Merge pull request #1433 from jacksontj/userinfo

Add option in oidc to hit the optional userinfo endpoint

Merge pull request #1433 from jacksontj/userinfo
59560c99 · Eric Chiang · GitHub · cd3c6983 · 52d09a2d · 59560c99
Unverified Commit 59560c99 authored 5 years ago by Eric Chiang Committed by GitHub 5 years ago
--- a/Documentation/connectors/oidc.md
+++ b/Documentation/connectors/oidc.md
@@ -60,6 +60,12 @@ connectors:
    # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
    # This can be overridden with the below option
    # insecureSkipEmailVerified: true 
+
+    # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
+    # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
+    # all the claims requested.
+    # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+    # getUserInfo: true
 ```

 [oidc-doc]: openid-connect.md

--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -39,6 +39,11 @@ type Config struct {

 	// Override the value of email_verifed to true in the returned claims
 	InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
+
+	// GetUserInfo uses the userinfo endpoint to get additional claims for
+	// the token. This is especially useful where upstreams return "thin"
+	// id tokens
+	GetUserInfo bool `json:"getUserInfo"`
 }

 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@@ -105,6 +110,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e

 	clientID := c.ClientID
 	return &oidcConnector{
+		provider:    provider,
 		redirectURI: c.RedirectURI,
 		oauth2Config: &oauth2.Config{
 			ClientID:     clientID,
@@ -120,6 +126,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		cancel:                    cancel,
 		hostedDomains:             c.HostedDomains,
 		insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
+		getUserInfo:               c.GetUserInfo,
 	}, nil
 }

@@ -129,6 +136,7 @@ var (
 )

 type oidcConnector struct {
+	provider                  *oidc.Provider
 	redirectURI               string
 	oauth2Config              *oauth2.Config
 	verifier                  *oidc.IDTokenVerifier
@@ -137,6 +145,7 @@ type oidcConnector struct {
 	logger                    log.Logger
 	hostedDomains             []string
 	insecureSkipEmailVerified bool
+	getUserInfo               bool
 }

 func (c *oidcConnector) Close() error {
@@ -219,6 +228,16 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide

 	}

+	if c.getUserInfo {
+		userInfo, err := c.provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token))
+		if err != nil {
+			return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)
+		}
+		if err := userInfo.Claims(&claims); err != nil {
+			return identity, fmt.Errorf("oidc: failed to decode userinfo claims: %v", err)
+		}
+	}
+
 	identity = connector.Identity{
 		UserID:        idToken.Subject,
 		Username:      claims.Username,