/
oidc.go
45 lines (37 loc) · 1.24 KB
/
oidc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
package handlers
import (
oauthelia2 "authelia.com/provider/oauth2"
"github.com/authelia/authelia/v4/internal/model"
"github.com/authelia/authelia/v4/internal/oidc"
"github.com/authelia/authelia/v4/internal/session"
)
func oidcGrantRequests(ar oauthelia2.AuthorizeRequester, consent *model.OAuth2ConsentSession, userSession *session.UserSession) (extraClaims map[string]any) {
extraClaims = map[string]any{}
for _, scope := range consent.GrantedScopes {
if ar != nil {
ar.GrantScope(scope)
}
switch scope {
case oidc.ScopeGroups:
extraClaims[oidc.ClaimGroups] = userSession.Groups
case oidc.ScopeProfile:
extraClaims[oidc.ClaimPreferredUsername] = userSession.Username
extraClaims[oidc.ClaimFullName] = userSession.DisplayName
case oidc.ScopeEmail:
if len(userSession.Emails) != 0 {
extraClaims[oidc.ClaimPreferredEmail] = userSession.Emails[0]
if len(userSession.Emails) > 1 {
extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]
}
// TODO (james-d-elliott): actually verify emails and record that information.
extraClaims[oidc.ClaimEmailVerified] = true
}
}
}
if ar != nil {
for _, audience := range consent.GrantedAudience {
ar.GrantAudience(audience)
}
}
return extraClaims
}