Merge pull request #57 from aigarius/patch-1

Fall back to using OIDC Subject instead of Email
This commit is contained in:
Joel Speed 2019-03-08 14:20:12 +00:00 committed by GitHub
commit 21c9d38ada
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 1 deletions


@ -2,6 +2,7 @@
## Changes since v3.1.0 ## Changes since v3.1.0
- [#57](https://github.com/pusher/oauth2_proxy/pull/57) Fall back to using OIDC Subject instead of Email (@aigarius)
- [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes) - [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes)
- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) - [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
- [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery - [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery


@ -106,6 +106,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
// Extract custom claims. // Extract custom claims.
var claims struct { var claims struct {
Subject string `json:"sub"`
Email string `json:"email"` Email string `json:"email"`
Verified *bool `json:"email_verified"` Verified *bool `json:"email_verified"`
} }
@ -114,7 +115,8 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
} }
if claims.Email == "" { if claims.Email == "" {
return nil, fmt.Errorf("id_token did not contain an email") // TODO: Try getting email from /userinfo before falling back to Subject
claims.Email = claims.Subject
} }
if claims.Verified != nil && !*claims.Verified { if claims.Verified != nil && !*claims.Verified {
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email) return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
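Review bot: The new fallback `claims.Email = claims.Subject` removes the only guard that rejected an id_token carrying no usable identity: when `sub` is also empty, createSessionState now proceeds with an empty Email where the old `return nil, fmt.Errorf("id_token did not contain an email")` would have failed closed. Add a check before the assignment, `if claims.Subject == "" { return nil, fmt.Errorf("id_token contained neither an email nor a subject") }`, so a malformed or minimal token still cannot produce a session. It is also worth a comment at that line that the session's Email field will now hold an opaque subject identifier rather than an address, since anything downstream that presumably treats it as an email (domain allow-lists, forwarded identity headers) must be able to cope with that; the `email_verified` check that follows will likewise report the subject in its "email in id_token (%s)" message in that case. The enclosing createSessionState continues outside the hunk.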