Commit 4194530c authored by Ben Navetta's avatar Ben Navetta

initial hostedDomain support

parent 3493e30f
...@@ -33,6 +33,7 @@ type Config struct { ...@@ -33,6 +33,7 @@ type Config struct {
Scopes []string `json:"scopes"` // defaults to "profile" and "email" Scopes []string `json:"scopes"` // defaults to "profile" and "email"
HostedDomain string `json:"hostedDomain"`
} }
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
...@@ -110,8 +111,9 @@ func (c *Config) Open(logger logrus.FieldLogger) (conn connector.Connector, err ...@@ -110,8 +111,9 @@ func (c *Config) Open(logger logrus.FieldLogger) (conn connector.Connector, err
verifier: provider.Verifier( verifier: provider.Verifier(
&oidc.Config{ClientID: clientID}, &oidc.Config{ClientID: clientID},
), ),
logger: logger, logger: logger,
cancel: cancel, cancel: cancel,
hostedDomain: c.HostedDomain,
}, nil }, nil
} }
...@@ -127,6 +129,7 @@ type oidcConnector struct { ...@@ -127,6 +129,7 @@ type oidcConnector struct {
ctx context.Context ctx context.Context
cancel context.CancelFunc cancel context.CancelFunc
logger logrus.FieldLogger logger logrus.FieldLogger
hostedDomain string
} }
func (c *oidcConnector) Close() error { func (c *oidcConnector) Close() error {
...@@ -138,7 +141,12 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string) ...@@ -138,7 +141,12 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string)
if c.redirectURI != callbackURL { if c.redirectURI != callbackURL {
return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI) return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
} }
return c.oauth2Config.AuthCodeURL(state), nil
if c.hostedDomain != "" {
return c.oauth2Config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", c.hostedDomain)), nil
} else {
return c.oauth2Config.AuthCodeURL(state), nil
}
} }
type oauth2Error struct { type oauth2Error struct {
...@@ -176,11 +184,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide ...@@ -176,11 +184,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
Username string `json:"name"` Username string `json:"name"`
Email string `json:"email"` Email string `json:"email"`
EmailVerified bool `json:"email_verified"` EmailVerified bool `json:"email_verified"`
HostedDomain string `json:"hd"`
} }
if err := idToken.Claims(&claims); err != nil { if err := idToken.Claims(&claims); err != nil {
return identity, fmt.Errorf("oidc: failed to decode claims: %v", err) return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
} }
if claims.HostedDomain != c.hostedDomain {
return identity, fmt.Errorf("oidc: unexpected hd claim %v", claims.HostedDomain)
}
identity = connector.Identity{ identity = connector.Identity{
UserID: idToken.Subject, UserID: idToken.Subject,
Username: claims.Username, Username: claims.Username,
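Review bot: The new `hd` comparison rejects every token that carries an hd claim whenever hostedDomain is left unset, because `claims.HostedDomain != c.hostedDomain` then compares a non-empty claim against "", so accounts that belong to any hosted domain can no longer log in through a connector that did not opt into the restriction. The guard should only apply when the option is configured: `if c.hostedDomain != "" && claims.HostedDomain != c.hostedDomain {`. Checking the claim from the verified ID token, rather than relying on the `hd` parameter sent in LoginURL, is the right place for this, and a short comment such as `// hd is only enforced when configured; the URL parameter alone is advisory and must not be trusted` would make that intent clear to the next reader. HandleCallback's body begins and ends outside this hunk.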