Add option to OIDC connecter to override email_verified to true
This commit is contained in:
parent
83a0326b88
commit
fc723af0fe
@ -55,6 +55,11 @@ connectors:
|
|||||||
# - profile
|
# - profile
|
||||||
# - email
|
# - email
|
||||||
# - groups
|
# - groups
|
||||||
|
|
||||||
|
# Some providers return claims without "email_verified", when they had no usage of emails verification in enrollement process
|
||||||
|
# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
|
||||||
|
# This can be overridden with the below option
|
||||||
|
# insecureSkipEmailVerified: true
|
||||||
```
|
```
|
||||||
|
|
||||||
[oidc-doc]: openid-connect.md
|
[oidc-doc]: openid-connect.md
|
||||||
|
@ -36,6 +36,9 @@ type Config struct {
|
|||||||
// Optional list of whitelisted domains when using Google
|
// Optional list of whitelisted domains when using Google
|
||||||
// If this field is nonempty, only users from a listed domain will be allowed to log in
|
// If this field is nonempty, only users from a listed domain will be allowed to log in
|
||||||
HostedDomains []string `json:"hostedDomains"`
|
HostedDomains []string `json:"hostedDomains"`
|
||||||
|
|
||||||
|
// Override the value of email_verifed to true in the returned claims
|
||||||
|
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal
|
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal
|
||||||
@ -113,9 +116,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
|||||||
verifier: provider.Verifier(
|
verifier: provider.Verifier(
|
||||||
&oidc.Config{ClientID: clientID},
|
&oidc.Config{ClientID: clientID},
|
||||||
),
|
),
|
||||||
logger: logger,
|
logger: logger,
|
||||||
cancel: cancel,
|
cancel: cancel,
|
||||||
hostedDomains: c.HostedDomains,
|
hostedDomains: c.HostedDomains,
|
||||||
|
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -125,13 +129,14 @@ var (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type oidcConnector struct {
|
type oidcConnector struct {
|
||||||
redirectURI string
|
redirectURI string
|
||||||
oauth2Config *oauth2.Config
|
oauth2Config *oauth2.Config
|
||||||
verifier *oidc.IDTokenVerifier
|
verifier *oidc.IDTokenVerifier
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
cancel context.CancelFunc
|
cancel context.CancelFunc
|
||||||
logger log.Logger
|
logger log.Logger
|
||||||
hostedDomains []string
|
hostedDomains []string
|
||||||
|
insecureSkipEmailVerified bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *oidcConnector) Close() error {
|
func (c *oidcConnector) Close() error {
|
||||||
@ -209,6 +214,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.insecureSkipEmailVerified {
|
||||||
|
claims.EmailVerified = true
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
identity = connector.Identity{
|
identity = connector.Identity{
|
||||||
UserID: idToken.Subject,
|
UserID: idToken.Subject,
|
||||||
Username: claims.Username,
|
Username: claims.Username,
|
||||||
|
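Review bot: The override in HandleCallback sets `claims.EmailVerified = true` whenever the option is enabled, so a provider that explicitly returns `email_verified: false` is presumably also reported as verified downstream, which is broader than the "claim missing" case the docs hunk describes. With a plain bool the absent and explicit-false cases are indistinguishable, so either the claims field would need to become a `*bool` (declared outside this hunk) or the field comment and docs should state plainly that an explicit false is overridden too. A log line through `c.logger` inside the `if c.insecureSkipEmailVerified` block, naming the subject, would make the relaxed check visible during incident review. The field comment in the Config hunk also misspells the claim name; suggest `// Override the value of email_verified to true in the returned claims, even when the provider set it to false`. HandleCallback starts and ends outside the hunk.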