59560c99
Unverified
Commit
59560c99
authored
May 23, 2019
by
Eric Chiang
Committed by
GitHub
May 23, 2019
Merge pull request #1433 from jacksontj/userinfo
Add option in oidc to hit the optional userinfo endpoint
parents
cd3c6983
52d09a2d
Showing
2 changed files
with
25 additions
and
0 deletions
+25
-0
oidc.md
Documentation/connectors/oidc.md
+6
-0
oidc.go
connector/oidc/oidc.go
+19
-0
Documentation/connectors/oidc.md
...
...
@@ -60,6 +60,12 @@ connectors:
# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
# This can be overridden with the below option
# insecureSkipEmailVerified: true
# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
# all the claims requested.
# https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
# getUserInfo: true
```
[
oidc-doc
]:
openid-connect.md
...
...
connector/oidc/oidc.go
...
...
@@ -39,6 +39,11 @@ type Config struct {
// Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified
bool
`json:"insecureSkipEmailVerified"`
// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
GetUserInfo
bool
`json:"getUserInfo"`
}
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal
...
...
@@ -105,6 +110,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
clientID
:=
c
.
ClientID
return
&
oidcConnector
{
provider
:
provider
,
redirectURI
:
c
.
RedirectURI
,
oauth2Config
:
&
oauth2
.
Config
{
ClientID
:
clientID
,
...
...
@@ -120,6 +126,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
cancel
:
cancel
,
hostedDomains
:
c
.
HostedDomains
,
insecureSkipEmailVerified
:
c
.
InsecureSkipEmailVerified
,
getUserInfo
:
c
.
GetUserInfo
,
},
nil
}
...
...
@@ -129,6 +136,7 @@ var (
)
type
oidcConnector
struct
{
provider
*
oidc
.
Provider
redirectURI
string
oauth2Config
*
oauth2
.
Config
verifier
*
oidc
.
IDTokenVerifier
...
...
@@ -137,6 +145,7 @@ type oidcConnector struct {
logger
log
.
Logger
hostedDomains
[]
string
insecureSkipEmailVerified
bool
getUserInfo
bool
}
func
(
c
*
oidcConnector
)
Close
()
error
{
...
...
@@ -219,6 +228,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
}
if
c
.
getUserInfo
{
userInfo
,
err
:=
c
.
provider
.
UserInfo
(
r
.
Context
(),
oauth2
.
StaticTokenSource
(
token
))
if
err
!=
nil
{
return
identity
,
fmt
.
Errorf
(
"oidc: error loading userinfo: %v"
,
err
)
}
if
err
:=
userInfo
.
Claims
(
&
claims
);
err
!=
nil
{
return
identity
,
fmt
.
Errorf
(
"oidc: failed to decode userinfo claims: %v"
,
err
)
}
}
identity
=
connector
.
Identity
{
UserID
:
idToken
.
Subject
,
Username
:
claims
.
Username
,
...
...
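Review bot: The new `if c.getUserInfo` branch in HandleCallback overlays the UserInfo response onto `claims` without checking that the response's `sub` matches `idToken.Subject`, which OIDC Core §5.3.2 requires before any UserInfo values may be used; as written, a mismatched response from the upstream (or a token accidentally exchanged for a different subject) would silently replace username/email/groups while `UserID` still comes from the ID token. Right after the `c.provider.UserInfo(...)` error check I would add `if userInfo.Subject != idToken.Subject { return identity, fmt.Errorf("oidc: userinfo subject %q does not match id token subject %q", userInfo.Subject, idToken.Subject) }` (go-oidc's `UserInfo` exposes `Subject`, if I recall correctly — worth confirming against the vendored version). It is also worth a comment above `userInfo.Claims(&claims)` that decoding into the already-populated struct means any claim the UserInfo response omits keeps the ID-token value, while any claim it does include wins, e.g. `// Overlay: userinfo claims override id_token claims; absent fields keep their id_token value.` HandleCallback begins and ends outside this hunk, so I cannot see how `claims` and `token` are produced above.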