Merge pull request #1433 from jacksontj/userinfo

Add option in oidc to hit the optional userinfo endpoint

Merge pull request #1433 from jacksontj/userinfo
Add option in oidc to hit the optional userinfo endpoint
59560c99 · Eric Chiang · GitHub · cd3c6983 · 52d09a2d · 59560c99
Unverified Commit 59560c99 authored May 23, 2019 by Eric Chiang Committed by GitHub May 23, 2019
Show whitespace changes
Inline Side-by-side

Showing with 25 additions and 0 deletions

oidc.md Documentation/connectors/oidc.md +6 -0

oidc.go connector/oidc/oidc.go +19 -0

No files found.
--- a/Documentation/connectors/oidc.md
+++ b/Documentation/connectors/oidc.md
@@ -60,6 +60,12 @@ connectors:
    # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
    # This can be overridden with the below option
    # insecureSkipEmailVerified: true 
+    # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
+    # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
+    # all the claims requested.
+    # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+    # getUserInfo: true
 ```
 [oidc-doc]: openid-connect.md

--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -39,6 +39,11 @@ type Config struct {
 	// Override the value of email_verifed to true in the returned claims
 	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
+	// GetUserInfo uses the userinfo endpoint to get additional claims for
+	// the token. This is especially useful where upstreams return "thin"
+	// id tokens
+	GetUserInfo bool `json:"getUserInfo"`
 }
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -105,6 +110,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 	clientID := c.ClientID
 	return &oidcConnector{
+		provider:    provider,
 		redirectURI: c.RedirectURI,
 		oauth2Config: &oauth2.Config{
 			ClientID:     clientID,
@@ -120,6 +126,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		cancel:                    cancel,
 		hostedDomains:             c.HostedDomains,
 		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
+		getUserInfo:               c.GetUserInfo,
 	}, nil
 }
@@ -129,6 +136,7 @@ var (
 )
 type oidcConnector struct {
+	provider                  *oidc.Provider
 	redirectURI               string
 	oauth2Config              *oauth2.Config
 	verifier                  *oidc.IDTokenVerifier
@@ -137,6 +145,7 @@ type oidcConnector struct {
 	logger                    log.Logger
 	hostedDomains             []string
 	insecureSkipEmailVerified bool
+	getUserInfo               bool
 }
 func (c *oidcConnector) Close() error {
@@ -219,6 +228,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
 	}
+	if c.getUserInfo {
+		userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
+		if err != nil {
+			return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
+		}
+		if err := userInfo.Claims(&claims); err != nil {
+			return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
+		}
+	}
 	identity = connector.Identity{
 		UserID:        idToken.Subject,
 		Username:      claims.Username,