3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-30 06:51:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

identity: only assign access_type uri params to google. (#2782)

Browse source 
* identity: only assign `access_type` uri params to google.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* bump upgrading

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
bobby 2021-11-28 19:01:34 -08:00 committed by GitHub
parent cce70afe98
commit 1a7c5415e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
docs/docs/upgrading.md
View file

@ -7,6 +7,10 @@ description: >-
# Since 0.15.0 # Since 0.15.0
### OIDC flow no longer sets default uri params
Previously, Pomerium would default to setting the uri param `access_type` to `offline` for all OpenID Connect based identity providers. However, using uri params to get ensure offline access (e.g. `refresh_tokens` used to keep user's sessions alive) [is unique to Google](https://developers.google.com/identity/protocols/oauth2/web-server#offline). Those query params will now only be set for Google. Other OIDC based IdP's should continue to work using [OIDC's](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) `offline_access` scope.
### Removed options ### Removed options
The deprecated `headers` option has been removed. Use [`set_response_headers`](/reference/readme.md#set-response-headers) instead. The deprecated `headers` option has been removed. Use [`set_response_headers`](/reference/readme.md#set-response-headers) instead.

11
internal/identity/oidc/google/google.go
View file

@ -23,8 +23,15 @@ const (
var defaultScopes = []string{oidc.ScopeOpenID, "profile", "email"} var defaultScopes = []string{oidc.ScopeOpenID, "profile", "email"}
// https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters // unlike other identity providers, google does not support the `offline_access` scope and instead
var defaultAuthCodeOptions = map[string]string{"prompt": "select_account consent"} // requires we set this on a custom uri param. Also, ` prompt` must be set to `consent`to ensure
// that our application always receives a refresh token (ask google). And finally, we default to
// having the user select which Google account they'd like to use.
//
// For more details, please see google's documentation:
// https://developers.google.com/identity/protocols/oauth2/web-server#offline
// https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
var defaultAuthCodeOptions = map[string]string{"prompt": "select_account consent", "access_type": "offline"}
// Provider is a Google implementation of the Authenticator interface. // Provider is a Google implementation of the Authenticator interface.
type Provider struct { type Provider struct {

2
internal/identity/oidc/oidc.go
View file

@ -27,7 +27,7 @@ const Name = "oidc"
var defaultScopes = []string{go_oidc.ScopeOpenID, "profile", "email", "offline_access"} var defaultScopes = []string{go_oidc.ScopeOpenID, "profile", "email", "offline_access"}
var defaultAuthCodeOptions = []oauth2.AuthCodeOption{oauth2.AccessTypeOffline} var defaultAuthCodeOptions = []oauth2.AuthCodeOption{}
// Provider provides a standard, OpenID Connect implementation // Provider provides a standard, OpenID Connect implementation
// of an authorization identity provider. // of an authorization identity provider.