-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth connector #1630
OAuth connector #1630
Conversation
f930a9f
to
c8d3ead
Compare
Nice! This would be most welcome in my opinion. @xtremerui Would you mind adding a commit or two to a) list the generic oauth connector in the table of the main readme; and I believe that would be helpful to get the PR to be accepted. @bonifaido @sagikazarmark This PR has stalled basically on a single person's review, I believe it'd be nice to get this in (with above mentions additions) so I'm hoping one of you could take a look since @srenatus doesn't appear to have time? Disclaimer: I'm in no way involved with either the Concourse or Dex team. I'm just a simple user trying to help the process as it were. |
2f6d1e1
to
fbc31d7
Compare
I have updated the documents for oauth connector. Please let me know if there is anything I can do. Thx! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So overall... with the caveat of me having read through the PR on my phone and not having "physically" tested it... 😄
LGTM assuming my comments are addressed.
connector/oauth/oauth.go
Outdated
|
||
identity.UserID, _ = userInfoResult[c.userIDKey].(string) | ||
identity.Username, _ = userInfoResult[c.userNameKey].(string) | ||
identity.PreferredUsername, _ = userInfoResult["name"].(string) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I am mistaken, you guys wanted to make sure the preferred_username
field is available for users.
However, hardcoding it to be the same as the name
field does not seem desirable to me. Apart from that it also doesn't give the backend a chance to pass preferred_username
if it tries to and effectively renders preferred_username
fairly useless.
My suggestion would be to:
- default it to unset if its unset at the backend
- pass through the value unchanged if the backend does provide the field
- and allow a user to override the above two through a config entry which tells the connector to copy the value of another field to
preferred_username
Please see the Atlassian Crowd connector for an example.
Again disclaimer: I'm not a member of Dex, just an occasional contributor trying to help both of you. 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that makes sense. If there is connector that handles preferred_username already. I'd like to keep the behavior the same as much as possible.
@@ -474,6 +475,7 @@ var ConnectorsConfig = map[string]func() ConnectorConfig{ | |||
"gitlab": func() ConnectorConfig { return new(gitlab.Config) }, | |||
"google": func() ConnectorConfig { return new(google.Config) }, | |||
"oidc": func() ConnectorConfig { return new(oidc.Config) }, | |||
"oauth": func() ConnectorConfig { return new(oauth.Config) }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some whitespace issues
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm can't tell where the whitespace is. I took an existing line and just changed the name. It shown no difference.
Hmm... I'm wondering if I made a booboo here... I believe that Can we verify this? @sagikazarmark & @xtremerui ? I did not find any reference to preferred_username in the OAUTH 2 specs, only in the OIDC specs. |
@mvdkleijn I think you are right. Though I can't see how it affects the current implementation in this PR. Upstream might or might not include |
Sounds sensible enough, but I'll leave this decision to one of the Dex mainteiners like @sagikazarmark 😄 I'm juat happy to see there's some movement in these PRs again since they're so close to being merged. |
64d658f
to
e094327
Compare
93b72b4
to
785319a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @xtremerui
I think it's a great feature.
Found a few nits, can you please take a look at those? Thanks!
Documentation/connectors/oauth.md
Outdated
# Optional: Configurable keys for groups claim look up | ||
# Default: groups | ||
# groupsKey: | ||
|
||
# Optional: Configurable keys for user ID claim look up | ||
# Default: user_id | ||
# userIDKey: | ||
|
||
# Optional: Configurable keys for preferred username claim look up | ||
# Default: preferred_username | ||
# preferredUsernameKey: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a claim mapping for these (except userIDKey) similar to the one introduced in #1634?
(userIDKey
is not actually an OIDC claim, so it should remain separate)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if userIDKey
is not a standard claim (actullay i believe for oauth framework there is no standard claim, compared to OIDC), should we also include it in the claim mapping so user can configure it to match whatever they want from the auth provider?
I think the same case also apply to email
and email_verified
. Please correct me if there is a doc about standard claims of oauth.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in our case claims are interpreted from the Dex providing OIDC point of view. No, they are not oauth claims, but we map some information from oauth to the OIDC token.
The userIDKey is only used by Dex to determine which field to use as the user identifier for the specific connector. The rest of the keys are "mapped" into an OIDC token as standard claims.
That's how I see it at least, correct me if my thought process is wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have put eveything but userIDKey
under ClaimMappings
and added an error if user ID is not found since it is critical. EmailKey
and EmailVerifiedKey
are added so it can handle a response like reddit:
https://oauth.reddit.com/api/v1/me
{
"comment_karma": 0,
"created": 1389649907.0,
"created_utc": 1389649907.0,
"has_mail": false,
"has_mod_mail": false,
"has_verified_email": null, <--- emailVerifiedKey
"id": "1", <--- userIDKey
"is_gold": false,
"is_mod": true,
"link_karma": 1,
"name": "reddit_bot", <--- preferredUsernameKey
"over_18": true
}
connector/oauth/oauth.go
Outdated
if c.userIDKey == "" { | ||
c.userIDKey = "user_id" | ||
} | ||
|
||
if c.userNameKey == "" { | ||
c.userNameKey = "user_name" | ||
} | ||
|
||
if c.groupsKey == "" { | ||
c.groupsKey = "groups" | ||
} | ||
|
||
if c.preferredUsernameKey == "" { | ||
c.preferredUsernameKey = "preferred_username" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these default should probably be assigned in the "constructor", no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I put them here to follow what OIDC does in the handlerCallback()
. I have no preference here so if you insiit I can move them to the Open()
method where it constructs Oauth connection.
Lines 282 to 310 in 2a28286
userNameKey := "name" | |
if c.userNameKey != "" { | |
userNameKey = c.userNameKey | |
} | |
name, found := claims[userNameKey].(string) | |
if !found { | |
return identity, fmt.Errorf("missing \"%s\" claim", userNameKey) | |
} | |
preferredUsername, found := claims["preferred_username"].(string) | |
if !found { | |
preferredUsername, _ = claims[c.preferredUsernameKey].(string) | |
} | |
hasEmailScope := false | |
for _, s := range c.oauth2Config.Scopes { | |
if s == "email" { | |
hasEmailScope = true | |
break | |
} | |
} | |
var email string | |
emailKey := "email" | |
email, found = claims[emailKey].(string) | |
if !found && c.emailKey != "" { | |
emailKey = c.emailKey | |
email, found = claims[emailKey].(string) | |
} |
faa49fe
to
6d77be2
Compare
6d77be2
to
cbd166d
Compare
7d1a86c
to
af62fc7
Compare
fdb86ea
to
81e80d7
Compare
I have a similar scene, i want to know why this pr isn't merged now? |
54578a5
to
53d11be
Compare
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Co-authored-by: Shash Reddy <sreddy@pivotal.io> Signed-off-by: Joshua Winters <jwinters@pivotal.io>
Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io>
Signed-off-by: Rui Yang <ryang@pivotal.io>
Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
move default key values configure to connector construct function Signed-off-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Rui Yang <ruiya@vmware.com>
There are cases when groups are represented as a list of maps, not strings e.g. "groups":[{"id":"1", "name":"gr1"},{"id": "2", "name":"gr2"}]. Handle groups represented as a list of maps. #23 Signed-off-by: Vlad Safronov <vladislav.safronov@oracle.com>
Signed-off-by: Vlad Safronov <vladislav.safronov@oracle.com>
53d11be
to
7c80e44
Compare
us 'os' insteak of 'io/ioutil' Signed-off-by: Rui Yang <ruiya@vmware.com>
8c61d5e
to
8b86516
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@xtremerui Thanks for the efforts you've put into this. I finally got the time around to give it a proper review. It looks good to me.
I had two small comments. Would you mind taking a look at them? We can finally get this merged after that.
Signed-off-by: Rui Yang <ruiya@vmware.com>
Thx for reviewing. I have updated it accordingly. @sagikazarmark |
Thanks @xtremerui |
The official docker release for this release can be pulled from ``` ghcr.io/dexidp/dex:v2.31.0 ``` ## What's Changed * Bump Dex image to v2.30.0 for Kubernetes deployment example by @rdimitrov in dexidp#2232 * Update Go to 1.17 by @sagikazarmark in dexidp#2247 * refactor: move from io/ioutil to io and os package by @Juneezee in dexidp#2278 * feat: Add MySQL ent-based storage driver by @nabokihms in dexidp#2272 * chore: fix ioutil lint error after merging MySQL ent storage by @nabokihms in dexidp#2282 * Add parametrization of grant type supported in discovery endpoint by @ariary in dexidp#2265 * Resolves dexidp#2111 Option to fetch transitive group membership by @snuggie12 in dexidp#2268 * Return valid JWT access token from password grant by @enj in dexidp#2234 * fix: do not update offlinesession lastUsed field if refresh token was not updated by @nabokihms in dexidp#2300 * fix web static file path slash error for win platform by @copperyp in dexidp#2305 * Update grpc by @sagikazarmark in dexidp#2321 * ci: fix container image permissions by @sagikazarmark in dexidp#2329 * feat: print dex version in the logs by @iam-veeramalla in dexidp#2337 * OAuth connector by @xtremerui in dexidp#1630 * fix: return invalid_grant error on claiming token of another client by @nabokihms in dexidp#2344 * chore: warning about deprecated LDAP groupSearch fields by @nabokihms in dexidp#2026 * Add Nix environment by @sagikazarmark in dexidp#2324 * Update dependencies in the examples package by @sagikazarmark in dexidp#2372 * add sigstore to ADOPTERS.md by @bobcallaway in dexidp#2374 * Add claimMapping enforcement by @Happy2C0de in dexidp#2233 * ci: run trivy scan on container image by @sagikazarmark in dexidp#2387 * chore: update gomplate by @sagikazarmark in dexidp#2388 * chore: update golangci-lint download script by @nabokihms in dexidp#2394 * [fix] Replace /teams API w/ /workspaces endpoints by @rahulchheda in dexidp#2390 * ci: add Docker cache to speed builds up by @sagikazarmark in dexidp#2400 * distroless: Dockerfile works with distroless base image by @ankeesler in dexidp#2378 * Update dependencies by @sagikazarmark in dexidp#2404 * Update API package by @sagikazarmark in dexidp#2405 ## Dependency updates * build(deps): bump entgo.io/ent from 0.8.0 to 0.9.0 by @dependabot in dexidp#2226 * build(deps): bump golang from 1.16.6-alpine3.13 to 1.16.7-alpine3.13 by @dependabot in dexidp#2225 * build(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 by @dependabot in dexidp#2227 * build(deps): bump google.golang.org/api from 0.52.0 to 0.53.0 by @dependabot in dexidp#2235 * build(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 by @dependabot in dexidp#2236 * build(deps): bump alpine from 3.14.0 to 3.14.1 by @dependabot in dexidp#2229 * build(deps): bump github.com/go-ldap/ldap/v3 from 3.3.0 to 3.4.0 by @dependabot in dexidp#2239 * build(deps): bump google.golang.org/api from 0.53.0 to 0.54.0 by @dependabot in dexidp#2241 * build(deps): bump github.com/AppsFlyer/go-sundheit from 0.4.0 to 0.5.0 by @dependabot in dexidp#2240 * build(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.1 in /api/v2 by @dependabot in dexidp#2243 * build(deps): bump google.golang.org/grpc from 1.36.1 to 1.40.0 in /api/v2 by @dependabot in dexidp#2242 * build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.0 to 3.4.1 by @dependabot in dexidp#2246 * build(deps): bump entgo.io/ent from 0.9.0 to 0.9.1 by @dependabot in dexidp#2249 * build(deps): bump alpine from 3.14.1 to 3.14.2 by @dependabot in dexidp#2258 * build(deps): bump google.golang.org/api from 0.54.0 to 0.55.0 by @dependabot in dexidp#2259 * build(deps): bump google.golang.org/api from 0.55.0 to 0.56.0 by @dependabot in dexidp#2262 * build(deps): bump github.com/lib/pq from 1.10.2 to 1.10.3 by @dependabot in dexidp#2263 * build(deps): bump github.com/russellhaering/goxmldsig from 1.1.0 to 1.1.1 by @dependabot in dexidp#2270 * build(deps): bump golang from 1.17.0-alpine3.14 to 1.17.1-alpine3.14 by @dependabot in dexidp#2269 * build(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 by @dependabot in dexidp#2277 * build(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 by @dependabot in dexidp#2279 * build(deps): bump golang from 1.17.1-alpine3.14 to 1.17.2-alpine3.14 by @dependabot in dexidp#2292 * build(deps): bump go.etcd.io/etcd/client/pkg/v3 from 3.5.0 to 3.5.1 by @dependabot in dexidp#2298 * build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.0 to 3.5.1 by @dependabot in dexidp#2299 * build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 by @dependabot in dexidp#2285 * build(deps): bump github.com/mattn/go-sqlite3 from 1.14.8 to 1.14.9 by @dependabot in dexidp#2302 * build(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 in /api/v2 by @dependabot in dexidp#2286 * build(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 by @dependabot in dexidp#2287 * build(deps): bump google.golang.org/api from 0.58.0 to 0.59.0 by @dependabot in dexidp#2303 * build(deps): bump google.golang.org/api from 0.59.0 to 0.60.0 by @dependabot in dexidp#2308 * build(deps): bump golang from 1.17.2-alpine3.14 to 1.17.3-alpine3.14 by @dependabot in dexidp#2317 * build(deps): bump github.com/lib/pq from 1.10.3 to 1.10.4 by @dependabot in dexidp#2320 * build(deps): bump alpine from 3.14.2 to 3.14.3 by @dependabot in dexidp#2325 * build(deps): bump alpine from 3.14.3 to 3.15.0 by @dependabot in dexidp#2336 * build(deps): bump google.golang.org/api from 0.60.0 to 0.61.0 by @dependabot in dexidp#2341 * build(deps): bump golang from 1.17.3-alpine3.14 to 1.17.4-alpine3.14 by @dependabot in dexidp#2345 * build(deps): bump google.golang.org/api from 0.61.0 to 0.62.0 by @dependabot in dexidp#2348 * build(deps): bump golang from 1.17.4-alpine3.14 to 1.17.5-alpine3.14 by @dependabot in dexidp#2349 * build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 by @dependabot in dexidp#2354 * build(deps): bump google.golang.org/api from 0.62.0 to 0.63.0 by @dependabot in dexidp#2353 * build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 by @dependabot in dexidp#2355 * build(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 in /api/v2 by @dependabot in dexidp#2356 * build(deps): bump github.com/mattn/go-sqlite3 from 1.14.9 to 1.14.10 by @dependabot in dexidp#2362 * build(deps): bump golang from 1.17.5-alpine3.14 to 1.17.6-alpine3.14 by @dependabot in dexidp#2363 * build(deps): bump google.golang.org/api from 0.63.0 to 0.64.0 by @dependabot in dexidp#2364 * build(deps): bump google.golang.org/api from 0.64.0 to 0.65.0 by @dependabot in dexidp#2368 * build(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 by @dependabot in dexidp#2380 * build(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 by @dependabot in dexidp#2384 * build(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 in /api/v2 by @dependabot in dexidp#2385 * build(deps): bump go.etcd.io/etcd/client/v3 from 3.5.1 to 3.5.2 by @dependabot in dexidp#2395 * build(deps): bump aquasecurity/trivy-action from 0.2.1 to 0.2.2 by @dependabot in dexidp#2398 * build(deps): bump google.golang.org/api from 0.65.0 to 0.67.0 by @dependabot in dexidp#2399 * build(deps): bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 by @dependabot in dexidp#2393 ## New Contributors * @rdimitrov made their first contribution in dexidp#2232 * @Juneezee made their first contribution in dexidp#2278 * @ariary made their first contribution in dexidp#2265 * @snuggie12 made their first contribution in dexidp#2268 * @enj made their first contribution in dexidp#2234 * @copperyp made their first contribution in dexidp#2305 * @iam-veeramalla made their first contribution in dexidp#2337 * @bobcallaway made their first contribution in dexidp#2374 * @Happy2C0de made their first contribution in dexidp#2233 * @rahulchheda made their first contribution in dexidp#2390 * @ankeesler made their first contribution in dexidp#2378 **Full Changelog**: dexidp/dex@v2.30.0...v2.31.0
Hi, this implements an oauth connector, which could be used for generic authentication following OAuth2.0 framework.