From fc723af0fe9d2969299edf2ffa457527790cb349 Mon Sep 17 00:00:00 2001
From: Gerald Barker
Date: Tue, 5 Mar 2019 21:24:02 +0000
Subject: [PATCH] Add option to OIDC connecter to override email_verified to true

---
 Documentation/connectors/oidc.md | 5 +++++
 connector/oidc/oidc.go | 30 ++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/Documentation/connectors/oidc.md b/Documentation/connectors/oidc.md
index 1217bc8f..559c0f8c 100644
--- a/Documentation/connectors/oidc.md
+++ b/Documentation/connectors/oidc.md
@@ -55,6 +55,11 @@ connectors:
 # - profile
 # - email
 # - groups
+
+# Some providers return claims without "email_verified", when they had no usage of emails verification in enrollement process
+# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
+# This can be overridden with the below option
+# insecureSkipEmailVerified: true
 ```
 
 [oidc-doc]: openid-connect.md
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index ac24acc9..65f877ee 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -36,6 +36,9 @@ type Config struct {
 // Optional list of whitelisted domains when using Google
 // If this field is nonempty, only users from a listed domain will be allowed to log in
 HostedDomains []string `json:"hostedDomains"`
+
+// Override the value of email_verifed to true in the returned claims
+InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
 }
 
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -113,9 +116,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 verifier: provider.Verifier(
 &oidc.Config{ClientID: clientID},
 ),
-logger: logger,
-cancel: cancel,
-hostedDomains: c.HostedDomains,
+logger: logger,
+cancel: cancel,
+hostedDomains: c.HostedDomains,
+insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
 }, nil
 }
 
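Review bot: The doc comment on the new InsecureSkipEmailVerified field in the Config hunk misspells the claim name (`email_verifed`) and understates what the flag does: as the HandleCallback change later in this patch shows, the value is forced to true whether the provider omitted email_verified or explicitly returned false. A comment that makes the trade-off visible to whoever sets the option would be `// InsecureSkipEmailVerified forces email_verified to true in the returned identity, whether the provider omitted the claim or returned false; enable only for providers known to never send it.` The Config struct starts outside this hunk.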
@@ -125,13 +129,14 @@ var (
 )
 
 type oidcConnector struct {
-redirectURI string
-oauth2Config *oauth2.Config
-verifier *oidc.IDTokenVerifier
-ctx context.Context
-cancel context.CancelFunc
-logger log.Logger
-hostedDomains []string
+redirectURI string
+oauth2Config *oauth2.Config
+verifier *oidc.IDTokenVerifier
+ctx context.Context
+cancel context.CancelFunc
+logger log.Logger
+hostedDomains []string
+insecureSkipEmailVerified bool
 }
 
 func (c *oidcConnector) Close() error {
@@ -209,6 +214,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 }
 }
 
+if c.insecureSkipEmailVerified {
+claims.EmailVerified = true
+
+}
+
 identity = connector.Identity{
 UserID: idToken.Subject,
 Username: claims.Username,
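Review bot: The new block in HandleCallback sets `claims.EmailVerified = true` regardless of what the provider sent, so an explicit `email_verified: false` from the IdP is overridden too, which is broader than the "claim missing" case the documentation and config comment describe. If the claims type cannot distinguish an absent claim from false, the override should at least leave a trace for operators, e.g. `c.logger.Infof("oidc: email_verified forced to true for subject %q (insecureSkipEmailVerified)", idToken.Subject)` before the assignment (assuming the connector's log.Logger exposes an Infof-style method). The empty line inside the `if` body should also be dropped. HandleCallback starts and ends outside this hunk.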