feat/generic-oidc-claims: add the ability to set email and id_from_idp from separate OIDC claims in the generic OIDC idp #1153
Conversation
fence/resources/openid/idp_oauth2.py
Outdated
| self.logger.exception( | ||
| f"Can't get {field} from claims: {claims}" | ||
| ) | ||
| return {"error": f"Can't get {field} from claims"} |
There was a problem hiding this comment.
We shouldn't return an error if the email field is missing. The claims come from id_token. Throwing an error because we get an id_token would effectively require the email claim in the id_token. This would take fence out of spec with OIDC standard. See here https://openid.net/specs/openid-connect-core-1_0.html#IDToken
There was a problem hiding this comment.
I've reworked this, but the new version doesn't return an error if all the fields are missing, which probably isn't right either. I'm not sure what the right answer is - should I check if the requested fields are mandatory, or throw an error if the field requested for user_id_field doesn't exist but ignore the others?
fence/resources/openid/idp_oauth2.py
Outdated
| return {"error": f"Can't get {field} from claims"} | ||
|
|
||
| # Field is email, but isn't verified and we aren't assuming all emails are verified | ||
| if field == "email" and not (claims.get("email_verified") or self.settings.get("assume_emails_verified")): |
There was a problem hiding this comment.
test_idp_oauth2 need to be updated to test the branch conditions here to ensure that the error is returned as expected depending on the use of "assume_emails_verified"
fence/resources/openid/idp_oauth2.py
Outdated
| return {"error": f"Can't get {field} from claims"} | ||
|
|
||
| # Field is email, but isn't verified and we aren't assuming all emails are verified | ||
| if field == "email" and not (claims.get("email_verified") or self.settings.get("assume_emails_verified")): |
There was a problem hiding this comment.
assumed_email_verified needs to be added to config-default.yaml under OPENID_CONNECT with documentation explaining its usage for the respective IDPs of interest.
Co-authored-by: burtonk <[email protected]>
Link to JIRA ticket if there is one:
New Features
Allow returning email and id_from_idp claims from the generic OIDC get_auth_info() code, as well as the user_id.
Breaking Changes
Bug Fixes
Improvements
Dependency updates
Deployment changes
Notes:
This is the first time I've attempted to contribute to gen3, so I may well be doing it wrong!
I have tested this locally using the dex idp https://github.com/dexidp/dex as the OIDC server