Skip to content

Commit

Permalink
Merge pull request #1434 from jacksontj/groups
Browse files Browse the repository at this point in the history
Add option to enable groups for oidc connectors
  • Loading branch information
bonifaido authored Nov 27, 2019
2 parents 8fdcee7 + 21ab30d commit c410357
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 0 deletions.
7 changes: 7 additions & 0 deletions Documentation/connectors/oidc.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,13 @@ connectors:
# This can be overridden with the below option
# insecureSkipEmailVerified: true

# Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed
# meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector
# doesn't allow groups claims. If you are okay with having potentially stale group claims you can use
# this option to enable groups claims through the oidc connector on a per-connector basis.
# This can be overridden with the below option
# insecureEnableGroups: true

# When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
# take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
# all the claims requested.
Expand Down
18 changes: 18 additions & 0 deletions connector/oidc/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,9 @@ type Config struct {
// Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`

// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
InsecureEnableGroups bool `json:"insecureEnableGroups"`

// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
Expand Down Expand Up @@ -139,6 +142,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
cancel: cancel,
hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups,
getUserInfo: c.GetUserInfo,
userIDKey: c.UserIDKey,
userNameKey: c.UserNameKey,
Expand All @@ -159,6 +163,7 @@ type oidcConnector struct {
logger log.Logger
hostedDomains []string
insecureSkipEmailVerified bool
insecureEnableGroups bool
getUserInfo bool
userIDKey string
userNameKey string
Expand Down Expand Up @@ -321,5 +326,18 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
identity.UserID = userID
}

if c.insecureEnableGroups {
vs, ok := claims["groups"].([]interface{})
if ok {
for _, v := range vs {
if s, ok := v.(string); ok {
identity.Groups = append(identity.Groups, s)
} else {
return identity, errors.New("malformed \"groups\" claim")
}
}
}
}

return identity, nil
}

0 comments on commit c410357

Please sign in to comment.