From 9d1ea5ec3e2b4465ed05b33a970627bf9a290122 Mon Sep 17 00:00:00 2001
From: Jose Plana
Date: Mon, 10 Apr 2017 16:01:03 +0200
Subject: [PATCH] Skip userinfo if provider doesn't support it.

---
 lib/auth/auth.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 98f1b27774ab0..971593220016a 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -909,6 +909,10 @@ func claimsFromUserInfo(oidcClient *oidc.Client, issuerURL string, accessToken s
 if err != nil {
 return nil, trace.Wrap(err)
 }
+ // If the provider doesn't offer a UserInfo endpoint don't err.
+ if pc.UserInfoEndpoint == nil {
+ return nil, nil
+ }
 endpoint := pc.UserInfoEndpoint.String()
 err = isHTTPS(endpoint)
 if err != nil {
@@ -979,6 +983,11 @@ func (a *AuthServer) getClaims(oidcClient *oidc.Client, issuerURL string, code s
 log.Debugf("[OIDC] Unable to fetch UserInfo claims: %v", err)
 return nil, trace.Wrap(err)
 }
+ if userInfoClaims == nil {
+ log.Warn("[OIDC] Provider doesn't offer UserInfo endpoint. Only token claims will be used.")
+ return idTokenClaims, nil
+ }
+
 log.Debugf("[OIDC] UserInfo claims: %v", userInfoClaims)
 // make sure that the subject in the userinfo claim matches the subject in
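Review bot: The added `return nil, nil` in claimsFromUserInfo turns a nil claims value into a control signal, and the caller in the second hunk (getClaims) must remember to test `userInfoClaims == nil` before its subject-match check; any other caller that treats a nil error as "claims present" would proceed with an empty claim set. A dedicated sentinel declared once, e.g. `var errNoUserInfoEndpoint = errors.New("provider does not offer a UserInfo endpoint")` (name constructed), returned here as `return nil, trace.Wrap(errNoUserInfoEndpoint)` and compared at the getClaims call site, keeps the contract explicit and still lets getClaims fall back to the ID token claims. The nil check also covers only an absent pointer: a discovery document advertising an empty endpoint string still reaches `isHTTPS`, which is presumably what rejects it, so the added comment could say that the empty-string case is handled on the next lines. claimsFromUserInfo starts and ends outside the hunk.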