mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add option to OIDC connecter to override email_verified to true

pull/1417/head
Gerald Barker 7 years ago
parent
83a0326b88
commit
fc723af0fe
2 changed files with 25 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      Documentation/connectors/oidc.md
  2. 30
      connector/oidc/oidc.go

5
Documentation/connectors/oidc.md
Unescape View File

@ -55,6 +55,11 @@ connectors:
# - profile # - profile
# - email # - email
# - groups # - groups
# Some providers return claims without "email_verified", when they had no usage of emails verification in enrollement process
# or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
# This can be overridden with the below option
# insecureSkipEmailVerified: true
``` ```
[oidc-doc]: openid-connect.md [oidc-doc]: openid-connect.md

30
connector/oidc/oidc.go
Unescape View File

@ -36,6 +36,9 @@ type Config struct {
// Optional list of whitelisted domains when using Google // Optional list of whitelisted domains when using Google
// If this field is nonempty, only users from a listed domain will be allowed to log in // If this field is nonempty, only users from a listed domain will be allowed to log in
HostedDomains []string `json:"hostedDomains"` HostedDomains []string `json:"hostedDomains"`
// Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
} }
// Domains that don't support basic auth. golang.org/x/oauth2 has an internal // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@ -113,9 +116,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
verifier: provider.Verifier( verifier: provider.Verifier(
&oidc.Config{ClientID: clientID}, &oidc.Config{ClientID: clientID},
), ),
logger: logger, logger: logger,
cancel: cancel, cancel: cancel,
hostedDomains: c.HostedDomains, hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
}, nil }, nil
} }
@ -125,13 +129,14 @@ var (
) )
type oidcConnector struct { type oidcConnector struct {
redirectURI string redirectURI string
oauth2Config *oauth2.Config oauth2Config *oauth2.Config
verifier *oidc.IDTokenVerifier verifier *oidc.IDTokenVerifier
ctx context.Context ctx context.Context
cancel context.CancelFunc cancel context.CancelFunc
logger log.Logger logger log.Logger
hostedDomains []string hostedDomains []string
insecureSkipEmailVerified bool
} }
func (c *oidcConnector) Close() error { func (c *oidcConnector) Close() error {
@ -209,6 +214,11 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
} }
} }
if c.insecureSkipEmailVerified {
claims.EmailVerified = true
}
identity = connector.Identity{ identity = connector.Identity{
UserID: idToken.Subject, UserID: idToken.Subject,
Username: claims.Username, Username: claims.Username,

Write Preview
Loading…
Cancel
Save