Merge pull request #2418 from dirien/acr_values

feat: Add acr_values support for OIDC
This commit is contained in:
Maksim Nabokikh 2022-03-08 10:22:07 +04:00 committed by GitHub
commit cb9f0b5d5e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -44,6 +44,11 @@ type Config struct {
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved // InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
InsecureEnableGroups bool `json:"insecureEnableGroups"` InsecureEnableGroups bool `json:"insecureEnableGroups"`
// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
// within the Authentication Request that the Authorization Server is being requested to use for
// processing requests from this Client, with the values appearing in order of preference.
AcrValues []string `json:"acrValues"`
// GetUserInfo uses the userinfo endpoint to get additional claims for // GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin" // the token. This is especially useful where upstreams return "thin"
// id tokens // id tokens
@ -154,6 +159,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
hostedDomains: c.HostedDomains, hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified, insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups, insecureEnableGroups: c.InsecureEnableGroups,
acrValues: c.AcrValues,
getUserInfo: c.GetUserInfo, getUserInfo: c.GetUserInfo,
promptType: c.PromptType, promptType: c.PromptType,
userIDKey: c.UserIDKey, userIDKey: c.UserIDKey,
@ -180,6 +186,7 @@ type oidcConnector struct {
hostedDomains []string hostedDomains []string
insecureSkipEmailVerified bool insecureSkipEmailVerified bool
insecureEnableGroups bool insecureEnableGroups bool
acrValues []string
getUserInfo bool getUserInfo bool
promptType string promptType string
userIDKey string userIDKey string
@ -209,6 +216,11 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain)) opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
} }
if len(c.acrValues) > 0 {
acrValues := strings.Join(c.acrValues, " ")
opts = append(opts, oauth2.SetAuthURLParam("acr_values", acrValues))
}
if s.OfflineAccess { if s.OfflineAccess {
opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType)) opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
} }