authelia/internal/handlers/oidc.go
James Elliott 06641cd15a
fix(oidc): add preferred username claim (#2801)
This adds the missing preferred username claim to the ID Token for OIDC.

Fixes #2798
2022-01-18 20:32:06 +11:00


package handlers
import (
"github.com/ory/fosite"
"github.com/ory/fosite/handler/openid"
"github.com/ory/fosite/token/jwt"
"github.com/authelia/authelia/v4/internal/oidc"
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/utils"
)
// isConsentMissing reports whether consent still has to be obtained for the given
// requestedScopes and requestedAudience. A nil workflow always counts as missing.
// Otherwise consent is missing when a non-empty scope request differs from the
// workflow's GrantedScopes, or when a non-empty audience request differs (using the
// Fold comparison) from the workflow's GrantedAudience.
func isConsentMissing(workflow *session.OIDCWorkflowSession, requestedScopes, requestedAudience []string) (isMissing bool) {
	if workflow == nil {
		return true
	}

	// Scopes are checked first; the audience check only runs when the scopes match.
	scopesDiffer := len(requestedScopes) > 0 && utils.IsStringSlicesDifferent(requestedScopes, workflow.GrantedScopes)
	if scopesDiffer {
		return true
	}

	return len(requestedAudience) > 0 && utils.IsStringSlicesDifferentFold(requestedAudience, workflow.GrantedAudience)
}
// newOpenIDSession builds an oidc.OpenIDSession for subject with freshly
// allocated (empty) ID token claims and headers and an empty Extra map.
func newOpenIDSession(subject string) *oidc.OpenIDSession {
	defaultSession := &openid.DefaultSession{
		Claims:  &jwt.IDTokenClaims{},
		Headers: &jwt.Headers{},
		Subject: subject,
	}

	return &oidc.OpenIDSession{
		DefaultSession: defaultSession,
		Extra:          make(map[string]interface{}),
	}
}
// oidcGrantRequests grants the requested scopes and audiences on ar (when ar is
// non-nil) and returns the extra ID token claims derived from userSession.
//
// The preferred username claim is always included regardless of scope. Per scope:
// the groups scope adds the groups claim, the profile scope adds the display name
// claim, and the email scope adds the first email as the email claim, any further
// emails under the alternative emails claim, and an email verified claim.
//
// The email verified claim is currently set to true without any verification
// having been performed (see the TODO below), so a relying party reading it does
// not actually get an assurance of address ownership.
//
// When ar is non-nil the client's own ID is appended to the granted audience if it
// is not already present. userSession is dereferenced unconditionally and must be
// non-nil.
func oidcGrantRequests(ar fosite.AuthorizeRequester, scopes, audiences []string, userSession *session.UserSession) (extraClaims map[string]interface{}) {
	extraClaims = make(map[string]interface{})
	extraClaims[oidc.ClaimPreferredUsername] = userSession.Username

	if ar != nil {
		for _, scope := range scopes {
			ar.GrantScope(scope)
		}
	}

	for _, scope := range scopes {
		switch scope {
		case oidc.ScopeGroups:
			extraClaims[oidc.ClaimGroups] = userSession.Groups
		case oidc.ScopeProfile:
			extraClaims[oidc.ClaimDisplayName] = userSession.DisplayName
		case oidc.ScopeEmail:
			emails := userSession.Emails
			if len(emails) == 0 {
				continue
			}

			extraClaims[oidc.ClaimEmail] = emails[0]

			// Only emit the alternative emails claim when there is more than one address.
			if rest := emails[1:]; len(rest) > 0 {
				extraClaims[oidc.ClaimAltEmails] = rest
			}

			// TODO (james-d-elliott): actually verify emails and record that information.
			extraClaims[oidc.ClaimEmailVerified] = true
		}
	}

	if ar == nil {
		return extraClaims
	}

	for _, audience := range audiences {
		ar.GrantAudience(audience)
	}

	clientID := ar.GetClient().GetID()
	if !utils.IsStringInSlice(clientID, ar.GetGrantedAudience()) {
		ar.GrantAudience(clientID)
	}

	return extraClaims
}