identity: support oidc UserInfo Response (#529)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-06-04 03:42:49 +02:00 · 2020-03-12 20:56:40 -07:00 · 2020-03-12 20:56:40 -07:00 · 6f4b26abe2
commit 6f4b26abe2
parent 8d1732582e
9 changed files with 33 additions and 15 deletions
--- a/internal/identity/google.go
+++ b/internal/identity/google.go
@ -8,7 +8,7 @@ import (
 	"net/http"
 	"net/url"

-	oidc "github.com/pomerium/go-oidc"
+	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	admin "google.golang.org/api/admin/directory/v1"
--- a/internal/identity/microsoft.go
+++ b/internal/identity/microsoft.go
@ -8,7 +8,7 @@ import (
 	"net/url"
 	"time"

-	oidc "github.com/pomerium/go-oidc"
+	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"

 	"github.com/pomerium/pomerium/internal/httputil"
--- a/internal/identity/oidc.go
+++ b/internal/identity/oidc.go
@ -3,7 +3,7 @@ package identity // import "github.com/pomerium/pomerium/internal/identity"
 import (
 	"context"

-	oidc "github.com/pomerium/go-oidc"
+	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"
 )

--- a/internal/identity/okta.go
+++ b/internal/identity/okta.go
@ -6,7 +6,7 @@ import (
 	"net/http"
 	"net/url"

-	oidc "github.com/pomerium/go-oidc"
+	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"

 	"github.com/pomerium/pomerium/internal/httputil"
--- a/internal/identity/onelogin.go
+++ b/internal/identity/onelogin.go
@ -8,7 +8,7 @@ import (
 	"net/url"
 	"time"

-	oidc "github.com/pomerium/go-oidc"
+	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"

 	"github.com/pomerium/pomerium/internal/httputil"
--- a/internal/identity/providers.go
+++ b/internal/identity/providers.go
@ -10,7 +10,7 @@ import (

 	"github.com/pomerium/pomerium/internal/sessions"

-	oidc "github.com/pomerium/go-oidc"
+	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"
 )

@ -81,6 +81,8 @@ type Provider struct {

 	UserGroupFn func(context.Context, *sessions.State) ([]string, error)

+	UserInfoEndpoint bool
+
 	// ServiceAccount can be set for those providers that require additional
 	// credentials or tokens to do follow up API calls (e.g. Google)
 	ServiceAccount string
@ -117,6 +119,24 @@ func (p *Provider) Authenticate(ctx context.Context, code string) (*sessions.Sta
 	if err != nil {
 		return nil, err
 	}
+
+	// check if provider has info endpoint, try to hit that and gather more info
+	// especially useful if initial request did not an contain email, or subject
+	// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+	var claims struct {
+		UserInfoURL string `json:"userinfo_endpoint"`
+	}
+
+	if err := p.provider.Claims(&claims); err == nil && claims.UserInfoURL != "" {
+		userInfo, err := p.provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
+		if err != nil {
+			return nil, fmt.Errorf("internal/identity: could not retrieve user info %w", err)
+		}
+		if err := userInfo.Claims(&s); err != nil {
+			return nil, err
+		}
+	}
+
 	if p.UserGroupFn != nil {
 		s.Groups, err = p.UserGroupFn(ctx, s)
 		if err != nil {
--- a/internal/sessions/state.go
+++ b/internal/sessions/state.go
@ -7,8 +7,8 @@ import (
 	"time"

 	"github.com/cespare/xxhash/v2"
+	oidc "github.com/coreos/go-oidc"
 	"github.com/mitchellh/hashstructure"
-	oidc "github.com/pomerium/go-oidc"
 	"golang.org/x/oauth2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )