diff --git a/Documentation/connectors/oidc.md b/Documentation/connectors/oidc.md
index 7db2926bfe..d58789ff01 100644
--- a/Documentation/connectors/oidc.md
+++ b/Documentation/connectors/oidc.md
@@ -61,6 +61,13 @@ connectors:
 # This can be overridden with the below option
 # insecureSkipEmailVerified: true
 
+ # Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed
+ # meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector
+ # doesn't allow groups claims. If you are okay with having potentially stale group claims you can use
+ # this option to enable groups claims through the oidc connector on a per-connector basis.
+ # This can be overridden with the below option
+ # insecureEnableGroups: true
+
 # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
 # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
 # all the claims requested.
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index 3e405d8754..341e4e0aa5 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -42,6 +42,9 @@ type Config struct {
 // Override the value of email_verifed to true in the returned claims
 InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`
 
+ // InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
+ InsecureEnableGroups bool `json:"insecureEnableGroups"`
+
 // GetUserInfo uses the userinfo endpoint to get additional claims for
 // the token. This is especially useful where upstreams return "thin"
 // id tokens
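Review bot: The doc comment on `InsecureEnableGroups` says the option is off pending an issue but not what makes it insecure, and that is the fact an operator reading the struct (or docs generated from it) needs before turning it on. The commit's own YAML text gives the reason: groups are read only when the ID token is issued, so a group removal upstream is not seen until the user re-authenticates. Suggest `// InsecureEnableGroups enables the "groups" claim. Group membership is read only when the ID token is issued, so upstream group removals are not reflected until the user re-authenticates; treat group-based authorization as potentially stale. Disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved.` The Config struct continues outside the hunk.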
@@ -139,6 +142,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 cancel: cancel,
 hostedDomains: c.HostedDomains,
 insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
+ insecureEnableGroups: c.InsecureEnableGroups,
 getUserInfo: c.GetUserInfo,
 userIDKey: c.UserIDKey,
 userNameKey: c.UserNameKey,
@@ -159,6 +163,7 @@ type oidcConnector struct {
 logger log.Logger
 hostedDomains []string
 insecureSkipEmailVerified bool
+ insecureEnableGroups bool
 getUserInfo bool
 userIDKey string
 userNameKey string
@@ -321,5 +326,18 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 identity.UserID = userID
 }
 
+ if c.insecureEnableGroups {
+ vs, ok := claims["groups"].([]interface{})
+ if ok {
+ for _, v := range vs {
+ if s, ok := v.(string); ok {
+ identity.Groups = append(identity.Groups, s)
+ } else {
+ return identity, errors.New("malformed \"groups\" claim")
+ }
+ }
+ }
+ }
+
 return identity, nil
 }
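Review bot: A `groups` claim that is present but not a JSON array is silently dropped by the `ok` check on `vs, ok := claims["groups"].([]interface{})`, while a non-string element inside an array is rejected with `malformed "groups" claim`, so the two malformed shapes get inconsistent treatment and an IdP that emits groups as a single string yields an identity with no groups and no error. Rejecting any present, non-nil value that is not an array keeps the failure visible, as sketched below; a JSON `null` would still count as no groups. Separately, the loop appends to the `identity` that createIdentity receives as a parameter (see the hunk header), so if any caller hands in an identity that already carries groups the memberships accumulate across calls — assigning a freshly built slice would avoid that, but confirm against the callers, which are outside this hunk. The start of createIdentity is also outside the hunk, and `errors.New` is used without the diff adding an import, so `errors` is presumably already imported in this file.
```go
	if c.insecureEnableGroups {
		// Absent or null: no groups. Present but not an array: reject, same as a non-string element.
		raw, present := claims["groups"]
		if present && raw != nil {
			vs, ok := raw.([]interface{})
			if !ok {
				return identity, errors.New("malformed \"groups\" claim")
			}
			for _, v := range vs {
				s, ok := v.(string)
				if !ok {
					return identity, errors.New("malformed \"groups\" claim")
				}
				identity.Groups = append(identity.Groups, s)
			}
		}
	}
	// … unchanged: return identity, nil …
```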