Skip to content

D
dex
Commit 4194530c authored by Ben Navetta's avatar Ben Navetta
Browse files
Options

initial hostedDomain support

parent 3493e30f
Hide whitespace changes
Inline Side-by-side
Showing with 16 additions and 3 deletions
connector/oidc/oidc.go
View file @ 4194530c
...@@ -33,6 +33,7 @@ type Config struct { ...@@ -33,6 +33,7 @@ type Config struct {
Scopes []string `json:"scopes"` // defaults to "profile" and "email" Scopes []string `json:"scopes"` // defaults to "profile" and "email"
HostedDomain string `json:"hostedDomain"`
} }
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
...@@ -110,8 +111,9 @@ func (c *Config) Open(logger logrus.FieldLogger) (conn connector.Connector, err ...@@ -110,8 +111,9 @@ func (c *Config) Open(logger logrus.FieldLogger) (conn connector.Connector, err
verifier: provider.Verifier( verifier: provider.Verifier(
&oidc.Config{ClientID: clientID}, &oidc.Config{ClientID: clientID},
), ),
logger: logger, logger: logger,
cancel: cancel, cancel: cancel,
hostedDomain: c.HostedDomain,
}, nil }, nil
} }
...@@ -127,6 +129,7 @@ type oidcConnector struct { ...@@ -127,6 +129,7 @@ type oidcConnector struct {
ctx context.Context ctx context.Context
cancel context.CancelFunc cancel context.CancelFunc
logger logrus.FieldLogger logger logrus.FieldLogger
hostedDomain string
} }
func (c *oidcConnector) Close() error { func (c *oidcConnector) Close() error {
...@@ -138,7 +141,12 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string) ...@@ -138,7 +141,12 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
if c.redirectURI != callbackURL { if c.redirectURI != callbackURL {
return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI) return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
} }
return c.oauth2Config.AuthCodeURL(state), nil
if c.hostedDomain != "" {
return c.oauth2Config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", c.hostedDomain)), nil
} else {
return c.oauth2Config.AuthCodeURL(state), nil
}
} }
type oauth2Error struct { type oauth2Error struct {
...@@ -176,11 +184,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide ...@@ -176,11 +184,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
Username string `json:"name"` Username string `json:"name"`
Email string `json:"email"` Email string `json:"email"`
EmailVerified bool `json:"email_verified"` EmailVerified bool `json:"email_verified"`
HostedDomain string `json:"hd"`
} }
if err := idToken.Claims(&claims); err != nil { if err := idToken.Claims(&claims); err != nil {
return identity, fmt.Errorf("oidc: failed to decode claims: %v", err) return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
} }
if claims.HostedDomain != c.hostedDomain {
return identity, fmt.Errorf("oidc: unexpected hd claim %v", claims.HostedDomain)
}
identity = connector.Identity{ identity = connector.Identity{
UserID: idToken.Subject, UserID: idToken.Subject,
Username: claims.Username, Username: claims.Username,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment