forked from mystiq/dex
feat: Add acr_values support for OIDC
Signed-off-by: Engin Diri <engin.diri@mail.schwarz>
This commit is contained in:
parent
b83ba01c40
commit
5d9d68106a
1 changed files with 12 additions and 0 deletions
|
@ -44,6 +44,11 @@ type Config struct {
|
|||
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
|
||||
InsecureEnableGroups bool `json:"insecureEnableGroups"`
|
||||
|
||||
// AcrValues (Authentication Context Class Reference Values) that specifies the Authentication Context Class Values
|
||||
// within the Authentication Request that the Authorization Server is being requested to use for
|
||||
// processing requests from this Client, with the values appearing in order of preference.
|
||||
AcrValues []string `json:"acrValues"`
|
||||
|
||||
// GetUserInfo uses the userinfo endpoint to get additional claims for
|
||||
// the token. This is especially useful where upstreams return "thin"
|
||||
// id tokens
|
||||
|
@ -154,6 +159,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
|||
hostedDomains: c.HostedDomains,
|
||||
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
|
||||
insecureEnableGroups: c.InsecureEnableGroups,
|
||||
acrValues: c.AcrValues,
|
||||
getUserInfo: c.GetUserInfo,
|
||||
promptType: c.PromptType,
|
||||
userIDKey: c.UserIDKey,
|
||||
|
@ -180,6 +186,7 @@ type oidcConnector struct {
|
|||
hostedDomains []string
|
||||
insecureSkipEmailVerified bool
|
||||
insecureEnableGroups bool
|
||||
acrValues []string
|
||||
getUserInfo bool
|
||||
promptType string
|
||||
userIDKey string
|
||||
|
@ -209,6 +216,11 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
|
|||
opts = append(opts, oauth2.SetAuthURLParam("hd", preferredDomain))
|
||||
}
|
||||
|
||||
if len(c.acrValues) > 0 {
|
||||
acrValues := strings.Join(c.acrValues, " ")
|
||||
opts = append(opts, oauth2.SetAuthURLParam("acr_values", acrValues))
|
||||
}
|
||||
|
||||
if s.OfflineAccess {
|
||||
opts = append(opts, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", c.promptType))
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue