Merge pull request #1433 from jacksontj/userinfo
Add option in oidc to hit the optional userinfo endpoint
This commit is contained in:
commit
59560c9919
2 changed files with 25 additions and 0 deletions
|
@ -60,6 +60,12 @@ connectors:
|
|||
# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
|
||||
# This can be overridden with the below option
|
||||
# insecureSkipEmailVerified: true
|
||||
|
||||
# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
|
||||
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
|
||||
# all the claims requested.
|
||||
# https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
|
||||
# getUserInfo: true
|
||||
```
|
||||
|
||||
[oidc-doc]: openid-connect.md
|
||||
|
|
|
@ -39,6 +39,11 @@ type Config struct {
|
|||
|
||||
// Override the value of email_verifed to true in the returned claims
|
||||
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
|
||||
|
||||
// GetUserInfo uses the userinfo endpoint to get additional claims for
|
||||
// the token. This is especially useful where upstreams return "thin"
|
||||
// id tokens
|
||||
GetUserInfo bool `json:"getUserInfo"`
|
||||
}
|
||||
|
||||
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal
|
||||
|
@ -105,6 +110,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
|||
|
||||
clientID := c.ClientID
|
||||
return &oidcConnector{
|
||||
provider: provider,
|
||||
redirectURI: c.RedirectURI,
|
||||
oauth2Config: &oauth2.Config{
|
||||
ClientID: clientID,
|
||||
|
@ -120,6 +126,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
|||
cancel: cancel,
|
||||
hostedDomains: c.HostedDomains,
|
||||
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
|
||||
getUserInfo: c.GetUserInfo,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -129,6 +136,7 @@ var (
|
|||
)
|
||||
|
||||
type oidcConnector struct {
|
||||
provider *oidc.Provider
|
||||
redirectURI string
|
||||
oauth2Config *oauth2.Config
|
||||
verifier *oidc.IDTokenVerifier
|
||||
|
@ -137,6 +145,7 @@ type oidcConnector struct {
|
|||
logger log.Logger
|
||||
hostedDomains []string
|
||||
insecureSkipEmailVerified bool
|
||||
getUserInfo bool
|
||||
}
|
||||
|
||||
func (c *oidcConnector) Close() error {
|
||||
|
@ -219,6 +228,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
|
|||
|
||||
}
|
||||
|
||||
if c.getUserInfo {
|
||||
userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
|
||||
if err != nil {
|
||||
return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
|
||||
}
|
||||
if err := userInfo.Claims(&claims); err != nil {
|
||||
return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
identity = connector.Identity{
|
||||
UserID: idToken.Subject,
|
||||
Username: claims.Username,
|
||||
|
|
Reference in a new issue