
OIDC groups and userinfo support #1463

Closed
wants to merge 10 commits into from

Conversation

drekle

@drekle drekle commented Jun 6, 2019

Trying to resume
#1315
#1133
Also noticed #1454 is a little more relevant and okay making changes after that one if one of these can merge.

fjbsantiago and others added 8 commits November 25, 2017 21:05
1. The AccessToken is filled with Claims, Connector Data and ConnectorID from the AuthCode.
2. It is then Serialized and sent to the user
3. The user may then make a request to the /userinfo endpoint using this token.

By default, when dex gets a /userinfo request, the token is deserialized, the Claims originally copied from AuthCode are extracted from it and sent back to the user as the User Info response payload.

This should work for all the connectors and was tested with the LDAP and OIDC connectors.

If the connector used to authenticate the user implements the GetUserInfo interface, then the responsibility of generating the User Info payload is delegated to it.

This is the case for the Oidc connector.
It uses the real AccessToken, previously stored as a field in the ConnectorData, to forward a genuine /userinfo request to the original IdP.
The Claims extracted from the AuthCode are used to generate the initial user info payload object, and this object is extended with whatever claims are returned by the original IdP.
— Access Token is encrypted upon generation
— Access Token is decrypted in userinfo handler to extract original Claims and other relevant information
…master

# Conflicts:
#	Documentation/oidc-connector.md
#	server/internal/types.pb.go
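The token flow described in the commit message above, written out as an added Go example; this is not dex's code and not the code in this PR. The type names (accessToken, userInfoProvider, tokenCodec, fakeOIDC), the use of AES-GCM for sealing the token, and the in-memory map standing in for the upstream IdP's /userinfo endpoint are all assumptions made for illustration: the commit message says the access token is encrypted but does not name the cipher. The example shows the three paths the message describes: a connector without GetUserInfo gets the stored claims back unchanged, the OIDC-style connector extends them with what the upstream IdP returns for the stored real access token, and a tampered or truncated token is rejected before any claims are read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// accessToken is what gets sealed inside the opaque access token: claims copied from the
// auth code, the authenticating connector's ID and connector-private data (for the OIDC
// connector, the upstream IdP's real access token). Names are assumed, not dex's own.
type accessToken struct {
	ConnectorID   string                 `json:"connector_id"`
	Claims        map[string]interface{} `json:"claims"`
	ConnectorData []byte                 `json:"connector_data,omitempty"`
}

// userInfoProvider is the optional per-connector hook (assumed name for the GetUserInfo interface).
type userInfoProvider interface {
	GetUserInfo(connectorData []byte, base map[string]interface{}) (map[string]interface{}, error)
}

// tokenCodec seals tokens with AES-GCM, so a client can neither read the stored
// upstream token nor alter the claims without the handler noticing (assumed cipher).
type tokenCodec struct{ aead cipher.AEAD }

func newTokenCodec(key []byte) (*tokenCodec, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &tokenCodec{aead: aead}, err
}

// seal serialises the token and encrypts it, with a fresh random nonce prepended.
func (c *tokenCodec) seal(tok accessToken) (string, error) {
	plain, err := json.Marshal(tok)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, plain, nil)), nil
}

// open decrypts and authenticates a token; any modification is rejected here.
func (c *tokenCodec) open(s string) (accessToken, error) {
	var tok accessToken
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return tok, err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return tok, errors.New("access token too short")
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return tok, errors.New("invalid or tampered access token")
	}
	return tok, json.Unmarshal(plain, &tok)
}

// userInfo is the /userinfo handler logic: open the token, start from the stored
// claims, and delegate to the connector if it implements userInfoProvider.
func userInfo(c *tokenCodec, connectors map[string]interface{}, token string) (map[string]interface{}, error) {
	tok, err := c.open(token)
	if err != nil {
		return nil, err
	}
	if tok.Claims == nil {
		tok.Claims = map[string]interface{}{}
	}
	if p, ok := connectors[tok.ConnectorID].(userInfoProvider); ok {
		return p.GetUserInfo(tok.ConnectorData, tok.Claims)
	}
	return tok.Claims, nil
}

// fakeOIDC stands in for the OIDC connector; its map plays the upstream IdP's
// /userinfo endpoint keyed by the upstream access token (constructed data).
type fakeOIDC struct{ upstream map[string]map[string]interface{} }

func (f fakeOIDC) GetUserInfo(data []byte, base map[string]interface{}) (map[string]interface{}, error) {
	extra, ok := f.upstream[string(data)]
	if !ok {
		return nil, errors.New("upstream IdP rejected the stored access token")
	}
	for k, v := range extra {
		base[k] = v // upstream claims extend the ones copied from the auth code
	}
	return base, nil
}

func main() {
	codec, _ := newTokenCodec([]byte("0123456789abcdef0123456789abcdef")) // demo key only
	connectors := map[string]interface{}{"oidc": fakeOIDC{upstream: map[string]map[string]interface{}{"upstream-tok": {"groups": []string{"admins"}}}}}
	tok, _ := codec.seal(accessToken{ConnectorID: "oidc", Claims: map[string]interface{}{"sub": "jane"}, ConnectorData: []byte("upstream-tok")})
	fmt.Println(userInfo(codec, connectors, tok))
}
```

The point of sealing rather than signing is the ConnectorData field: it holds the upstream IdP's real access token, and a merely signed token would hand that bearer credential to the client. The nonce check before slicing is the kind of edge case a handler exposed to arbitrary bearer strings needs, since a short input would otherwise panic rather than fail cleanly.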
@drekle
Author

drekle commented Jun 6, 2019

@JoelSpeed I tried to resolve many of your comments from #1315. We would very much like to use this. Let me know what I can do to try to get this merged.

@drekle
Author

drekle commented Jun 6, 2019

@kalinon please +1 if this is okay for me to pick up. Otherwise I am okay with you cherry-picking anything I have done.

@kalinon

kalinon commented Jun 6, 2019

@kalinon please +1 if this is okay for me to pick up. Otherwise I am okay with you cherry-picking anything I have done.

Please do, i appreciate it. Go is not my main language and i would rather not muck it up.

@drekle drekle closed this Jun 6, 2019
@drekle drekle reopened this Jun 6, 2019
@drekle
Author

drekle commented Jun 7, 2019

@srenatus any idea on the direction here with all these PR's?

@kalinon

kalinon commented Jun 7, 2019

Looks good to me. If i could approve i would!

@JoelSpeed
Contributor

Hey, I don't have time to look now, but will try to over the weekend

@nabokihms
Member

UserInfo endpoint was implemented in #1473
Groups are supported by enabling the flag. The group key is also customizable.

Closing this PR. Please open a new one if you still have an issue.

@nabokihms nabokihms closed this Feb 17, 2023

5 participants