Merge pull request #1434 from jacksontj/groups
Add option to enable groups for oidc connectors
This commit is contained in:
commit
c41035732f
2 changed files with 25 additions and 0 deletions
|
@ -61,6 +61,13 @@ connectors:
|
|||
# This can be overridden with the below option
|
||||
# insecureSkipEmailVerified: true
|
||||
|
||||
# Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed
|
||||
# meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector
|
||||
# doesn't allow groups claims. If you are okay with having potentially stale group claims you can use
|
||||
# this option to enable groups claims through the oidc connector on a per-connector basis.
|
||||
# This can be overridden with the below option
|
||||
# insecureEnableGroups: true
|
||||
|
||||
# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
|
||||
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
|
||||
# all the claims requested.
|
||||
|
|
|
@ -42,6 +42,9 @@ type Config struct {
|
|||
// Override the value of email_verifed to true in the returned claims
|
||||
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
|
||||
|
||||
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
|
||||
InsecureEnableGroups bool `json:"insecureEnableGroups"`
|
||||
|
||||
// GetUserInfo uses the userinfo endpoint to get additional claims for
|
||||
// the token. This is especially useful where upstreams return "thin"
|
||||
// id tokens
|
||||
|
@ -139,6 +142,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
|||
cancel: cancel,
|
||||
hostedDomains: c.HostedDomains,
|
||||
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
|
||||
insecureEnableGroups: c.InsecureEnableGroups,
|
||||
getUserInfo: c.GetUserInfo,
|
||||
userIDKey: c.UserIDKey,
|
||||
userNameKey: c.UserNameKey,
|
||||
|
@ -159,6 +163,7 @@ type oidcConnector struct {
|
|||
logger log.Logger
|
||||
hostedDomains []string
|
||||
insecureSkipEmailVerified bool
|
||||
insecureEnableGroups bool
|
||||
getUserInfo bool
|
||||
userIDKey string
|
||||
userNameKey string
|
||||
|
@ -321,5 +326,18 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
|
|||
identity.UserID = userID
|
||||
}
|
||||
|
||||
if c.insecureEnableGroups {
|
||||
vs, ok := claims["groups"].([]interface{})
|
||||
if ok {
|
||||
for _, v := range vs {
|
||||
if s, ok := v.(string); ok {
|
||||
identity.Groups = append(identity.Groups, s)
|
||||
} else {
|
||||
return identity, errors.New("malformed \"groups\" claim")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return identity, nil
|
||||
}
|
||||
|
|
Reference in a new issue