Include JWT sub as User

This commit is contained in:
Phil Taprogge 2019-05-07 11:44:19 +01:00
parent 15f48fb95e
commit 56da8387c0
No known key found for this signature in database
GPG Key ID: 64CEAA06D4D027C8
2 changed files with 20 additions and 16 deletions


@ -29,6 +29,12 @@ type GoogleProvider struct {
GroupValidator func(string) bool GroupValidator func(string) bool
} }
type claims struct {
Subject string `json:"sub"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
}
// NewGoogleProvider initiates a new GoogleProvider // NewGoogleProvider initiates a new GoogleProvider
func NewGoogleProvider(p *ProviderData) *GoogleProvider { func NewGoogleProvider(p *ProviderData) *GoogleProvider {
p.ProviderName = "Google" p.ProviderName = "Google"
@ -64,7 +70,7 @@ func NewGoogleProvider(p *ProviderData) *GoogleProvider {
} }
} }
func emailFromIDToken(idToken string) (string, error) { func claimsFromIDToken(idToken string) (*claims, error) {
// id_token is a base64 encode ID token payload // id_token is a base64 encode ID token payload
// https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo // https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo
@ -72,24 +78,21 @@ func emailFromIDToken(idToken string) (string, error) {
jwtData := strings.TrimSuffix(jwt[1], "=") jwtData := strings.TrimSuffix(jwt[1], "=")
b, err := base64.RawURLEncoding.DecodeString(jwtData) b, err := base64.RawURLEncoding.DecodeString(jwtData)
if err != nil { if err != nil {
return "", err return nil, err
} }
var email struct { c := &claims{}
Email string `json:"email"` err = json.Unmarshal(b, c)
EmailVerified bool `json:"email_verified"`
}
err = json.Unmarshal(b, &email)
if err != nil { if err != nil {
return "", err return nil, err
} }
if email.Email == "" { if c.Email == "" {
return "", errors.New("missing email") return nil, errors.New("missing email")
} }
if !email.EmailVerified { if !c.EmailVerified {
return "", fmt.Errorf("email %s not listed as verified", email.Email) return nil, fmt.Errorf("email %s not listed as verified", c.Email)
} }
return email.Email, nil return c, nil
} }
// Redeem exchanges the OAuth2 authentication token for an ID token // Redeem exchanges the OAuth2 authentication token for an ID token
@ -138,8 +141,7 @@ func (p *GoogleProvider) Redeem(redirectURL, code string) (s *SessionState, err
if err != nil { if err != nil {
return return
} }
var email string c, err := claimsFromIDToken(jsonResponse.IDToken)
email, err = emailFromIDToken(jsonResponse.IDToken)
if err != nil { if err != nil {
return return
} }
@ -148,7 +150,8 @@ func (p *GoogleProvider) Redeem(redirectURL, code string) (s *SessionState, err
IDToken: jsonResponse.IDToken, IDToken: jsonResponse.IDToken,
ExpiresOn: time.Now().Add(time.Duration(jsonResponse.ExpiresIn) * time.Second).Truncate(time.Second), ExpiresOn: time.Now().Add(time.Duration(jsonResponse.ExpiresIn) * time.Second).Truncate(time.Second),
RefreshToken: jsonResponse.RefreshToken, RefreshToken: jsonResponse.RefreshToken,
Email: email, Email: c.Email,
User: c.Subject,
} }
return return
} }
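Review bot: claimsFromIDToken validates Email (present and verified) but never checks the new Subject field, so a payload without `sub` yields a session whose User is the empty string, which the Redeem hunk at the end of this file now stores as the account identity. Since `sub` is the stable identifier the commit is introducing, add a guard next to the existing email check: `if c.Subject == "" {` / `return nil, errors.New("missing subject")` / `}`. The same unchecked `claims.Subject` is written into User in the OIDCProvider.createSessionState hunk of the second file; where the OIDC claims are decoded is outside these hunks, so that path presumably needs the equivalent check if it does not already have one. claimsFromIDToken's signature sits in the previous hunk and its body is split across it and this one; as it is now a renamed exported-style helper, a doc comment such as `// claimsFromIDToken decodes the unverified payload of a Google id_token and returns its subject and verified email.` would make the contract explicit.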

View File

@ -128,6 +128,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
RefreshToken: token.RefreshToken, RefreshToken: token.RefreshToken,
ExpiresOn: token.Expiry, ExpiresOn: token.Expiry,
Email: claims.Email, Email: claims.Email,
User: claims.Subject,
}, nil }, nil
} }