
Add OIDC claim names options #1594

Open. Wants to merge 1 commit into base: main

Conversation

@fen4o commented Nov 8, 2023

Some identity providers (auth0 for example) do not allow setting the groups claim (https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims), and administrators must use custom claim names and add them to the id token.

This commit adds the following configuration options:

  • oidc.groups_claim to set the groups claim name
  • oidc.email_claim to set the email claim name

All claims default to the previous values for backwards compatibility.

The groups claim can now also accept []string or string, as some providers might return only a string instead of an array.

  • read the CONTRIBUTING guidelines
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md

Fixes #1114

Some identity providers (auth0 for example) do not allow setting the
groups claim, and administrators must use custom claim names and add
them to the id token.

This commit adds the following configuration options:

- `oidc.groups_claim` to set the groups claim name
- `oidc.email_claim` to set the email claim name

All claims default to the previous values for backwards compatibility.

The groups claim can now also accept `[]string` or `string`, as some
providers might return only a string instead of an array.
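The behaviour this PR describes, as an added example in Go that is not the PR's or the project's own code: the email and groups claim names are configurable and fall back to the previous `email` and `groups` defaults, and the groups claim is accepted as either a JSON array of strings or a single string, with any other shape rejected rather than silently granting no groups. `ClaimNames` and `ExtractClaims` are hypothetical names; the sample claims are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ClaimNames carries the configurable claim names; the field names are assumptions
// standing in for the oidc.groups_claim / oidc.email_claim options described above.
type ClaimNames struct {
	GroupsClaim string
	EmailClaim  string
}

// ExtractClaims reads the email and group list from the JSON claims of an ID token
// whose signature, issuer, audience and expiry have already been verified. Unset names
// fall back to "groups" and "email"; the groups claim may be a string or an array.
func ExtractClaims(raw []byte, names ClaimNames) (string, []string, error) {
	if names.GroupsClaim == "" {
		names.GroupsClaim = "groups"
	}
	if names.EmailClaim == "" {
		names.EmailClaim = "email"
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", nil, err
	}
	email, ok := claims[names.EmailClaim].(string)
	if !ok {
		return "", nil, fmt.Errorf("claim %q missing or not a string", names.EmailClaim)
	}
	var groups []string
	switch g := claims[names.GroupsClaim].(type) {
	case nil: // claim absent: the user belongs to no groups
	case string:
		groups = []string{g}
	case []any: // JSON arrays decode to []any; every element must be a string
		for _, e := range g {
			s, ok := e.(string)
			if !ok {
				return "", nil, fmt.Errorf("claim %q has non-string element %v", names.GroupsClaim, e)
			}
			groups = append(groups, s)
		}
	default:
		return "", nil, fmt.Errorf("claim %q has unsupported type %T", names.GroupsClaim, g)
	}
	return email, groups, nil
}
```

Calling it with an auth0-style namespaced claim name such as `https://example.com/groups` and `upn` as the email claim shows how the configured names replace the defaults without touching the token itself.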
@FStelzer commented Dec 4, 2023

Thanks for this. I'll be able to test it in a few days.
This is also needed for O365/AD OIDC Auth when you should use userPrincipalName instead of email. The latter might be editable by the users themselves.

@IamTaoChen commented

#1934 I added a claims_map for this

Successfully merging this pull request may close these issues: [OIDC] Allowed_groups directive issue
3 participants