draft scopes claim
This commit is contained in:
parent
d365d5fc41
commit
803fdbf3c8
|
|
@ -720,11 +720,13 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
|
||||||
Email string `json:"email"`
|
Email string `json:"email"`
|
||||||
Groups []string `json:"groups,omitempty"`
|
Groups []string `json:"groups,omitempty"`
|
||||||
PreferredUsername string `json:"preferredUsername,omitempty"`
|
PreferredUsername string `json:"preferredUsername,omitempty"`
|
||||||
|
Name string `json:"name"`
|
||||||
}{
|
}{
|
||||||
User: session.User,
|
User: session.User,
|
||||||
Email: session.Email,
|
Email: session.Email,
|
||||||
Groups: session.Groups,
|
Groups: session.Groups,
|
||||||
PreferredUsername: session.PreferredUsername,
|
PreferredUsername: session.PreferredUsername,
|
||||||
|
Name: session.Name,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := json.NewEncoder(rw).Encode(userInfo); err != nil {
|
if err := json.NewEncoder(rw).Encode(userInfo); err != nil {
|
||||||
|
|
|
||||||
|
|
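Review bot: `Name` in the UserInfo response struct (the new line after `PreferredUsername`) is tagged `json:"name"` without `omitempty`, while the sibling `Groups` and `PreferredUsername` fields use `omitempty`, so a session with no name claim now serializes `"name":""`. Changing the tag to `Name string `json:"name,omitempty"`` keeps the response shape consistent and avoids advertising an empty field. The session's new `Scopes` field is not surfaced here; if that is deliberate, a short comment on the struct saying scopes are intentionally not exposed via the userinfo endpoint would save the next reader a question. The enclosing `UserInfo` function begins before this hunk.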
@ -24,7 +24,9 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
|
||||||
Email string `json:"email"`
|
Email string `json:"email"`
|
||||||
Verified *bool `json:"email_verified"`
|
Verified *bool `json:"email_verified"`
|
||||||
PreferredUsername string `json:"preferred_username"`
|
PreferredUsername string `json:"preferred_username"`
|
||||||
|
Name string `json:"name"`
|
||||||
Groups []string `json:"groups"`
|
Groups []string `json:"groups"`
|
||||||
|
Scopes []string `json:"scopes"`
|
||||||
}
|
}
|
||||||
|
|
||||||
idToken, err := verify(ctx, token)
|
idToken, err := verify(ctx, token)
|
||||||
|
|
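Review bot: The new `Scopes []string `json:"scopes"`` claims field hard-codes the claim name, while the options change in this commit introduces a configurable `ScopesClaim` (default `"scopes"`) for the OIDC provider path, so the two paths will diverge as soon as a deployment overrides the option. Note also that the claim standardised for access tokens is `scope` (singular, a space-delimited string per RFC 9068); if these claims are decoded with encoding/json, a string-valued claim would not unmarshal into `[]string` and would presumably make session creation fail rather than yield an empty list — I cannot see the decoder, so please confirm. At minimum add a comment on the field: `// non-standard "scopes" array claim; a space-delimited "scope" string (RFC 9068) is not handled here`. The enclosing `CreateTokenToSessionFunc` starts before and continues past this hunk.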
@ -49,6 +51,8 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
|
||||||
User: claims.Subject,
|
User: claims.Subject,
|
||||||
Groups: claims.Groups,
|
Groups: claims.Groups,
|
||||||
PreferredUsername: claims.PreferredUsername,
|
PreferredUsername: claims.PreferredUsername,
|
||||||
|
Name: claims.Name,
|
||||||
|
Scopes: claims.Scopes,
|
||||||
AccessToken: token,
|
AccessToken: token,
|
||||||
IDToken: token,
|
IDToken: token,
|
||||||
RefreshToken: "",
|
RefreshToken: "",
|
||||||
|
|
|
||||||
|
|
@ -4,8 +4,14 @@ const (
|
||||||
// OIDCEmailClaim is the generic email claim used by the OIDC provider.
|
// OIDCEmailClaim is the generic email claim used by the OIDC provider.
|
||||||
OIDCEmailClaim = "email"
|
OIDCEmailClaim = "email"
|
||||||
|
|
||||||
|
// OIDCNameClaim is the generic name claim used by the OIDC provider.
|
||||||
|
OIDCNameClaim = "name"
|
||||||
|
|
||||||
// OIDCGroupsClaim is the generic groups claim used by the OIDC provider.
|
// OIDCGroupsClaim is the generic groups claim used by the OIDC provider.
|
||||||
OIDCGroupsClaim = "groups"
|
OIDCGroupsClaim = "groups"
|
||||||
|
|
||||||
|
// OIDCScopesClaim is the generic scopes claim used by the OIDC provider.
|
||||||
|
OIDCScopesClaim = "scopes"
|
||||||
)
|
)
|
||||||
|
|
||||||
// OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.
|
// OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.
|
||||||
|
|
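Review bot: The doc comment on `OIDCScopesClaim` calls `"scopes"` the generic scopes claim, but OIDC Core defines no such claim and RFC 9068 access tokens carry `scope` as a single space-delimited string, so on many IdPs the default will simply yield no scopes, and pointing `ScopesClaim` at `scope` may not produce the shape the session expects (I cannot see the claim extractor from here). Reword the comment so operators know it is a project convention rather than a standard: `// OIDCScopesClaim is the default claim the OIDC provider reads user scopes from. It is not defined by OIDC Core; IdPs that emit an RFC 9068 "scope" string need ScopesClaim configured to match what the extractor accepts.` `OIDCNameClaim` is fine as-is, since `name` is a standard OIDC profile claim.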
@ -228,9 +234,15 @@ type OIDCOptions struct {
|
||||||
// EmailClaim indicates which claim contains the user email,
|
// EmailClaim indicates which claim contains the user email,
|
||||||
// default set to 'email'
|
// default set to 'email'
|
||||||
EmailClaim string `json:"emailClaim,omitempty"`
|
EmailClaim string `json:"emailClaim,omitempty"`
|
||||||
|
// NameClaim indicates which claim contains the user name,
|
||||||
|
// default set to 'name'
|
||||||
|
NameClaim string `json:"nameClaim,omitempty"`
|
||||||
// GroupsClaim indicates which claim contains the user groups
|
// GroupsClaim indicates which claim contains the user groups
|
||||||
// default set to 'groups'
|
// default set to 'groups'
|
||||||
GroupsClaim string `json:"groupsClaim,omitempty"`
|
GroupsClaim string `json:"groupsClaim,omitempty"`
|
||||||
|
// ScopesClaim indicates which claim contains the user scopes
|
||||||
|
// default set to 'scopes'
|
||||||
|
ScopesClaim string `json:"scopesClaim,omitempty"`
|
||||||
// UserIDClaim indicates which claim contains the user ID
|
// UserIDClaim indicates which claim contains the user ID
|
||||||
// default set to 'email'
|
// default set to 'email'
|
||||||
UserIDClaim string `json:"userIDClaim,omitempty"`
|
UserIDClaim string `json:"userIDClaim,omitempty"`
|
||||||
|
|
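Review bot: The new `ScopesClaim` comment does not say what shape the claim must have; `SessionState.Scopes` elsewhere in this commit is `[]string`, and whether a space-delimited string value is accepted is not visible here, so the comment should state the expected shape once confirmed. Suggested: `// ScopesClaim indicates which claim contains the user scopes (expected as a JSON array of strings), default set to 'scopes'`. The same applies to `NameClaim` in a lighter form — a note that it is read as a single string would match the `json:"nameClaim,omitempty"` field's intent. The `OIDCOptions` struct starts before this hunk.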
@ -264,7 +276,9 @@ func providerDefaults() Providers {
|
||||||
SkipDiscovery: false,
|
SkipDiscovery: false,
|
||||||
UserIDClaim: OIDCEmailClaim, // Deprecated: Use OIDCEmailClaim
|
UserIDClaim: OIDCEmailClaim, // Deprecated: Use OIDCEmailClaim
|
||||||
EmailClaim: OIDCEmailClaim,
|
EmailClaim: OIDCEmailClaim,
|
||||||
|
NameClaim: OIDCNameClaim,
|
||||||
GroupsClaim: OIDCGroupsClaim,
|
GroupsClaim: OIDCGroupsClaim,
|
||||||
|
ScopesClaim: OIDCScopesClaim,
|
||||||
AudienceClaims: OIDCAudienceClaims,
|
AudienceClaims: OIDCAudienceClaims,
|
||||||
ExtraAudiences: []string{},
|
ExtraAudiences: []string{},
|
||||||
},
|
},
|
||||||
|
|
|
||||||
|
|
@ -28,6 +28,8 @@ type SessionState struct {
|
||||||
User string `msgpack:"u,omitempty"`
|
User string `msgpack:"u,omitempty"`
|
||||||
Groups []string `msgpack:"g,omitempty"`
|
Groups []string `msgpack:"g,omitempty"`
|
||||||
PreferredUsername string `msgpack:"pu,omitempty"`
|
PreferredUsername string `msgpack:"pu,omitempty"`
|
||||||
|
Name string `msgpack:"dn,omitempty"`
|
||||||
|
Scopes []string `msgpack:"s,omitempty"`
|
||||||
|
|
||||||
// Internal helpers, not serialized
|
// Internal helpers, not serialized
|
||||||
Clock clock.Clock `msgpack:"-"`
|
Clock clock.Clock `msgpack:"-"`
|
||||||
|
|
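Review bot: The msgpack key `dn` for `Name` breaks the visible pattern of abbreviations derived from the field name (`u`, `g`, `pu`, and `s` for the new `Scopes`) and is not explained; if `n` is already taken by a field outside this hunk, say so inline, e.g. `Name string `msgpack:"dn,omitempty"` // "dn" (display name): "n" is already in use`. Both new fields are serialized into the stored session, so a long scopes list also enlarges the encrypted session payload, which matters for cookie-backed sessions with a hard size limit; that deserves a sentence in the field comment or the docs. The `SessionState` struct starts before this hunk.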
@ -101,7 +103,7 @@ func (s *SessionState) Age() time.Duration {
|
||||||
|
|
||||||
// String constructs a summary of the session state
|
// String constructs a summary of the session state
|
||||||
func (s *SessionState) String() string {
|
func (s *SessionState) String() string {
|
||||||
o := fmt.Sprintf("Session{email:%s user:%s PreferredUsername:%s", s.Email, s.User, s.PreferredUsername)
|
o := fmt.Sprintf("Session{email:%s user:%s PreferredUsername:%s Name:%s", s.Email, s.User, s.PreferredUsername, s.Name)
|
||||||
if s.AccessToken != "" {
|
if s.AccessToken != "" {
|
||||||
o += " token:true"
|
o += " token:true"
|
||||||
}
|
}
|
||||||
|
|
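Review bot: `Name` is formatted with `%s` in the session summary, and unlike the other values it is a free-form display name that may contain spaces or braces, which makes the `Session{...}` line ambiguous to parse; `%q` keeps it unambiguous: `o := fmt.Sprintf("Session{email:%s user:%s PreferredUsername:%s Name:%q", s.Email, s.User, s.PreferredUsername, s.Name)`. This summary is presumably what ends up in logs, so the commit extends the personal data written there; if that is acceptable it is worth a word in the commit message, and if not, the name should be omitted from `String()`. The `String` method continues past this hunk.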
@ -120,6 +122,9 @@ func (s *SessionState) String() string {
|
||||||
if len(s.Groups) > 0 {
|
if len(s.Groups) > 0 {
|
||||||
o += fmt.Sprintf(" groups:%v", s.Groups)
|
o += fmt.Sprintf(" groups:%v", s.Groups)
|
||||||
}
|
}
|
||||||
|
if len(s.Scopes) > 0 {
|
||||||
|
o += fmt.Sprintf(" scopes:%v", s.Scopes)
|
||||||
|
}
|
||||||
return o + "}"
|
return o + "}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -148,6 +153,12 @@ func (s *SessionState) GetClaim(claim string) []string {
|
||||||
return groups
|
return groups
|
||||||
case "preferred_username":
|
case "preferred_username":
|
||||||
return []string{s.PreferredUsername}
|
return []string{s.PreferredUsername}
|
||||||
|
case "name":
|
||||||
|
return []string{s.Name}
|
||||||
|
case "scopes":
|
||||||
|
scopes := make([]string, len(s.Scopes))
|
||||||
|
copy(scopes, s.Scopes)
|
||||||
|
return scopes
|
||||||
default:
|
default:
|
||||||
return []string{}
|
return []string{}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -178,7 +178,9 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
|
||||||
s.Email = newSession.Email
|
s.Email = newSession.Email
|
||||||
s.User = newSession.User
|
s.User = newSession.User
|
||||||
s.Groups = newSession.Groups
|
s.Groups = newSession.Groups
|
||||||
|
s.Scopes = newSession.Scopes
|
||||||
s.PreferredUsername = newSession.PreferredUsername
|
s.PreferredUsername = newSession.PreferredUsername
|
||||||
|
s.Name = newSession.Name
|
||||||
}
|
}
|
||||||
|
|
||||||
s.AccessToken = newSession.AccessToken
|
s.AccessToken = newSession.AccessToken
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,9 @@ type ProviderData struct {
|
||||||
AllowUnverifiedEmail bool
|
AllowUnverifiedEmail bool
|
||||||
UserClaim string
|
UserClaim string
|
||||||
EmailClaim string
|
EmailClaim string
|
||||||
|
NameClaim string
|
||||||
GroupsClaim string
|
GroupsClaim string
|
||||||
|
ScopesClaim string
|
||||||
Verifier internaloidc.IDTokenVerifier
|
Verifier internaloidc.IDTokenVerifier
|
||||||
SkipClaimsFromProfileURL bool
|
SkipClaimsFromProfileURL bool
|
||||||
|
|
||||||
|
|
@ -260,6 +262,8 @@ func (p *ProviderData) buildSessionFromClaims(rawIDToken, accessToken string) (*
|
||||||
{p.GroupsClaim, &ss.Groups},
|
{p.GroupsClaim, &ss.Groups},
|
||||||
// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
|
// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
|
||||||
{"preferred_username", &ss.PreferredUsername},
|
{"preferred_username", &ss.PreferredUsername},
|
||||||
|
{p.NameClaim, &ss.Name},
|
||||||
|
{p.ScopesClaim, &ss.Scopes},
|
||||||
} {
|
} {
|
||||||
if _, err := extractor.GetClaimInto(c.claim, c.dst); err != nil {
|
if _, err := extractor.GetClaimInto(c.claim, c.dst); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
||||||
|
|
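Review bot: A `ScopesClaim` value that is present but not an array of strings now aborts the whole session build at the `return nil, err` under the table, because the new `{p.ScopesClaim, &ss.Scopes}` entry is processed exactly like `Groups`; given that `scope` on many IdPs is a space-delimited string, a claim-name misconfiguration would surface as a login failure rather than an empty scope list. I cannot see whether `GetClaimInto` coerces a string into a one-element slice, so please confirm and document the expected shape next to the entry: `{p.ScopesClaim, &ss.Scopes}, // expects an array of strings; see GetClaimInto for what a string-valued claim does`. The loop and `buildSessionFromClaims` continue outside this hunk.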
@ -137,7 +137,9 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
|
||||||
// Make the OIDC options available to all providers that support it
|
// Make the OIDC options available to all providers that support it
|
||||||
p.AllowUnverifiedEmail = providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail
|
p.AllowUnverifiedEmail = providerConfig.OIDCConfig.InsecureAllowUnverifiedEmail
|
||||||
p.EmailClaim = providerConfig.OIDCConfig.EmailClaim
|
p.EmailClaim = providerConfig.OIDCConfig.EmailClaim
|
||||||
|
p.NameClaim = providerConfig.OIDCConfig.NameClaim
|
||||||
p.GroupsClaim = providerConfig.OIDCConfig.GroupsClaim
|
p.GroupsClaim = providerConfig.OIDCConfig.GroupsClaim
|
||||||
|
p.ScopesClaim = providerConfig.OIDCConfig.ScopesClaim
|
||||||
p.SkipClaimsFromProfileURL = providerConfig.SkipClaimsFromProfileURL
|
p.SkipClaimsFromProfileURL = providerConfig.SkipClaimsFromProfileURL
|
||||||
|
|
||||||
// Set PKCE enabled or disabled based on discovery and force options
|
// Set PKCE enabled or disabled based on discovery and force options
|
||||||
|
|
|
||||||
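Review bot: `p.NameClaim` and `p.ScopesClaim` are copied straight from `providerConfig.OIDCConfig` with no empty-value fallback, and nothing in this hunk shows the values from `providerDefaults()` being merged first; if a provider config is built without going through the defaults (tests, programmatic callers), `buildSessionFromClaims` would look up an empty claim name. If the defaults are guaranteed to be applied earlier, a one-line comment here saying so is enough; otherwise guard with `if p.ScopesClaim == "" { p.ScopesClaim = options.OIDCScopesClaim }` and the equivalent for `NameClaim`. `newProviderDataFromConfig` continues past this hunk.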