Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable custom structure for group claim with default name group #839

Conversation

Bibob7
Copy link
Contributor

@Bibob7 Bibob7 commented Oct 13, 2020

Description

I ignore the default group claim for unmarshalling json, because we can not be sure that it has the type []string.
Instead I extract only the group claim defined via config. If the group value is not a string I use the json representation of the group value. With this change the application can handle the group values individually.

Maybe you have a better idea for handling the group value, but at least for me it would work.

Motivation and Context

Couldn't extract claims from id_token because group claim has invalid structure

How Has This Been Tested?

I created an additional test case.

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.

@Bibob7 Bibob7 requested a review from a team as a code owner October 13, 2020 14:24
@NickMeves
Copy link
Member

Hi @Bibob7 -- This might be a duplicate of this PR that is in work: #816

Can you take a look over there and see if your needs are covered?

@Bibob7
Copy link
Contributor Author

Bibob7 commented Oct 14, 2020

@NickMeves You are right, there is an overlap. But the decisive difference is that in my PR, even the default group claim can have a completely different structure.
The most important thing for me is the adjustment in line 314 in providers/oidc.go.

@NickMeves
Copy link
Member

@NickMeves You are right, there is an overlap. But the decisive difference is that in my PR, even the default group claim can have a completely different structure.
The most important thing for me is the adjustment in line 314 in providers/oidc.go.

If you don't mind, can you support getting the proper fixes in the other PR? We try to lean toward letting the first submitter of a PR the precedence to encourage the community to contribute and get the experience of getting a PR merged on an open source project.

If it starts to go stale, we can pick up the work here. We won't wait the normal 60 days because we want this feature in v7 which we want to release in 4-6 weeks.

providers/oidc.go Outdated Show resolved Hide resolved
Copy link
Member

@NickMeves NickMeves left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see enough differences in the bug you are trying to solve vs the other PR to merge this separately in case you don't see movement on the other PR in a timely manner.

I left a couple of questions that aren't blocking, looking for opinions.

Please go ahead and add a CHANGELOG entry reflecting the new support for complex groups in OIDC IDTokens.

providers/oidc.go Outdated Show resolved Hide resolved
providers/oidc.go Outdated Show resolved Hide resolved
providers/oidc.go Outdated Show resolved Hide resolved
providers/oidc_test.go Outdated Show resolved Hide resolved
providers/oidc.go Outdated Show resolved Hide resolved
providers/oidc.go Outdated Show resolved Hide resolved
providers/oidc.go Outdated Show resolved Hide resolved
Copy link
Member

@NickMeves NickMeves left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the work on this!

@Bibob7
Copy link
Contributor Author

Bibob7 commented Nov 3, 2020

Thanks for the work on this!

You are welcome! 😊

Comment on lines +304 to +313
func formatGroup(rawGroup interface{}) (string, error) {
group, ok := rawGroup.(string)
if !ok {
jsonGroup, err := json.Marshal(rawGroup)
if err != nil {
return "", err
}
group = string(jsonGroup)
}
return group, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is a tad terse, it's not obvious what this is trying to achieve, maybe could have done with a comment on this 🤔

Is the point that groups is always flattened to some JSON string?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah - only if the IdP had a structure that wasn't []string . In the contributers case, this was what the claim looked like from there IdP raised in the linked issue:

"groups": [
    {
      "groupId": "CIDAAS_ADMINS",
      "roles": [
        "ADMIN"
      ]
    }
  ],

@sosiskin2000
Copy link

When its planned to be merged? In which version?

@JoelSpeed
Copy link
Member

This is merged and in releases from 7.0.0 onwards

k-jell pushed a commit to liquidinvestigations/oauth2-proxy that referenced this pull request Apr 6, 2022
…h2-proxy#839)

* Allow complex structure for groups in group claim.

* Remove unused constant

* Update variable name

* Fix linting

* Use helper method

* Log error if not possible to append group value

* Add missing import

* Use own logger

* Fix imports

* Remove Dockerfile for testing

* Add Changelog entry

* Use formatGroup helper method and update tests

* Return string instead of string array

* Remove groups variable

* Return error in format method.

* Reorder imports

Co-authored-by: Nick Meves <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants