Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/configurable userid claim minimal #499

Conversation

holyjak
Copy link
Contributor

@holyjak holyjak commented Apr 23, 2020

Replace #469 with a PR from a personal repo so that maintainers can fix merge issues

Fix #431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".

It is kept minimal to make to minimize conflicts with other ongoing changes.

Description

  • Add the option user-id-claim (defaults to email)
  • OIDC extracts this claim into session.Email (to be renamed later)
  • providers: add CreateSessionStateFromBearerToken with a default impl taken from
    GetJwtSession and overridden by oidc to respect user-id-claim

Once #466 is merged, I can continue to port other work from #448, namely to rename SessionState.Email to .UserID, adjust (de)serialization accordingly, add HTTP headers with a corresponding name.

Motivation and Context

Fix #431

How Has This Been Tested?

Tested on OS X:

  • the new unit test
  • following manual test cases:
    • log in with no custom -user-id-claim and a user with an email, verify logged in
    • log in with -user-id-claim phone_number and -user-id-claim sub, verify it works
    • try to log in with a user lacking email and no custom -user-id-claim and verify it fails
    • run with -skip-jwt-bearer-tokens true -user-id-claim phone_number and verify that requests that include Authorization: <the auth. header forwarded by the proxy to the upstream> go directly to the upstream

PS: I'd love to add a unit test for CreateSessionStateFromBearerToken but couldn't figure out a reasonable way to create an oidc.IDToken - any tips?

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • tested

Jakub Holy and others added 3 commits April 11, 2020 16:25
Fix oauth2-proxy#431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".

- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
  `GetJwtSession` and overridden by oidc to respect `user-id-claim`

Once oauth2-proxy#466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
@holyjak holyjak force-pushed the feature/configurable-userid-claim-minimal branch from 037818d to ae04c95 Compare April 23, 2020 17:00
@holyjak holyjak force-pushed the feature/configurable-userid-claim-minimal branch from ae04c95 to a6ab338 Compare April 23, 2020 17:05
options.go Outdated Show resolved Hide resolved
Comment on lines +154 to +162
var newSession *sessions.SessionState

if idToken != nil {
claims, err := findClaimsFromIDToken(idToken, token.AccessToken, p.ProfileURL.String())
if idToken == nil {
newSession = &sessions.SessionState{}
} else {
var err error
newSession, err = p.createSessionStateInternal(token.Extra("id_token").(string), idToken, token)
if err != nil {
return nil, fmt.Errorf("couldn't extract claims from id_token (%e)", err)
}

if claims != nil {

if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
}

newSession.IDToken = token.Extra("id_token").(string)
newSession.Email = claims.Email
newSession.User = claims.Subject
newSession.PreferredUsername = claims.PreferredUsername
return nil, err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this if else block adds anything, the same logic is capture in createSessionStateInternal right, could potentially clean this up

Copy link
Member

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's one outstanding comment I've just added but I'm happy to fix that up at another point (unless @holyjak manages to fix it before we get another reviewer in)

@steakunderscore steakunderscore merged commit 1961424 into oauth2-proxy:master Apr 28, 2020
NickMeves pushed a commit to grnhse/oauth2-proxy that referenced this pull request Jul 27, 2020
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
NickMeves pushed a commit to grnhse/oauth2-proxy that referenced this pull request Jul 27, 2020
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
NickMeves pushed a commit to grnhse/oauth2-proxy that referenced this pull request Aug 10, 2020
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
NickMeves pushed a commit to grnhse/oauth2-proxy that referenced this pull request Aug 10, 2020
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
NickMeves pushed a commit to grnhse/oauth2-proxy that referenced this pull request Aug 11, 2020
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
NickMeves pushed a commit to grnhse/oauth2-proxy that referenced this pull request Aug 14, 2020
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Make it configurable which claim is user id (currently = email)
3 participants