public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Handle claim finding differently in bearer vs standard IDTokens

This commit is contained in:
Nick Meves 2020-07-28 09:00:27 -07:00
parent 514db45d1a
commit dcc75410a8
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
1 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
providers/oidc.go
View File

@ -157,7 +157,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
newSession = &sessions.SessionState{} newSession = &sessions.SessionState{}
} else { } else {
var err error var err error
newSession, err = p.createSessionStateInternal(ctx, token.Extra("id_token").(string), idToken, token) newSession, err = p.createSessionStateInternal(ctx, token.Extra("id_token").(string), idToken, token, false)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -172,7 +172,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
} }
func (p *OIDCProvider) CreateSessionStateFromBearerToken(ctx context.Context, rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) { func (p *OIDCProvider) CreateSessionStateFromBearerToken(ctx context.Context, rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) {
newSession, err := p.createSessionStateInternal(ctx, rawIDToken, idToken, nil) newSession, err := p.createSessionStateInternal(ctx, rawIDToken, idToken, nil, true)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -185,7 +185,7 @@ func (p *OIDCProvider) CreateSessionStateFromBearerToken(ctx context.Context, ra
return newSession, nil return newSession, nil
} }
func (p *OIDCProvider) createSessionStateInternal(ctx context.Context, rawIDToken string, idToken *oidc.IDToken, token *oauth2.Token) (*sessions.SessionState, error) { func (p *OIDCProvider) createSessionStateInternal(ctx context.Context, rawIDToken string, idToken *oidc.IDToken, token *oauth2.Token, bearer bool) (*sessions.SessionState, error) {
newSession := &sessions.SessionState{} newSession := &sessions.SessionState{}
@ -197,7 +197,7 @@ func (p *OIDCProvider) createSessionStateInternal(ctx context.Context, rawIDToke
accessToken = token.AccessToken accessToken = token.AccessToken
} }
claims, err := p.findClaimsFromIDToken(ctx, idToken, accessToken, p.ProfileURL.String()) claims, err := p.findClaimsFromIDToken(ctx, idToken, accessToken, p.ProfileURL.String(), bearer)
if err != nil { if err != nil {
return nil, fmt.Errorf("couldn't extract claims from id_token (%v)", err) return nil, fmt.Errorf("couldn't extract claims from id_token (%v)", err)
} }
@ -230,7 +230,7 @@ func getOIDCHeader(accessToken string) http.Header {
return header return header
} }
func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.IDToken, accessToken string, profileURL string) (*OIDCClaims, error) { func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.IDToken, accessToken string, profileURL string, bearer bool) (*OIDCClaims, error) {
claims := &OIDCClaims{} claims := &OIDCClaims{}
// Extract default claims. // Extract default claims.
if err := idToken.Claims(&claims); err != nil { if err := idToken.Claims(&claims); err != nil {
@ -249,9 +249,12 @@ func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.
// userID claim was not present or was empty in the ID Token // userID claim was not present or was empty in the ID Token
if claims.UserID == "" { if claims.UserID == "" {
if profileURL == "" { if profileURL == "" {
if bearer {
claims.UserID = claims.Subject claims.UserID = claims.Subject
return claims, nil return claims, nil
} }
return nil, fmt.Errorf("id_token did not contain user ID claim (%q)", p.UserIDClaim)
}
// If the userinfo endpoint profileURL is defined, then there is a chance the userinfo // If the userinfo endpoint profileURL is defined, then there is a chance the userinfo
// contents at the profileURL contains the email. // contents at the profileURL contains the email.