Include JWT sub as User
This commit is contained in:
parent
15f48fb95e
commit
56da8387c0
@ -29,6 +29,12 @@ type GoogleProvider struct {
|
|||||||
GroupValidator func(string) bool
|
GroupValidator func(string) bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type claims struct {
|
||||||
|
Subject string `json:"sub"`
|
||||||
|
Email string `json:"email"`
|
||||||
|
EmailVerified bool `json:"email_verified"`
|
||||||
|
}
|
||||||
|
|
||||||
// NewGoogleProvider initiates a new GoogleProvider
|
// NewGoogleProvider initiates a new GoogleProvider
|
||||||
func NewGoogleProvider(p *ProviderData) *GoogleProvider {
|
func NewGoogleProvider(p *ProviderData) *GoogleProvider {
|
||||||
p.ProviderName = "Google"
|
p.ProviderName = "Google"
|
||||||
@ -64,7 +70,7 @@ func NewGoogleProvider(p *ProviderData) *GoogleProvider {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func emailFromIDToken(idToken string) (string, error) {
|
func claimsFromIDToken(idToken string) (*claims, error) {
|
||||||
|
|
||||||
// id_token is a base64 encode ID token payload
|
// id_token is a base64 encode ID token payload
|
||||||
// https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo
|
// https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo
|
||||||
@ -72,24 +78,21 @@ func emailFromIDToken(idToken string) (string, error) {
|
|||||||
jwtData := strings.TrimSuffix(jwt[1], "=")
|
jwtData := strings.TrimSuffix(jwt[1], "=")
|
||||||
b, err := base64.RawURLEncoding.DecodeString(jwtData)
|
b, err := base64.RawURLEncoding.DecodeString(jwtData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var email struct {
|
c := &claims{}
|
||||||
Email string `json:"email"`
|
err = json.Unmarshal(b, c)
|
||||||
EmailVerified bool `json:"email_verified"`
|
|
||||||
}
|
|
||||||
err = json.Unmarshal(b, &email)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return nil, err
|
||||||
}
|
}
|
||||||
if email.Email == "" {
|
if c.Email == "" {
|
||||||
return "", errors.New("missing email")
|
return nil, errors.New("missing email")
|
||||||
}
|
}
|
||||||
if !email.EmailVerified {
|
if !c.EmailVerified {
|
||||||
return "", fmt.Errorf("email %s not listed as verified", email.Email)
|
return nil, fmt.Errorf("email %s not listed as verified", c.Email)
|
||||||
}
|
}
|
||||||
return email.Email, nil
|
return c, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Redeem exchanges the OAuth2 authentication token for an ID token
|
// Redeem exchanges the OAuth2 authentication token for an ID token
|
||||||
@ -138,8 +141,7 @@ func (p *GoogleProvider) Redeem(redirectURL, code string) (s *SessionState, err
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
var email string
|
c, err := claimsFromIDToken(jsonResponse.IDToken)
|
||||||
email, err = emailFromIDToken(jsonResponse.IDToken)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -148,7 +150,8 @@ func (p *GoogleProvider) Redeem(redirectURL, code string) (s *SessionState, err
|
|||||||
IDToken: jsonResponse.IDToken,
|
IDToken: jsonResponse.IDToken,
|
||||||
ExpiresOn: time.Now().Add(time.Duration(jsonResponse.ExpiresIn) * time.Second).Truncate(time.Second),
|
ExpiresOn: time.Now().Add(time.Duration(jsonResponse.ExpiresIn) * time.Second).Truncate(time.Second),
|
||||||
RefreshToken: jsonResponse.RefreshToken,
|
RefreshToken: jsonResponse.RefreshToken,
|
||||||
Email: email,
|
Email: c.Email,
|
||||||
|
User: c.Subject,
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
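Review bot: claimsFromIDToken (hunk @ -72) validates `c.Email` and `c.EmailVerified` but never checks `c.Subject`, so an ID token payload without a `sub` claim now yields a session whose User is empty, which is exactly the field this commit starts relying on; add a guard beside the email check, `if c.Subject == "" { return nil, errors.New("missing sub") }`. In Redeem (hunk @ -138) replacing `email, err = ...` with `c, err := claimsFromIDToken(...)` is fine at the top level of the function body, but because `err` is a named result and the function ends with a bare `return`, a `:=` inside any nested block would shadow it and silently return a nil error — the flattened indentation on this page does not show which it is, so worth confirming. The new claims struct (hunk @ -29) has no field comments; a one-liner such as `// Subject is the OIDC sub claim: a stable, issuer-scoped user identifier, unlike Email which can change.` would explain why it is now used as User.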
@ -128,6 +128,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
|
|||||||
RefreshToken: token.RefreshToken,
|
RefreshToken: token.RefreshToken,
|
||||||
ExpiresOn: token.Expiry,
|
ExpiresOn: token.Expiry,
|
||||||
Email: claims.Email,
|
Email: claims.Email,
|
||||||
|
User: claims.Subject,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
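Review bot: `User: claims.Subject` changes what SessionState.User carries for this provider to the OIDC `sub` claim without a comment; since `sub` is an opaque identifier that is only unique per issuer (unlike an email, which is human-readable but can be reassigned), a short comment on that line, `// User is the issuer-stable "sub" claim; Email may change over time`, would keep readers from treating it as a username. The claims value is built above this hunk, so whether its Subject field comes from a verified ID token cannot be confirmed here; createSessionState starts outside the hunk.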