Skip to content

Commit

Permalink
Add claimMapping enforcement
Browse files Browse the repository at this point in the history 
Signed-off-by: Happy2C0de <[email protected]>
  • Loading branch information
@Happy2C0de
Happy2C0de committed Jan 19, 2022
1 parent ba1bd65 commit 45143c9
Show file tree
Hide file tree
Showing 2 changed files with 92 additions and 37 deletions.
53 changes: 32 additions & 21 deletions connector/oidc/oidc.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,16 +56,23 @@ type Config struct {
// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
PromptType string `json:"promptType"`

ClaimMapping struct {
// Configurable key which contains the preferred username claims
PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"
ClaimMapping ClaimMapping `json:"claimMapping"`
}

type ClaimMapping struct {
// Enforce the ClaimMapping.
// i.e. an 'email' claim will always be taken if available,
// irrelevant of the settings in EmailKey. This option will enforce the ClaimMapping options independent of the existing claims.
Enforce bool `json:"enforce"` // defaults to false

// Configurable key which contains the preferred username claims
PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"

// Configurable key which contains the email claims
EmailKey string `json:"email"` // defaults to "email"
// Configurable key which contains the email claims
EmailKey string `json:"email"` // defaults to "email"

// Configurable key which contains the groups claims
GroupsKey string `json:"groups"` // defaults to "groups"
} `json:"claimMapping"`
// Configurable key which contains the groups claims
GroupsKey string `json:"groups"` // defaults to "groups"
}

// Domains that don't support basic auth. golang.org/x/oauth2 has an internal
Expand Down Expand Up @@ -153,9 +160,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
promptType: c.PromptType,
userIDKey: c.UserIDKey,
userNameKey: c.UserNameKey,
preferredUsernameKey: c.ClaimMapping.PreferredUsernameKey,
emailKey: c.ClaimMapping.EmailKey,
groupsKey: c.ClaimMapping.GroupsKey,
claimMapping: c.ClaimMapping,
}, nil
}

Expand All @@ -178,9 +183,7 @@ type oidcConnector struct {
promptType string
userIDKey string
userNameKey string
preferredUsernameKey string
emailKey string
groupsKey string
claimMapping ClaimMapping
}

func (c *oidcConnector) Close() error {
Expand Down Expand Up @@ -288,9 +291,14 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
}

preferredUsername, found := claims["preferred_username"].(string)
if !found {
preferredUsername, _ = claims[c.preferredUsernameKey].(string)
prefUsername := "preferred_username"
preferredUsername, found := claims[prefUsername].(string)
if (!found || c.claimMapping.Enforce) && c.claimMapping.PreferredUsernameKey != "" {
prefUsername = c.claimMapping.PreferredUsernameKey
preferredUsername, found = claims[prefUsername].(string)
if !found {
return identity, fmt.Errorf("missing \"%s\" claim", prefUsername)
}
}

hasEmailScope := false
Expand All @@ -304,9 +312,12 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
var email string
emailKey := "email"
email, found = claims[emailKey].(string)
if !found && c.emailKey != "" {
emailKey = c.emailKey
if (!found || c.claimMapping.Enforce) && c.claimMapping.EmailKey != "" {
emailKey = c.claimMapping.EmailKey
email, found = claims[emailKey].(string)
if !found {
return identity, fmt.Errorf("missing \"%s\" claim", emailKey)
}
}

if !found && hasEmailScope {
Expand All @@ -326,8 +337,8 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
if c.insecureEnableGroups {
groupsKey := "groups"
vs, found := claims[groupsKey].([]interface{})
if !found {
groupsKey = c.groupsKey
if (!found || c.claimMapping.Enforce) && c.claimMapping.GroupsKey != "" {
groupsKey = c.claimMapping.GroupsKey
vs, found = claims[groupsKey].([]interface{})
}

Expand Down
76 changes: 60 additions & 16 deletions connector/oidc/oidc_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,7 @@ func TestHandleCallback(t *testing.T) {
name string
userIDKey string
userNameKey string
preferredUsernameKey string
emailKey string
groupsKey string
claimMapping ClaimMapping
insecureSkipEmailVerified bool
scopes []string
expectUserID string
Expand All @@ -78,10 +76,12 @@ func TestHandleCallback(t *testing.T) {
},
},
{
name: "customEmailClaim",
userIDKey: "", // not configured
userNameKey: "", // not configured
emailKey: "mail",
name: "customEmailClaim",
userIDKey: "", // not configured
userNameKey: "", // not configured
claimMapping: ClaimMapping{
EmailKey: "mail",
},
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
Expand All @@ -92,6 +92,25 @@ func TestHandleCallback(t *testing.T) {
"email_verified": true,
},
},
{
name: "enforceCustomEmailClaim",
userIDKey: "", // not configured
userNameKey: "", // not configured
claimMapping: ClaimMapping{
Enforce: true,
EmailKey: "custommail",
},
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "customemailvalue",
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"mail": "emailvalue",
"custommail": "customemailvalue",
"email_verified": true,
},
},
{
name: "email_verified not in claims, configured to be skipped",
insecureSkipEmailVerified: true,
Expand Down Expand Up @@ -131,8 +150,10 @@ func TestHandleCallback(t *testing.T) {
},
},
{
name: "withPreferredUsernameKey",
preferredUsernameKey: "username_key",
name: "withPreferredUsernameKey",
claimMapping: ClaimMapping{
PreferredUsernameKey: "username_key",
},
expectUserID: "subvalue",
expectUserName: "namevalue",
expectPreferredUsername: "username_value",
Expand Down Expand Up @@ -200,8 +221,10 @@ func TestHandleCallback(t *testing.T) {
},
},
{
name: "customGroupsKey",
groupsKey: "cognito:groups",
name: "customGroupsKey",
claimMapping: ClaimMapping{
GroupsKey: "cognito:groups",
},
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
Expand All @@ -217,8 +240,10 @@ func TestHandleCallback(t *testing.T) {
},
},
{
name: "customGroupsKeyButGroupsProvided",
groupsKey: "cognito:groups",
name: "customGroupsKeyButGroupsProvided",
claimMapping: ClaimMapping{
GroupsKey: "cognito:groups",
},
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
Expand All @@ -234,6 +259,27 @@ func TestHandleCallback(t *testing.T) {
"cognito:groups": []string{"group3", "group4"},
},
},
{
name: "customGroupsKeyButGroupsProvidedButEnforced",
claimMapping: ClaimMapping{
Enforce: true,
GroupsKey: "cognito:groups",
},
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
expectGroups: []string{"group3", "group4"},
scopes: []string{"groups"},
insecureSkipEmailVerified: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"user_name": "username",
"email": "emailvalue",
"groups": []string{"group1", "group2"},
"cognito:groups": []string{"group3", "group4"},
},
},
}

for _, tc := range tests {
Expand Down Expand Up @@ -264,9 +310,7 @@ func TestHandleCallback(t *testing.T) {
InsecureEnableGroups: true,
BasicAuthUnsupported: &basicAuth,
}
config.ClaimMapping.PreferredUsernameKey = tc.preferredUsernameKey
config.ClaimMapping.EmailKey = tc.emailKey
config.ClaimMapping.GroupsKey = tc.groupsKey
config.ClaimMapping = tc.claimMapping

conn, err := newConnector(config)
if err != nil {
Expand Down

0 comments on commit 45143c9

Please sign in to comment.