Support username, email and groups claim in OIDC connector #1634
Conversation
Thanks for the PR @xtremerui ! What's the reason behind letting the user change the claim for |
Thx for reviewing @sagikazarmark !
Since in OIDC spec |
Yeah, but |
Sure, I think that is reasonable. The PR is updated accordingly. From our end as long as there is a way for OIDC connector to return both |
I think there is a misunderstanding: |
@sagikazarmark the upstream provider might not support the "preferred_username" claim (dex itself only added support recently). So while I agree that the default should be "preferred_username", having it configurable is still valuable.
@sagikazarmark @jwntrs @xtremerui - Can I try to help resolve this issue here? 😄 The problem is not that the name of the I can understand fully why the Dex maintainers would have an issue with changing the name of the However, I propose that there is an alternative solution that keeps the name of the In fact, this is basically what I did in my (already merged) PR at #1684 for the Atlassian Crowd connector. By default it would not supply a It'd be nice if we could drag this PR out of the current stalemate. 😄 👍
@mvdkleijn yup I totally agree with your assessment. I had to re-check the code, because I thought this was how it was implemented, but it looks like the original behaviour changed in that second commit. I've stepped away from the project using dex, but maybe @xtremerui could update this PR.
I have added tests for this @mvdkleijn . Thank you for the suggestion.
@mvdkleijn thanks for the suggestion. I think it makes sense. So in short: if there is a I think that sounds acceptable, so if @xtremerui updates the PR accordingly, I'd be happy to review it again.
@sagikazarmark That is 100% correct. I see that @xtremerui made most of the changes... the claim key's to use instead of However, the connector is not checking if In pseudocode, I'd expect something like
if @xtremerui wouldn't mind making that change, I think we can basically wrap this up. (apologies for any typos, I'm writing from my phone)
By the way @xtremerui ... all my comments here with regards to your use of preferred_username also apply to your oauth PR #1630 I believe
Thanks @xtremerui ! LGTM @sagikazarmark Your turn 😄
Please see #1777
Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ryang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
The groupsClaimMapping setting allows one to specify which claim to pull group information from the OIDC provider. Previously it assumed group information was always in the "groups" claim, but that isn't the case for many OIDC providers (such as AWS Cognito using the "cognito:groups" claim instead) Signed-off-by: Scott Lemmon <slemmon@aurora.tech> Signed-off-by: Rui Yang <ruiya@vmware.com>
add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
@sagikazarmark the PR is updated following the discussion in #1777 .
@sagikazarmark Is anything still required for this apart from a review and merge?
Couple nits, but I think it's great!
Documentation/connectors/oidc.md
Outdated
# Some providers return no standard claim that is different to | ||
# claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims | ||
# Use claimMapping to specify custom claim names |
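Review bot: the first comment line in this region ("Some providers return no standard claim that is different to") does not parse as a sentence, and the block never states the precedence rule. Reword it to say that a claimMapping entry is only consulted when the standard claim is absent from the id_token, and show one concrete entry, for instance mapping groups to the "cognito:groups" claim cited in the commit message above, so readers see the expected shape of the mapping.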
# Some providers return no standard claim that is different to | |
# claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims | |
# Use claimMapping to specify custom claim names | |
# Some providers return non-standard claims (eg. mail). | |
# Use claimMapping to map those claims to standard claims: | |
# https://openid.net/specs/openid-connect-core-1_0.html#Claims | |
# claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token. |
connector/oidc/oidc.go
Outdated
if !found && hasEmailScope { | ||
return identity, errors.New("missing \"email\" claim") | ||
return identity, fmt.Errorf("missing \"%s\" claim", emailKey) |
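Review bot: the replacement error on the last line drops the hint that the failure stems from the requested email scope, and with `%s` an unset or empty emailKey renders as `missing "" claim`. Keep "email" in the message, quote the mapped key with `%q`, and say that the email scope was requested, e.g. `fmt.Errorf("missing \"email\" claim (mapped key %q) for requested email scope", emailKey)`.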
This error message won't tell the user that it's related to the email scope being set. Also, the original issue is still true: the email claim is missing as well.
I would probably leave email here and maybe mention the alias/mapping key as well.
Documentation/connectors/oidc.md
Outdated
# The set claim is used as user id. | ||
# Default: sub | ||
# user_id: nickname | ||
|
||
# The set claim is used as user name. | ||
# Default: name | ||
# user_name: nickname |
UserID and Username are not actually claims, so I'm not sure we should include them here.
@xtremerui can you take a look at the requested changes? I think it's time that we get this merged, it only needs a few final touches.
Signed-off-by: Rui Yang <ruiya@vmware.com>
@sagikazarmark done! Thx for waiting, it was long weekend last week and I took days off as well.
@xtremerui thanks a lot. I think you missed a few things though (or I wasn't entirely clear): I would keep the user id and username keys as they are, since they are not claims at all. We can always move them under claim mapping later if we think it's the right place, but for now it just seems logically wrong.
Thanks!
connector/oidc/oidc.go
Outdated
// Configurable key which contains the user id claim | ||
UserIDKey string `json:"user_id"` // defaults to "sub" | ||
|
||
// Configurable key which contains the username claim | ||
UserNameKey string `json:"user_name"` // defaults to "name" |
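Review bot: the JSON tags `user_id` and `user_name` on UserIDKey and UserNameKey do not match the `userIDKey` / `userNameKey` option names that the documentation and the existing struct field in this PR use, so a config written against the documented names would be silently ignored and the defaults ("sub", "name") applied. Keep the documented camelCase tags, or accept both spellings during a transition and document which one wins.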
I guess these shouldn't be here either.
Documentation/connectors/oidc.md
Outdated
# The set claim is used as user id. | ||
# Default: sub | ||
# Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims | ||
# | ||
# userIDKey: nickname | ||
|
||
# The set claim is used as user name. | ||
# Default: name | ||
# userNameKey: nickname | ||
|
These should be added back as these are valid options, but not claims.
connector/oidc/oidc.go
Outdated
// Deprecated: use UserIDKey in claimMapping instead | ||
UserIDKey string `json:"userIDKey"` | ||
|
||
// Configurable key which contains the user name claim | ||
// Deprecated: use UserNameKey in claimMapping instead |
These shouldn't be deprecated.
Signed-off-by: Rui Yang <ruiya@vmware.com>
That makes sense. It will make this PR more clean. I have reverted the changes for user id and user name.
Thanks a lot @xtremerui
Yay! Done! 😄
The official docker release for this release can be pulled from dexidp/dex:v2.25.0

**Features:**
- Move the API package to a separate module (dexidp#1741, @sagikazarmark)
- OAuth2 Device Authorization Grant (dexidp#1706, @justin-slowik)
- Support username, email and groups claim in OIDC connector (dexidp#1634, @xtremerui)

**Bugfixes:**
- Add offline_access scope in microsoft connector, if required (dexidp#1441, @jimmythedog)
- Allow the google connector to work without a service account (dexidp#1720, @candlerb)

**Minor changes:**
- Remove vendor (finally) (dexidp#1745, @sagikazarmark)
- Fix the LDAP example (dexidp#1762, @heidemn-faro)
- Relocate the example app (dexidp#1764, @sagikazarmark)
This PR leverages the `PreferredUsername` in `Identity` for the OIDC connector (dex/connector/connector.go, line 28 in aca67b0).

Users can configure `PreferredUsernameKey` to look up a custom claim that has the user handle. Note that it is not the same as the `name` or `preferred_username` standard claims.

Updated: implements #1777
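The fallback rule the thread converges on (standard claim first, the configured claimMapping key only when the id_token lacks the standard claim, and a missing email being an error only when the email scope was requested), written out as an added Go example that is not dex's own code: ClaimMapping, Identity, lookup and MapClaims are simplified stand-ins for the connector's types, and the claim names "handle", "mail" and "cognito:groups" are constructed sample values (the last one taken from the commit message above).

```go
package main
import "fmt"
// Added example (not dex's code): a configured non-standard claim key is consulted
// only when the id_token lacks the standard claim. Types are reduced stand-ins.
type ClaimMapping struct {
	PreferredUsernameKey string // fallback for "preferred_username", e.g. "handle"
	EmailKey             string // fallback for "email", e.g. "mail"
	GroupsKey            string // fallback for "groups", e.g. "cognito:groups"
}
type Identity struct {
	PreferredUsername string
	Email             string
	Groups            []string
}
// lookup returns the first candidate claim present; an empty (unset) key is skipped.
func lookup(claims map[string]interface{}, keys ...string) (interface{}, bool) {
	for _, k := range keys {
		if v, ok := claims[k]; ok && k != "" {
			return v, true
		}
	}
	return nil, false
}

// MapClaims builds the identity; a missing email is an error only when the email
// scope was requested, and the message names both the standard and mapped key.
func MapClaims(claims map[string]interface{}, m ClaimMapping, hasEmailScope bool) (Identity, error) {
	var id Identity
	if v, ok := lookup(claims, "preferred_username", m.PreferredUsernameKey); ok {
		id.PreferredUsername, _ = v.(string)
	}
	v, found := lookup(claims, "email", m.EmailKey)
	if !found && hasEmailScope {
		return id, fmt.Errorf("missing \"email\" claim (claimMapping email key %q) for requested email scope", m.EmailKey)
	}
	id.Email, _ = v.(string)
	if raw, ok := lookup(claims, "groups", m.GroupsKey); ok {
		list, _ := raw.([]interface{}) // groups arrive as a JSON array
		for _, g := range list {
			if s, ok := g.(string); ok {
				id.Groups = append(id.Groups, s)
			}
		}
	}
	return id, nil
}
func main() { // constructed Cognito-style token: only the mapped keys are present
	m := ClaimMapping{EmailKey: "mail", GroupsKey: "cognito:groups"}
	fmt.Println(MapClaims(map[string]interface{}{"mail": "a@example.com", "cognito:groups": []interface{}{"admins"}}, m, true))
}
```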