Merge pull request #145 from rtluckie/feature/add_oidc_userinfo_support
Add OIDC support for UserInfo Endpoint Email Verification
This commit is contained in:
commit
b167744b0a
@ -96,6 +96,7 @@
|
|||||||
- [#159](https://github.com/pusher/oauth2_proxy/pull/159) Add option to skip the OIDC provider verified email check: `--insecure-oidc-allow-unverified-email`
|
- [#159](https://github.com/pusher/oauth2_proxy/pull/159) Add option to skip the OIDC provider verified email check: `--insecure-oidc-allow-unverified-email`
|
||||||
- [#210](https://github.com/pusher/oauth2_proxy/pull/210) Update base image from Alpine 3.9 to 3.10 (@steakunderscore)
|
- [#210](https://github.com/pusher/oauth2_proxy/pull/210) Update base image from Alpine 3.9 to 3.10 (@steakunderscore)
|
||||||
- [#211](https://github.com/pusher/oauth2_proxy/pull/211) Switch from dep to go modules (@steakunderscore)
|
- [#211](https://github.com/pusher/oauth2_proxy/pull/211) Switch from dep to go modules (@steakunderscore)
|
||||||
|
- [#145](https://github.com/pusher/oauth2_proxy/pull/145) Add support for OIDC UserInfo endpoint email verification (@rtluckie)
|
||||||
|
|
||||||
# v3.2.0
|
# v3.2.0
|
||||||
|
|
||||||
|
@ -3,10 +3,13 @@ package providers
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net/http"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
oidc "github.com/coreos/go-oidc"
|
oidc "github.com/coreos/go-oidc"
|
||||||
"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
|
"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
|
||||||
|
"github.com/pusher/oauth2_proxy/pkg/requests"
|
||||||
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -117,8 +120,31 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
|
|||||||
}
|
}
|
||||||
|
|
||||||
if claims.Email == "" {
|
if claims.Email == "" {
|
||||||
// TODO: Try getting email from /userinfo before falling back to Subject
|
if p.ProfileURL.String() == "" {
|
||||||
claims.Email = claims.Subject
|
return nil, fmt.Errorf("id_token did not contain an email")
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the userinfo endpoint profileURL is defined, then there is a chance the userinfo
|
||||||
|
// contents at the profileURL contains the email.
|
||||||
|
// Make a query to the userinfo endpoint, and attempt to locate the email from there.
|
||||||
|
|
||||||
|
req, err := http.NewRequest("GET", p.ProfileURL.String(), nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
req.Header = getOIDCHeader(token.AccessToken)
|
||||||
|
|
||||||
|
respJSON, err := requests.Request(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
email, err := respJSON.Get("email").String()
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Neither id_token nor userinfo endpoint contained an email")
|
||||||
|
}
|
||||||
|
|
||||||
|
claims.Email = email
|
||||||
}
|
}
|
||||||
if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
|
if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
|
||||||
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
||||||
@ -145,3 +171,10 @@ func (p *OIDCProvider) ValidateSessionState(s *sessions.SessionState) bool {
|
|||||||
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getOIDCHeader(accessToken string) http.Header {
|
||||||
|
header := make(http.Header)
|
||||||
|
header.Set("Accept", "application/json")
|
||||||
|
header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
|
||||||
|
return header
|
||||||
|
}
|
||||||
|
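Review bot: The verified-email check after the new userinfo fallback still reads only `claims.Verified`, which was decoded from the id_token; when the id_token carried no email it very likely carried no `email_verified` either, so an address pulled from the userinfo response passes the `claims.Verified != nil && !*claims.Verified` guard without any verification signal, even though `--insecure-oidc-allow-unverified-email` is not set. The userinfo document normally carries its own `email_verified` claim, so the fallback should pick it up alongside the email, e.g. after `claims.Email = email`: `if verified, err := respJSON.Get("email_verified").Bool(); err == nil { claims.Verified = &verified }` (assuming the JSON helper exposes a `Bool()` accessor next to the `String()` one used here). The rejection message `email in id_token (%s) isn't verified` is then also inaccurate for the userinfo path and could say `email (%s) isn't verified`. Since `createSessionState` receives `ctx`, the userinfo request could also be built with `http.NewRequestWithContext(ctx, ...)` so the outbound call honours cancellation. The enclosing function starts before this hunk.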