Merge pull request #1434 from jacksontj/groups
Add option to enable groups for oidc connectors
This commit is contained in:
commit
c41035732f
2 changed files with 25 additions and 0 deletions
|
@ -61,6 +61,13 @@ connectors:
|
||||||
# This can be overridden with the below option
|
# This can be overridden with the below option
|
||||||
# insecureSkipEmailVerified: true
|
# insecureSkipEmailVerified: true
|
||||||
|
|
||||||
|
# Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed
|
||||||
|
# meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector
|
||||||
|
# doesn't allow groups claims. If you are okay with having potentially stale group claims you can use
|
||||||
|
# this option to enable groups claims through the oidc connector on a per-connector basis.
|
||||||
|
# This can be overridden with the below option
|
||||||
|
# insecureEnableGroups: true
|
||||||
|
|
||||||
# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
|
# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
|
||||||
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
|
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
|
||||||
# all the claims requested.
|
# all the claims requested.
|
||||||
|
|
|
@ -42,6 +42,9 @@ type Config struct {
|
||||||
// Override the value of email_verifed to true in the returned claims
|
// Override the value of email_verifed to true in the returned claims
|
||||||
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
|
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
|
||||||
|
|
||||||
|
// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
|
||||||
|
InsecureEnableGroups bool `json:"insecureEnableGroups"`
|
||||||
|
|
||||||
// GetUserInfo uses the userinfo endpoint to get additional claims for
|
// GetUserInfo uses the userinfo endpoint to get additional claims for
|
||||||
// the token. This is especially useful where upstreams return "thin"
|
// the token. This is especially useful where upstreams return "thin"
|
||||||
// id tokens
|
// id tokens
|
||||||
|
@ -139,6 +142,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
|
||||||
cancel: cancel,
|
cancel: cancel,
|
||||||
hostedDomains: c.HostedDomains,
|
hostedDomains: c.HostedDomains,
|
||||||
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
|
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
|
||||||
|
insecureEnableGroups: c.InsecureEnableGroups,
|
||||||
getUserInfo: c.GetUserInfo,
|
getUserInfo: c.GetUserInfo,
|
||||||
userIDKey: c.UserIDKey,
|
userIDKey: c.UserIDKey,
|
||||||
userNameKey: c.UserNameKey,
|
userNameKey: c.UserNameKey,
|
||||||
|
@ -159,6 +163,7 @@ type oidcConnector struct {
|
||||||
logger log.Logger
|
logger log.Logger
|
||||||
hostedDomains []string
|
hostedDomains []string
|
||||||
insecureSkipEmailVerified bool
|
insecureSkipEmailVerified bool
|
||||||
|
insecureEnableGroups bool
|
||||||
getUserInfo bool
|
getUserInfo bool
|
||||||
userIDKey string
|
userIDKey string
|
||||||
userNameKey string
|
userNameKey string
|
||||||
|
@ -321,5 +326,18 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
|
||||||
identity.UserID = userID
|
identity.UserID = userID
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.insecureEnableGroups {
|
||||||
|
vs, ok := claims["groups"].([]interface{})
|
||||||
|
if ok {
|
||||||
|
for _, v := range vs {
|
||||||
|
if s, ok := v.(string); ok {
|
||||||
|
identity.Groups = append(identity.Groups, s)
|
||||||
|
} else {
|
||||||
|
return identity, errors.New("malformed \"groups\" claim")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return identity, nil
|
return identity, nil
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue