
Allow arbitrary claims from the IDToken to be injected into the response header #2685

Open
wants to merge 2 commits into
base: master

Conversation

vegetablest (Contributor)

Description

Allows retrieval of additional claims from IDToken.

Motivation and Context

The IDToken from the OIDCProvider I'm using contains claims that I want to use, but currently only a few of them can be injected into the response headers. This change allows users to specify additional claims from the IDToken that they want to include.

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.
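The behaviour the description asks for, as an added example that is not code from this PR or from the project: a decoded ID token, an allow-list of claim names in the spirit of the option proposed here, and the checks a reviewer would want before claim values reach response headers. The option name `AdditionalClaims`, the `X-Auth-Request-` header prefix, the helper names and the sample claim set are all assumptions; the token is constructed inline with a placeholder signature, on the assumption that signature, issuer, audience and expiry were already verified by the provider before this code runs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// A claim name must be usable inside a header name (RFC 7230 token characters).
var headerNameRe = regexp.MustCompile(`^[A-Za-z0-9-]+$`)

// samplePayload is a constructed claim set: "roles" and "address" are
// non-string claims and "comment" carries CR/LF to exercise the sanitizer.
const samplePayload = `{"iss":"https://idp.example","sub":"u123","aud":"proxy","department":"security",` +
	`"roles":["admin","dev"],"address":{"country":"SE"},"comment":"hello\r\nX-Injected: 1"}`

// constructIDToken builds a compact JWS with a placeholder header and signature so
// the example runs offline; a real id_token is verified by the provider first.
func constructIDToken(payloadJSON string) string {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	return header + "." + enc.EncodeToString([]byte(payloadJSON)) + ".placeholder-signature"
}

// decodeClaims returns the claim set of an already-verified id_token.
func decodeClaims(idToken string) (map[string]interface{}, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id_token is not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return claims, nil
}

// sanitizeHeaderValue replaces CR, LF and other control characters with a space so
// an IdP-controlled claim cannot end the header line or smuggle a second header.
func sanitizeHeaderValue(s string) string {
	return strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return ' '
		}
		return r
	}, s)
}

// claimHeaders applies the allow-list (the hypothetical AdditionalClaims option) to a
// claim set, producing headers named prefix+claim. Claims absent from the token are
// skipped; a claim name that cannot form a header name fails closed with an error.
func claimHeaders(claims map[string]interface{}, additional []string, prefix string) (http.Header, error) {
	h := http.Header{}
	for _, name := range additional {
		if !headerNameRe.MatchString(name) {
			return nil, fmt.Errorf("claim %q cannot be used as a header name", name)
		}
		v, ok := claims[name]
		if !ok {
			continue
		}
		var s string
		switch t := v.(type) {
		case string:
			s = t
		case float64, bool:
			s = fmt.Sprint(t)
		default: // arrays and objects: JSON, so the upstream parses them unambiguously
			b, err := json.Marshal(t)
			if err != nil {
				return nil, fmt.Errorf("claim %q: %w", name, err)
			}
			s = string(b)
		}
		h.Set(prefix+name, sanitizeHeaderValue(s))
	}
	return h, nil
}

func main() {
	claims, err := decodeClaims(constructIDToken(samplePayload))
	if err != nil {
		panic(err)
	}
	h, err := claimHeaders(claims, []string{"department", "roles", "address", "comment", "missing"}, "X-Auth-Request-")
	if err != nil {
		panic(err)
	}
	for name, values := range h {
		fmt.Printf("%s: %q\n", name, values[0])
	}
}
```

Running it prints one header per configured claim that the token actually contains. Non-string claims are JSON-encoded rather than joined with a guessed delimiter, control characters in values are replaced before the header is set, and a claim name that cannot form a header name is a configuration error rather than something to mangle silently. The unverified-token caveat is the important one: the allow-list decides only which claims are exposed, not whether they can be trusted.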

@vegetablest vegetablest requested a review from a team as a code owner June 25, 2024 08:50
@vegetablest vegetablest changed the title feat: support additional claims Allows arbitrary claims from the Id token to be injected into the response header Jun 25, 2024
@vegetablest vegetablest changed the title Allows arbitrary claims from the Id token to be injected into the response header Allow arbitrary claims from the IDToken to be injected into the response header Jun 25, 2024
@daniellienert

Hey @vegetablest,
Thank you very much for the PR. This is exactly what we needed for our use case!
Would be great to have this feature in the official release.

@@ -84,6 +84,9 @@ type Provider struct {
// The code challenge method
CodeChallengeMethod string `json:"code_challenge_method,omitempty"`

// Allows additional claims to be obtained from the `id_token`.
AllowAdditionalClaims []string `json:"allowAdditionalClaims,omitempty"`
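Review bot: the JSON tag `allowAdditionalClaims` on the new field is camelCase while the neighbouring `CodeChallengeMethod` is tagged `code_challenge_method`, so the config key breaks the convention of the rest of the struct; suggest `json:"additional_claims,omitempty"` to go with the rename to `AdditionalClaims`. The doc comment should also say what the list is used for (claim names copied from the `id_token` into response headers, per the PR title) and that claims not listed are never exposed, since that allow-list property is what a deployer relies on.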
Member

I don't think this is a good naming scheme.

In my opinion AllowXX indicates a boolean value; instead we should call it AllowedAdditionalClaims or even better just AdditionalClaims.

vegetablest (Contributor Author)

I don't think this is a good naming scheme.

In my opinion AllowXX indicates a boolean value; instead we should call it AllowedAdditionalClaims or even better just AdditionalClaims.

I agree, I have made the correction.

@vegetablest vegetablest force-pushed the feat/claim branch 3 times, most recently from 7214b2e to cc56acc Compare August 26, 2024 02:23
@ItsZiroy

Is there a timeline for when this feature will be available?

@artificiosus

@vegetablest
If you added something like the following, it would also solve #834 and put the additional claims into /oauth2/userinfo.

diff --git a/oauthproxy.go b/oauthproxy.go
index ca9d4e97..8ed2c68e 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -718,15 +718,17 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
        }
 
        userInfo := struct {
-               User              string   `json:"user"`
-               Email             string   `json:"email"`
-               Groups            []string `json:"groups,omitempty"`
-               PreferredUsername string   `json:"preferredUsername,omitempty"`
+               User              string                 `json:"user"`
+               Email             string                 `json:"email"`
+               Groups            []string               `json:"groups,omitempty"`
+               PreferredUsername string                 `json:"preferredUsername,omitempty"`
+               AdditionalClaims  map[string]interface{} `json:"additionalClaims,omitempty"`
        }{
                User:              session.User,
                Email:             session.Email,
                Groups:            session.Groups,
                PreferredUsername: session.PreferredUsername,
+               AdditionalClaims:  session.AdditionalClaims,
        }
 
        if err := json.NewEncoder(rw).Encode(userInfo); err != nil {
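Review bot: `session.AdditionalClaims` is used as a `map[string]interface{}` but nothing in this hunk defines it; the session state struct needs a matching field in the same change, and whatever serializes the session into the store must carry it, or the claims captured at login will not be there when UserInfo runs. Worth stating in the docs as well: once the map is returned from `/oauth2/userinfo`, every configured claim is readable by the browser and any script on that origin, not only by the upstream behind the proxy, so `AdditionalClaims` becomes the single allow-list for both exposure paths. The `omitempty` on the map is fine for both nil and empty maps.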

@vegetablest (Contributor Author)

@artificiosus Thanks for the suggestion! I think it’s a great idea, but it might be better to address this in a separate PR to keep the focus on the issue at hand. Once this PR is merged, I’d be happy to work on the other issue.

5 participants