Unverified Commit f6741d18 authored by Eric Chiang's avatar Eric Chiang Committed by GitHub

Merge pull request #1417 from gezb/feature/odic_add_email_verfied_override

Add option to OIDC connector to override email_verified to true
parents 83a0326b fc723af0
...@@ -55,6 +55,11 @@ connectors: ...@@ -55,6 +55,11 @@ connectors:
# - profile # - profile
# - email # - email
# - groups # - groups
# Some providers return claims without "email_verified", when they had no usage of emails verification in enrollement process
# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
# This can be overridden with the below option
# insecureSkipEmailVerified: true
``` ```
[oidc-doc]: openid-connect.md [oidc-doc]: openid-connect.md
...@@ -36,6 +36,9 @@ type Config struct { ...@@ -36,6 +36,9 @@ type Config struct {
// Optional list of whitelisted domains when using Google // Optional list of whitelisted domains when using Google
// If this field is nonempty, only users from a listed domain will be allowed to log in // If this field is nonempty, only users from a listed domain will be allowed to log in
HostedDomains []string `json:"hostedDomains"` HostedDomains []string `json:"hostedDomains"`
// Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
} }
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
...@@ -113,9 +116,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e ...@@ -113,9 +116,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
verifier: provider.Verifier( verifier: provider.Verifier(
&oidc.Config{ClientID: clientID}, &oidc.Config{ClientID: clientID},
), ),
logger: logger, logger: logger,
cancel: cancel, cancel: cancel,
hostedDomains: c.HostedDomains, hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
}, nil }, nil
} }
...@@ -125,13 +129,14 @@ var ( ...@@ -125,13 +129,14 @@ var (
) )
type oidcConnector struct { type oidcConnector struct {
redirectURI string redirectURI string
oauth2Config *oauth2.Config oauth2Config *oauth2.Config
verifier *oidc.IDTokenVerifier verifier *oidc.IDTokenVerifier
ctx context.Context ctx context.Context
cancel context.CancelFunc cancel context.CancelFunc
logger log.Logger logger log.Logger
hostedDomains []string hostedDomains []string
insecureSkipEmailVerified bool
} }
func (c *oidcConnector) Close() error { func (c *oidcConnector) Close() error {
...@@ -209,6 +214,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide ...@@ -209,6 +214,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
} }
} }
if c.insecureSkipEmailVerified {
claims.EmailVerified = true
}
identity = connector.Identity{ identity = connector.Identity{
UserID: idToken.Subject, UserID: idToken.Subject,
Username: claims.Username, Username: claims.Username,
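Review bot: The override at `if c.insecureSkipEmailVerified { claims.EmailVerified = true }` forces the claim to true even when the provider explicitly returned `email_verified: false`, although the option's documentation in the config hunk describes providers that omit the claim entirely. Decoding the claim as a `*bool` lets the connector tell absent from false and apply the override only in the absent case, so a provider's explicit negative still blocks the login; if overriding an explicit false is intended, the field comment should say so. The claims struct and the Identity assignment this touches are presumably just outside the hunk, and HandleCallback starts outside it as well. Separately, the field comment in the Config hunk has a typo (`email_verifed`); suggest `// InsecureSkipEmailVerified treats the user's email as verified when the provider omits the email_verified claim. Only enable this for providers known not to populate it.`
```go
	var claims struct {
		// … unchanged: other claim fields …
		EmailVerified *bool `json:"email_verified"` // nil when the provider omits the claim
	}
	// … unchanged: claims decoding and hosted-domain check …
	emailVerified := claims.EmailVerified != nil && *claims.EmailVerified
	if c.insecureSkipEmailVerified && claims.EmailVerified == nil {
		// Provider sent no email_verified claim; the operator opted in to trusting the email anyway.
		// An explicit false from the provider is still honored.
		emailVerified = true
	}
	identity = connector.Identity{
		UserID:        idToken.Subject,
		Username:      claims.Username,
		// … unchanged: other Identity fields …
		EmailVerified: emailVerified,
	}
```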