecureEnableGroups bool
groupsClaimMapping string
getUserInfo bool getUserInfo bool
userIDKey string userIDKey string
userNameKey string userNameKey string
@ -357,13 +367,14 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
} }
if c.insecureEnableGroups { if c.insecureEnableGroups {
vs, ok := claims["groups"].([]interface{})
vs, ok := claims[c.groupsClaimMapping].([]interface{})
if ok { if ok {
for _, v := range vs { for _, v := range vs {
if s, ok := v.(string); ok { if s, ok := v.(string); ok {
identity.Groups = append(identity.Groups, s) identity.Groups = append(identity.Groups, s)
} else { } else {
return identity, errors.New("malformed \"groups\" claim") return identity, fmt.Errorf("malformed \"%v\" claim", c.groupsClaimMapping)
} }
} }
} }