From 2eecf756e43a2d77e489d41251af4ab2f419aa06 Mon Sep 17 00:00:00 2001
From: Ryan Luckie <rluckie@cisco.com>
Date: Fri, 3 May 2019 17:33:56 -0500
Subject: [PATCH] Add OIDC support for UserInfo Endpoint Email Verification

* Current OIDC implementation asserts that user email check must come
from JWT token claims. OIDC specification also allows for source
of user email to be fetched from userinfo profile endpoint.
http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

* First, attempt to retrieve email from JWT token claims.  Then fall back to
requesting email from userinfo endpoint.

* Don't fallback to subject for email

https://github.com/bitly/oauth2_proxy/pull/481
---
 providers/oidc.go | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/providers/oidc.go b/providers/oidc.go
index 86a58f6..396310f 100644
--- a/providers/oidc.go
+++ b/providers/oidc.go
@@ -3,11 +3,15 @@ package providers
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"time"
 
 	oidc "github.com/coreos/go-oidc"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
+	"github.com/pusher/oauth2_proxy/pkg/requests"
+
 	"golang.org/x/oauth2"
+
 )
 
 // OIDCProvider represents an OIDC based Identity Provider
@@ -117,8 +121,31 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
 	}
 
 	if claims.Email == "" {
-		// TODO: Try getting email from /userinfo before falling back to Subject
-		claims.Email = claims.Subject
+		if p.ProfileURL.String() == "" {
+			return nil, fmt.Errorf("id_token did not contain an email")
+		}
+
+		// If the userinfo endpoint profileURL is defined, then there is a chance the userinfo
+		// contents at the profileURL contains the email.
+		// Make a query to the userinfo endpoint, and attempt to locate the email from there.
+
+		req, err := http.NewRequest("GET", p.ProfileURL.String(), nil)
+		if err != nil {
+			return nil, err
+		}
+		req.Header = getOIDCHeader(token.AccessToken)
+
+		json, err := requests.Request(req)
+		if err != nil {
+			return nil, err
+		}
+
+		email, err := json.Get("email").String()
+		if err != nil {
+			return nil, fmt.Errorf("id_token nor userinfo endpoint did not contain an email")
+		}
+
+		claims.Email = email
 	}
 	if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
 		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
@@ -145,3 +172,10 @@ func (p *OIDCProvider) ValidateSessionState(s *sessions.SessionState) bool {
 
 	return true
 }
+
+func getOIDCHeader(access_token string) http.Header {
+	header := make(http.Header)
+	header.Set("Accept", "application/json")
+	header.Set("Authorization", fmt.Sprintf("Bearer %s", access_token))
+	return header
+}