Try to get email from UserInfo before giving up

[aigarius]

Some OIDC providers do not include email in the default IDToken information. In such cases email would need to be requested separately, either via UserInfo interface or via Remote Claims.

Expected Behavior

To get email in providers/oidc.go:createSessionState check ID token first, if email is not there, request UserInfo and check there, if not there then try resolving a claim for "email"

Current Behavior

If email field is not included in the ID token, then authentication just stops with "id_token did not contain an email"

[aigarius]

There might be situations where email is not provided at all (it is not mandatory), in that case it would be useful to default to the value of "sub" in the ID Token.

[JoelSpeed]

This would be a sensible improvement to make but is probably a fairly substantial change, gonna leave this as help-wanted for now and see if anyone picks it up. If not I might have some time in the not too distant future

[mikemucc]

So this appears to be working in the current version of oauth2_proxy. I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.

Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?

[JoelSpeed]

I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.

Can you tell me which provider you use?

Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?

I don't think we should be implementing case insensitivity when reading from IDTokens. OIDC tokens and userinfo endpoints encode data in JSON which is case sensitive. The OIDC Spec also lists the fields and their standard names that any provider should be using. I'd prefer not to have special logic for individual providers who are mis-implementing OIDC in the main codebase if possible.

[mikemucc]

@JoelSpeed It's an "internal" supposedly Open ID compliant system.

I asked the people responsible for the setup, and there wasn't necessarily a reason that they set it up that way, they just did (and apparently didn't understand the whole Open ID spec and weren't thinking)... I had them add the email key (lowercase) to get us in compliance.

I wouldn't be asking for anything from the IDTokens to be changed, I agree wholeheartedly that nothing should be touched there.

Email from the userinfo endpoint was the only field I was even suggesting be case insensitive, and I totally understand why you wouldn't want to do that.

That said, a method to override a keyname like email to something like eMail might add some flexibility for people like me who encounter brain dead corporate setups (though I understand that it would be a low priority).

[grimmy]

I'm trying to use jetbrains hub and I'm getting the Error redeeming code during OAuth2 callback: unable to update session: id_token did not contain an email error.

I'm willing to do the work to get this fixed, I'm just not sure exactly what you all would be looking for here so some pointers would be cool.

[grimmy]

Actually I found a work around by providing the --profile-url command line argument. For some reason I was assuming that there would be some auto configuration magic with .well-known/openid-configuration but whatever, I've got it working now ;)

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.