feat: Add acr_values support for OIDC

Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
This commit is contained in:
Engin Diri 2022-02-22 14:49:44 +01:00
parent b83ba01c40
commit 5d9d68106a
No known key found for this signature in database
GPG key ID: A874F754654F7A84

View file

@ -44,6 +44,11 @@ type Config struct {
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
InsecureEnableGroups bool `json:"insecureEnableGroups"`
// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
// within the Authentication Request that the Authorization Server is being requested to use for
// processing requests from this Client, with the values appearing in order of preference.
AcrValues []string `json:"acrValues"`
// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
@ -154,6 +159,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups,
acrValues: c.AcrValues,
getUserInfo: c.GetUserInfo,
promptType: c.PromptType,
userIDKey: c.UserIDKey,
@ -180,6 +186,7 @@ type oidcConnector struct {
hostedDomains []string
insecureSkipEmailVerified bool
insecureEnableGroups bool
acrValues []string
getUserInfo bool
promptType string
userIDKey string
@ -209,6 +216,11 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
}
if len(c.acrValues) > 0 {
acrValues := strings.Join(c.acrValues, " ")
opts = append(opts, oauth2.SetAuthURLParam("acr_values", acrValues))
}
if s.OfflineAccess {
opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
}