OIDC groups and userinfo support#1463

Closed

drekle wants to merge 10 commits into dexidp:master from cisco-sso:oidc_groups_userinfo

Conversation


@drekle drekle commented Jun 6, 2019

Trying to resume
#1315
#1133
Also noticed #1454 is a little more relevant and okay making changes after that one if one of these can merge.

fjbsantiago and others added 8 commits November 25, 2017 21:05
1. The AccessToken is filled with Claims, Connector Data and ConnectorID from the AuthCode.
2. It is then Serialized and sent to the user
3. The user may, then, do a request to the /userinfo endpoint using this token.

By default, when dex gets a /userinfo request, the token is deserialized, the Claims originally copied from AuthCode are extracted from it and sent back to the user as the User Info response payload.

This should work for all the connectors and was tested with the LDAP and OIDC connectors.

If the connector used to authenticate the user implements the GetUserInfo interface, then the responsibility of generating the User Info payload is delegated to it.

This is the case of the Oidc connector.
It uses the real AccessToken, previously stored as a field in the ConnectorData, to forward a genuine /userinfo request to the original IdP.
The Claims extracted from the AuthCode are used to generate the initial user info payload object, and this object is extended with whatever claims are returned by the original IdP.
— Access Token is encrypted upon generation
— Access Token is decrypted in userinfo handler to extract original Claims and other relevant information
…master

# Conflicts:
#	Documentation/oidc-connector.md
#	server/internal/types.pb.go
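The token flow described in the commit message above, as an added Go example that is not dex's own code: the opaque access token carries the claims, connector ID and connector data, is sealed with AES-GCM before it is handed to the client, and the userinfo handler decrypts it and either returns the stored claims or delegates to the connector. The connector's optional GetUserInfo interface is modelled here as a nil-able function, and the key, field names and base64url encoding are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// accessToken holds what the auth code held: claims, connector ID and connector data.
type accessToken struct {
	ConnectorID   string            `json:"connector_id"`
	Claims        map[string]string `json:"claims"`
	ConnectorData []byte            `json:"connector_data,omitempty"` // OIDC: upstream access token
}
// userInfoHook stands in for a connector's optional GetUserInfo; nil means not implemented.
type userInfoHook func(connectorData []byte, claims map[string]string) (map[string]string, error)
func newAEAD(key []byte) (cipher.AEAD, error) { // AES-GCM; key is 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealToken serializes and encrypts (random nonce prepended): the client gets an opaque string.
func sealToken(aead cipher.AEAD, t accessToken) string {
	plain, _ := json.Marshal(t)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil))
}
// userInfo is the /userinfo handler logic: authenticate and decrypt (tampered or truncated
// tokens are rejected), then return the stored claims or let the connector extend them.
func userInfo(aead cipher.AEAD, token string, hook userInfoHook) (map[string]string, error) {
	var t accessToken
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if n := aead.NonceSize(); err != nil || len(raw) < n {
		return nil, errors.New("malformed token")
	} else if raw, err = aead.Open(nil, raw[:n], raw[n:], nil); err != nil {
		return nil, err
	} else if err = json.Unmarshal(raw, &t); err != nil {
		return nil, err
	}
	if hook != nil {
		return hook(t.ConnectorData, t.Claims)
	}
	return t.Claims, nil
}
```

A token sealed under one key is rejected under any other, so a client can neither read the embedded upstream access token nor alter the claims it will get back from /userinfo.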
Author

drekle commented Jun 6, 2019

@JoelSpeed I tried to resolve many of your comments from #1315. We would very much like to use this. Let me know what I can do to try to get this merged.

Author

drekle commented Jun 6, 2019

@kalinon please +1 if this is okay for me to pick up. Otherwise I am okay with you cherry-picking anything I have done.


kalinon commented Jun 6, 2019

> @kalinon please +1 if this is okay for me to pick up. Otherwise I am okay with you cherry-picking anything I have done.

Please do, I appreciate it. Go is not my main language and I would rather not muck it up.

@drekle drekle closed this Jun 6, 2019
@drekle drekle reopened this Jun 6, 2019
Author

drekle commented Jun 7, 2019

@srenatus any idea on the direction here with all these PR's?


kalinon commented Jun 7, 2019

Looks good to me. If I could approve I would!

@JoelSpeed
Contributor

Hey, I don't have time to look now, but will try to over the weekend

@nabokihms
Member

UserInfo endpoint was implemented in #1473
Groups are supported by enabling the flag. The group key is also customizable.

Closing this PR. Please open a new one if you still have an issue.

@nabokihms nabokihms closed this Feb 17, 2023