-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/configurable userid claim minimal #499
Feature/configurable userid claim minimal #499
Conversation
Fix oauth2-proxy#431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once oauth2-proxy#466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name.
Co-Authored-By: Joel Speed <[email protected]>
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
037818d
to
ae04c95
Compare
ae04c95
to
a6ab338
Compare
var newSession *sessions.SessionState | ||
|
||
if idToken != nil { | ||
claims, err := findClaimsFromIDToken(idToken, token.AccessToken, p.ProfileURL.String()) | ||
if idToken == nil { | ||
newSession = &sessions.SessionState{} | ||
} else { | ||
var err error | ||
newSession, err = p.createSessionStateInternal(token.Extra("id_token").(string), idToken, token) | ||
if err != nil { | ||
return nil, fmt.Errorf("couldn't extract claims from id_token (%e)", err) | ||
} | ||
|
||
if claims != nil { | ||
|
||
if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified { | ||
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email) | ||
} | ||
|
||
newSession.IDToken = token.Extra("id_token").(string) | ||
newSession.Email = claims.Email | ||
newSession.User = claims.Subject | ||
newSession.PreferredUsername = claims.PreferredUsername | ||
return nil, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this if else
block adds anything, the same logic is capture in createSessionStateInternal right, could potentially clean this up
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's one outstanding comment I've just added but I'm happy to fix that up at another point (unless @holyjak manages to fix it before we get another reviewer in)
This reverts to functionality before oauth2-proxy#499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before oauth2-proxy#499.
This reverts to functionality before oauth2-proxy#499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before oauth2-proxy#499.
This reverts to functionality before oauth2-proxy#499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before oauth2-proxy#499.
This reverts to functionality before oauth2-proxy#499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before oauth2-proxy#499.
This reverts to functionality before oauth2-proxy#499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before oauth2-proxy#499.
This reverts to functionality before oauth2-proxy#499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before oauth2-proxy#499.
Replace #469 with a PR from a personal repo so that maintainers can fix merge issues
Fix #431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".
It is kept minimal to make to minimize conflicts with other ongoing changes.
Description
user-id-claim
(defaults to email)CreateSessionStateFromBearerToken
with a default impl taken fromGetJwtSession
and overridden by oidc to respectuser-id-claim
Once #466 is merged, I can continue to port other work from #448, namely to rename SessionState.Email to .UserID, adjust (de)serialization accordingly, add HTTP headers with a corresponding name.
Motivation and Context
Fix #431
How Has This Been Tested?
Tested on OS X:
-user-id-claim
and a user with an email, verify logged in-user-id-claim phone_number
and-user-id-claim sub
, verify it works-user-id-claim
and verify it fails-skip-jwt-bearer-tokens true -user-id-claim phone_number
and verify that requests that includeAuthorization: <the auth. header forwarded by the proxy to the upstream>
go directly to the upstreamPS: I'd love to add a unit test for
CreateSessionStateFromBearerToken
but couldn't figure out a reasonable way to create anoidc.IDToken
- any tips?Checklist: