From 512cb3169ea0d9ca7207616d08426455820727c9 Mon Sep 17 00:00:00 2001
From: Thomas Jackson
Date: Fri, 13 Sep 2019 11:10:44 -0700
Subject: [PATCH] Run getUserInfo prior to claim enforcement

If you have an oidc connector configured *and* that IDP provides thin tokens (e.g. okta) then the majority of the requested claims come in the getUserInfo call (such as email_verified). So if getUserInfo is configured it should be run before claims are validated.
---
 connector/oidc/oidc.go | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index 4a64df8b..b5e075ad 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -213,6 +213,17 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
 }
 
+ // We immediately want to run getUserInfo if configured before we validate the claims
+ if c.getUserInfo {
+ userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
+ if err != nil {
+ return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
+ }
+ if err := userInfo.Claims(&claims); err != nil {
+ return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
+ }
+ }
+
 userNameKey := "name"
 if c.userNameKey != "" {
 userNameKey = c.userNameKey
@@ -249,16 +260,6 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 }
 }
 
- if c.getUserInfo {
- userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
- if err != nil {
- return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
- }
- if err := userInfo.Claims(&claims); err != nil {
- return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
- }
- }
-
 identity = connector.Identity{
 UserID: idToken.Subject,
 Username: name,
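Review bot: The userinfo response is decoded into `claims` at the `userInfo.Claims(&claims)` call in the first hunk without first checking that it belongs to the same subject as the ID token, even though OIDC Core requires the UserInfo `sub` to match the ID token's `sub` before its values are used, and `idToken.Subject` is what becomes `identity.UserID` in the second hunk. Because this block now runs ahead of the claim checks, a response for a different subject would feed its `email`/`email_verified` values into the enforcement that follows. Before the `Claims` call add `if userInfo.Subject != idToken.Subject {` / `return identity, fmt.Errorf("oidc: userinfo subject %q does not match id token subject %q", userInfo.Subject, idToken.Subject)` / `}`. The moved comment should also state that, since `Claims` decodes into the already-populated struct, fields present in the userinfo response appear to replace the ID-token values while absent ones keep them, which is the precedence later checks now rely on. HandleCallback's body begins and ends outside both hunks.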