identity: support oidc UserInfo Response (#529)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone 2020-03-12 20:56:40 -07:00 committed by GitHub
parent 8d1732582e
commit 6f4b26abe2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 33 additions and 15 deletions

View file

@ -10,7 +10,7 @@ import (
"github.com/pomerium/pomerium/internal/sessions"
oidc "github.com/pomerium/go-oidc"
oidc "github.com/coreos/go-oidc"
"golang.org/x/oauth2"
)
@ -81,6 +81,8 @@ type Provider struct {
UserGroupFn func(context.Context, *sessions.State) ([]string, error)
UserInfoEndpoint bool
// ServiceAccount can be set for those providers that require additional
// credentials or tokens to do follow up API calls (e.g. Google)
ServiceAccount string
@ -117,6 +119,24 @@ func (p *Provider) Authenticate(ctx context.Context, code string) (*sessions.Sta
if err != nil {
return nil, err
}
// check if provider has info endpoint, try to hit that and gather more info
// especially useful if initial request did not an contain email, or subject
// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
var claims struct {
UserInfoURL string `json:"userinfo_endpoint"`
}
if err := p.provider.Claims(&claims); err == nil && claims.UserInfoURL != "" {
userInfo, err := p.provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
if err != nil {
return nil, fmt.Errorf("internal/identity: could not retrieve user info %w", err)
}
if err := userInfo.Claims(&s); err != nil {
return nil, err
}
}
if p.UserGroupFn != nil {
s.Groups, err = p.UserGroupFn(ctx, s)
if err != nil {