Run getUserInfo prior to claim enforcement

If you have an oidc connector configured *and* that IDP provides thin tokens (e.g. okta) then the majority of the requested claims come in the getUserInfo call (such as email_verified). So if getUserInfo is configured it should be run before claims are validated.
2019-09-13 11:10:44 -07:00 · 2019-09-13 11:10:44 -07:00 · 512cb3169e
parent 8427f0f15c
commit 512cb3169e
1 changed files with 11 additions and 10 deletions
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@ -213,6 +213,17 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 		return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
 	}

+	// We immediately want to run getUserInfo if configured before we validate the claims
+	if c.getUserInfo {
+		userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
+		if err != nil {
+			return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
+		}
+		if err := userInfo.Claims(&claims); err != nil {
+			return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
+		}
+	}
+
 	userNameKey := "name"
 	if c.userNameKey != "" {
 		userNameKey = c.userNameKey
@ -249,16 +260,6 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 		}
 	}

-	if c.getUserInfo {
-		userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
-		if err != nil {
-			return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
-		}
-		if err := userInfo.Claims(&claims); err != nil {
-			return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
-		}
-	}
-
 	identity = connector.Identity{
 		UserID:        idToken.Subject,
 		Username:      name,