Support username, email and groups claim in OIDC connector #1634
Conversation
|
Thanks for the PR @xtremerui ! What's the reason behind letting the user change the claim for |
|
Thx for reviewing @sagikazarmark !
Since in OIDC spec |
|
Yeah, but |
|
Sure, I think that is reasonable. The PR is updated accordingly. From our end as long as there is a way for OIDC connector to return both |
|
I think there is a misunderstanding: |
|
@sagikazarmark the upstream provider might not support the "preferred_username" claim (dex itself only added support recently). So while I agree that the default should be "preferred_username", having it configureable is still valuable. |
|
@sagikazarmark @jwntrs @xtremerui - Can I try to help resolve this issue here? 😄 The problem is not that the name of the I can understand fully why the Dex maintainers would have an issue with changing the name of the However, I propose that there is an alternative solution that keeps the name of the In fact, this is basically what I did in my (already merged) PR at #1684 for the Atlassian Crowd connector. By default it would not supply a It'd be nice if we could drag this PR out of the current stalemate. 😄 👍 |
|
@mvdkleijn yup I totally agree with your assessment. I had to re-check the code, because I thought this was how it was implemented, but it looks like the original behaviour changed in that second commit. I've stepped away from the project using dex, but maybe @xtremerui could update this PR. |
xtremerui
force-pushed
the
pr/oidc-username-key-sync
branch
2 times, most recently
from
1635d22
to
f7be9db
Compare
|
I have added tests for this @mvdkleijn . Thank you for the suggestion.
|
xtremerui
force-pushed
the
pr/oidc-username-key-sync
branch
from
988553a
to
255312e
Compare
|
@mvdkleijn thanks for the suggestion. I think it makes sense. So in short: if there is a I think that sounds acceptable, so if @xtremerui updates the PR accordingly, I'd be happy to review it again. |
|
@sagikazarmark That is 100% correct. I see that @xtremerui made most of the changes... the claim key's to use instead of However, the connector is not checking if In pseudocode, I'd expect something like if @xtremerui wouldn't mind making that change, I think we can basically wrap this up. (apologies for any typos, I'm writing from my phone) |
|
By the way @xtremerui ... all my comments here with regards to your use of preferred_username also apply to your oauth PR #1630 I believe |
xtremerui
force-pushed
the
pr/oidc-username-key-sync
branch
from
255312e
to
6a3be20
Compare
|
Thanks @xtremerui ! LGTM @sagikazarmark Your turn 😄 |
|
Please see #1777 |
Signed-off-by: Josh Winters <[email protected]> Co-authored-by: Mark Huang <[email protected]> Signed-off-by: Rui Yang <[email protected]>
Signed-off-by: Rui Yang <[email protected]>
Signed-off-by: Rui Yang <[email protected]>
Signed-off-by: Rui Yang <[email protected]> Signed-off-by: Rui Yang <[email protected]>
Signed-off-by: Rui Yang <[email protected]>
The groupsClaimMapping setting allows one to specify which claim to pull group information from the OIDC provider. Previously it assumed group information was always in the "groups" claim, but that isn't the case for many OIDC providers (such as AWS Cognito using the "cognito:groups" claim instead) Signed-off-by: Scott Lemmon <[email protected]> Signed-off-by: Rui Yang <[email protected]>
add tests for groups key mapping Signed-off-by: Rui Yang <[email protected]>
xtremerui
force-pushed
the
pr/oidc-username-key-sync
branch
from
c48b882
to
41207ba
Compare
|
@sagikazarmark the PR is updated following the discussion in #1777 . |
|
@sagikazarmark Is anything still required for this apart from a review and merge? |
|
|
Documentation/connectors/oidc.md
Outdated
| # Some providers return no standard claim that is different to | ||
| # claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims | ||
| # Use claimMapping to specify custom claim names |
There was a problem hiding this comment.
| # Some providers return no standard claim that is different to | |
| # claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims | |
| # Use claimMapping to specify custom claim names | |
| # Some providers return non-standard claims (eg. mail). | |
| # Use claimMapping to map those claims to standard claims: | |
| # https://openid.net/specs/openid-connect-core-1_0.html#Claims | |
| # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token. |
connector/oidc/oidc.go
Outdated
| if !found && hasEmailScope { | ||
| return identity, errors.New("missing \"email\" claim") | ||
| return identity, fmt.Errorf("missing \"%s\" claim", emailKey) |
There was a problem hiding this comment.
This error message won't tell the user that it's related to the email scope being set. Also, the original issue is still true: the email claim is missing as well.
I would probably leave email here and maybe mention the alias/mapping key as well.
Documentation/connectors/oidc.md
Outdated
| # The set claim is used as user id. | ||
| # Default: sub | ||
| # user_id: nickname | ||
|
|
||
| # The set claim is used as user name. | ||
| # Default: name | ||
| # user_name: nickname |
There was a problem hiding this comment.
UserID and Username are not actually claims, so I'm not sure we should include them here.
|
@xtremerui can you take a look at the requested changes? I think it's time that we get this merged, it only needs a few final touches. |
Signed-off-by: Rui Yang <[email protected]>
|
@sagikazarmark done! Thx for waiting, it was long weekend last week and I took days off as well. |
There was a problem hiding this comment.
@xtremerui thanks a lot. I think you missed a few things though (or I wasn't entirely clear): I would keep the user id and username keys as they are, since they are not claims at all. We can always move them under claim mapping later if we think it's the right place, but for now it just seems logically wrong.
Thanks!
connector/oidc/oidc.go
Outdated
| // Configurable key which contains the user id claim | ||
| UserIDKey string `json:"user_id"` // defaults to "sub" | ||
|
|
||
| // Configurable key which contains the username claim | ||
| UserNameKey string `json:"user_name"` // defaults to "name" |
There was a problem hiding this comment.
I guess these shouldn't be here either.
Documentation/connectors/oidc.md
Outdated
| # The set claim is used as user id. | ||
| # Default: sub | ||
| # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims | ||
| # | ||
| # userIDKey: nickname | ||
|
|
||
| # The set claim is used as user name. | ||
| # Default: name | ||
| # userNameKey: nickname | ||
|
|
There was a problem hiding this comment.
These should be added back as these are valid options, but not claims.
connector/oidc/oidc.go
Outdated
| // Deprecated: use UserIDKey in claimMapping instead | ||
| UserIDKey string `json:"userIDKey"` | ||
|
|
||
| // Configurable key which contains the user name claim | ||
| // Deprecated: use UserNameKey in claimMapping instead |
There was a problem hiding this comment.
These shouldn't be deprecated.
Signed-off-by: Rui Yang <[email protected]>
|
That makes sense. It will make this PR more clean. I have reverted the changes for user id and user name. |
sagikazarmark
changed the title
|
Yay! Done! 😄 |
The official docker release for this release can be pulled from
dexidp/dex:v2.25.0
**Features:**
- Move the API package to a separate module (dexidp#1741, @sagikazarmark)
- OAuth2 Device Authorization Grant (dexidp#1706, @justin-slowik)
- Support username, email and groups claim in OIDC connector (dexidp#1634, @xtremerui)
**Bugfixes:**
- Add offline_access scope in microsoft connector, if required (dexidp#1441, @jimmythedog)
- Allow the google connector to work without a service account (dexidp#1720, @candlerb)
**Minor changes:**
- Remove vendor (finally) (dexidp#1745, @sagikazarmark)
- Fix the LDAP example (dexidp#1762, @heidemn-faro)
- Relocate the example app (dexidp#1764, @sagikazarmark)
The official docker release for this release can be pulled from
dexidp/dex:v2.25.0
**Features:**
- Move the API package to a separate module (dexidp#1741, @sagikazarmark)
- OAuth2 Device Authorization Grant (dexidp#1706, @justin-slowik)
- Support username, email and groups claim in OIDC connector (dexidp#1634, @xtremerui)
**Bugfixes:**
- Add offline_access scope in microsoft connector, if required (dexidp#1441, @jimmythedog)
- Allow the google connector to work without a service account (dexidp#1720, @candlerb)
**Minor changes:**
- Remove vendor (finally) (dexidp#1745, @sagikazarmark)
- Fix the LDAP example (dexidp#1762, @heidemn-faro)
- Relocate the example app (dexidp#1764, @sagikazarmark)
This PR leverage the
PreferredUsernameinIdentityfor OIDC connectordex/connector/connector.go
Line 28 in aca67b0
User can config
PreferredUsernameKeyto lookup a custom claim that has user handle. Noted that it is not the same asnameorpreferred_usernamestandard claims.Updated: implementes #1777