feat: oidc provider claims config option #753
950ffe3
to
0846eda
Compare
Thanks for your contribution 😉
I think it would be better to have the requested_claims as a JSON object. Is there some way to validate them further or are they proprietary?
The spec defines that on the top level can only be a
Example claims request:
If it is possible to define this in the schema without concrete key names then this should be possible.
Right, JSON schema can get a bit complicated. Here is my take:

```json
{
  "additionalProperties": false,
  "patternProperties": {
    "^userinfo$|^id_token$": {
      "type": "object",
      "additionalProperties": false,
      "patternProperties": {
        ".*": {
          "oneOf": [
            {
              "const": null,
              "description": "Indicates that this Claim is being requested in the default manner"
            },
            {
              "allOf": [
                {
                  "propertyNames": {
                    "$comment": "This is to implement 'additionalProperties: false'",
                    "enum": [
                      "essential",
                      "value",
                      "values"
                    ]
                  }
                },
                {
                  "properties": {
                    "essential": {
                      "description": "Indicates whether the Claim being requested is an Essential Claim",
                      "type": "boolean"
                    }
                  }
                },
                {
                  "$comment": "Although not required by the spec, it makes no sense to allow both at the same time",
                  "not": {
                    "required": ["value", "values"]
                  },
                  "properties": {
                    "value": {
                      "description": "Requests that the Claim be returned with a particular value",
                      "$comment": "There seem to be no constraints on value"
                    },
                    "values": {
                      "description": "Requests that the Claim be returned with one of a set of values, with the values appearing in order of preference",
                      "type": "array",
                      "items": {
                        "$comment": "There seem to be no constraints on individual items"
                      }
                    }
                  }
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Maybe you can check if it works as expected by adding schema tests for it 😉
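As an added example (not code from this pull request or from the project), here are the rules the schema in the comment above is meant to enforce, written as a stand-alone Go check: only `userinfo` and `id_token` at the top level, each claim either `null` or an object limited to `essential`, `value` and `values`, and never both `value` and `values`. The function name `validateClaimsRequest` and the sample input are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// validateClaimsRequest is a hypothetical helper (not the project's code) that
// applies the rules from this thread to a raw OIDC "claims" request object.
func validateClaimsRequest(raw []byte) error {
	var top map[string]map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil || top == nil {
		return fmt.Errorf("claims request must be a JSON object of objects")
	}
	for section, claims := range top {
		if (section != "userinfo" && section != "id_token") || claims == nil {
			return fmt.Errorf("%q is not an allowed, non-null top-level member", section)
		}
		for name, spec := range claims {
			if string(spec) == "null" {
				continue // claim requested in the default manner
			}
			var m map[string]json.RawMessage
			if err := json.Unmarshal(spec, &m); err != nil {
				return fmt.Errorf("%s.%s must be null or an object", section, name)
			}
			for k, v := range m {
				switch s := string(v); {
				case k == "essential" && s != "true" && s != "false":
					return fmt.Errorf("%s.%s.essential must be a boolean", section, name)
				case k == "values" && !strings.HasPrefix(s, "["):
					return fmt.Errorf("%s.%s.values must be an array", section, name)
				case k != "essential" && k != "value" && k != "values":
					return fmt.Errorf("%s.%s: unknown member %q", section, name, k)
				}
			}
			// Stricter than the spec, as proposed in the thread: value XOR values.
			if len(m["value"]) > 0 && len(m["values"]) > 0 {
				return fmt.Errorf("%s.%s sets both value and values", section, name)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample input, not taken from the pull request.
	fmt.Println(validateClaimsRequest([]byte(`{"id_token":{"email":{"essential":true}},"userinfo":{"name":null}}`)))
}
```
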
When #757 is merged and you rebase, there should also be no timeout any more in the CI
When everything passes, this looks good to me 👍
5b54885
to
a38a55b
Compare
Awesome 🎉 Thank you for your contribution!
Related issue
#735
@aeneasr
Proposed changes
Adds an option to oidc providers to request specific openid claims on an authorization request