Google hosted domain support #974
|
@@ -33,6 +33,9 @@ type Config struct { | |
|
||
Scopes []string `json:"scopes"` // defaults to "profile" and "email" | ||
|
||
// Optional list of whitelisted domains when using Google | ||
// If this field is nonempty, only users from a listed domain will be allowed to log in | ||
HostedDomains []string `json:"hostedDomain"` | ||
} | ||
|
||
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal | ||
|
@@ -110,8 +113,9 @@ func (c *Config) Open(logger logrus.FieldLogger) (conn connector.Connector, err | |
verifier: provider.Verifier( | ||
&oidc.Config{ClientID: clientID}, | ||
), | ||
logger: logger, | ||
cancel: cancel, | ||
logger: logger, | ||
cancel: cancel, | ||
hostedDomains: c.HostedDomains, | ||
}, nil | ||
} | ||
|
||
|
@@ -121,12 +125,13 @@ var ( | |
) | ||
|
||
type oidcConnector struct { | ||
redirectURI string | ||
oauth2Config *oauth2.Config | ||
verifier *oidc.IDTokenVerifier | ||
ctx context.Context | ||
cancel context.CancelFunc | ||
logger logrus.FieldLogger | ||
redirectURI string | ||
oauth2Config *oauth2.Config | ||
verifier *oidc.IDTokenVerifier | ||
ctx context.Context | ||
cancel context.CancelFunc | ||
logger logrus.FieldLogger | ||
hostedDomains []string | ||
} | ||
|
||
func (c *oidcConnector) Close() error { | ||
|
@@ -138,6 +143,14 @@ func (c *oidcConnector) LoginURL(s connector.Scopes, callbackURL, state string) | |
if c.redirectURI != callbackURL { | ||
return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI) | ||
} | ||
|
||
if len(c.hostedDomains) > 0 { | ||
preferredDomain := c.hostedDomains[0] | ||
if len(c.hostedDomains) > 1 { | ||
preferredDomain = "*" | ||
} | ||
return c.oauth2Config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", preferredDomain)), nil | ||
} | ||
return c.oauth2Config.AuthCodeURL(state), nil | ||
} | ||
|
||
|
@@ -176,11 +189,26 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide | |
Username string `json:"name"` | ||
Email string `json:"email"` | ||
EmailVerified bool `json:"email_verified"` | ||
HostedDomain string `json:"hd"` | ||
} | ||
if err := idToken.Claims(&claims); err != nil { | ||
return identity, fmt.Errorf("oidc: failed to decode claims: %v", err) | ||
} | ||
|
||
if len(c.hostedDomains) > 0 { | ||
found := false | ||
for _, domain := range c.hostedDomains { | ||
if claims.HostedDomain != domain { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. shouldn't it be |
||
found = true | ||
break | ||
} | ||
} | ||
|
||
if !found { | ||
return identity, fmt.Errorf("oidc: unexpected hd claim %v", claims.HostedDomain) | ||
} | ||
} | ||
|
||
identity = connector.Identity{ | ||
UserID: idToken.Subject, | ||
Username: claims.Username, | ||
|
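Review bot: The `hd` value built in LoginURL's `len(c.hostedDomains) > 0` branch only hints to the provider which account to offer at sign-in; it is not an authorization boundary, so the whole domain restriction rests on the hd claim comparison in HandleCallback later in this file. A comment making that dependency explicit would keep a later edit from treating the request parameter as the check, e.g. `// hd only pre-selects the account on the provider's login screen; the actual restriction is the hd claim check in HandleCallback.` The Config comment in the first hunk says the list applies "when using Google", yet the parameter is sent and the claim required for whatever issuer the connector is configured with, so with an issuer that never sets hd a non-empty list rejects every login — worth stating next to the HostedDomains field as well. LoginURL's signature and the rest of HandleCallback sit outside the hunks shown.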
|
@@ -61,6 +61,7 @@ connectors: | |
# clientID: $GOOGLE_CLIENT_ID | ||
# clientSecret: $GOOGLE_CLIENT_SECRET | ||
# redirectURI: http://127.0.0.1:5556/dex/callback | ||
# hostedDomain: $GOOGLE_HOSTED_DOMAIN | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm afraid this doesn't match the code. If I understand it correctly, it should be:
|
||
|
||
# Let dex keep a list of passwords which can be used to login to dex. | ||
enablePasswordDB: true | ||
|
should be
json:"hostedDomains"
(domains)