Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding oidc email scope check #1610

Merged
merged 1 commit into from
Jan 6, 2020
Merged

Adding oidc email scope check #1610

merged 1 commit into from
Jan 6, 2020

Conversation

nabokihms
Copy link
Member

This helps to avoid "no email claim" error if the email scope was not specified.

Signed-off-by: m.nabokikh maksim.nabokikh@flant.com

Closes #1598

@nabokihms nabokihms force-pushed the oidc-email-scope-check branch from 32038d8 to 45bc3be Compare December 27, 2019 22:04
sagikazarmark
sagikazarmark requested changes Dec 27, 2019
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, only a few suggestions

connector/oidc/oidc.go Outdated
EmailVerified: emailVerified,
ConnectorData: connData,
}
if email != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is not necessary because of default values.

connector/oidc/oidc.go Outdated Show resolved Hide resolved
connector/oidc/oidc.go Outdated
@@ -302,10 +315,12 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
identity = connector.Identity{
UserID: idToken.Subject,
Username: name,
Email: email,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would revert this, because it doesn't change behavior at all.

@sagikazarmark
Copy link
Member

Further thinking about this: email claim will only be included in the returned token if email scope is requested. Given this wasn't the behavior before, one could interpret this as a breaking change. I'm not sure what the standard says about returning non-requested fields, but if nothing, then we should probably continue returning those fields in case the underlying provider returns them.

@nabokihms nabokihms force-pushed the oidc-email-scope-check branch from 7f049f0 to cbed29a Compare December 28, 2019 07:04
@nabokihms
Copy link
Member Author

Yep, it has sense. I will change the behavior according to your thoughts.

@nabokihms nabokihms force-pushed the oidc-email-scope-check branch 3 times, most recently from b03ed83 to c4ebee2 Compare December 28, 2019 08:19
sagikazarmark
sagikazarmark requested changes Dec 28, 2019
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few more nits

connector/oidc/oidc.go Outdated
@@ -262,15 +262,28 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
if !found {
return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
}

emailInScopes := func() bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about:

	hasEmailScope := false

	for _, s := range c.oauth2Config.Scopes {
		if s == "email" {
			hasEmailScope = true

			break
		}
	}

Feels a bit cleaner and more readable

connector/oidc/oidc.go Outdated
email, found := claims["email"].(string)
if !found {
return identity, errors.New("missing \"email\" claim")
if emailInScopes {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could merge these two ifs. The default value of email is an empty string because of the type.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, you are right. Fixed.

@nabokihms
Adding oidc email scope check
383c2fe 
This helps to avoid "no email claim" error if email scope was not specified.

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
@nabokihms nabokihms force-pushed the oidc-email-scope-check branch from c4ebee2 to 383c2fe Compare December 28, 2019 11:28
sagikazarmark
sagikazarmark approved these changes Jan 6, 2020
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @nabokihms

bonifaido
bonifaido approved these changes Jan 6, 2020
View reviewed changes
Copy link
Member

@bonifaido bonifaido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@bonifaido bonifaido merged commit 3cbba11 into dexidp:master Jan 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sagikazarmark sagikazarmark sagikazarmark approved these changes

@bonifaido bonifaido bonifaido approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Failed to authenticate: missing "email" claim
3 participants
@nabokihms @sagikazarmark @bonifaido