authelia/internal/handlers/oidc.go

package handlers

import (
	"github.com/ory/fosite"

	"github.com/authelia/authelia/v4/internal/model"
	"github.com/authelia/authelia/v4/internal/oidc"
	"github.com/authelia/authelia/v4/internal/session"
)

func oidcGrantRequests(ar fosite.AuthorizeRequester, consent *model.OAuth2ConsentSession, userSession *session.UserSession) (extraClaims map[string]interface{}) {
	extraClaims = map[string]interface{}{}

	for _, scope := range consent.GrantedScopes {
		if ar != nil {
			ar.GrantScope(scope)
		}

		switch scope {
		case oidc.ScopeGroups:
			extraClaims[oidc.ClaimGroups] = userSession.Groups
		case oidc.ScopeProfile:
			extraClaims[oidc.ClaimPreferredUsername] = userSession.Username
			extraClaims[oidc.ClaimDisplayName] = userSession.DisplayName
		case oidc.ScopeEmail:
			if len(userSession.Emails) != 0 {
				extraClaims[oidc.ClaimEmail] = userSession.Emails[0]
				if len(userSession.Emails) > 1 {
					extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]
				}
				// TODO (james-d-elliott): actually verify emails and record that information.
				extraClaims[oidc.ClaimEmailVerified] = true
			}
		}
	}

	if ar != nil {
		for _, audience := range consent.GrantedAudience {
			ar.GrantAudience(audience)
		}
	}

	return extraClaims
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package handlers`

			`import (`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`"github.com/ory/fosite"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
feat(oidc): implement amr claim (#2969) This adds the amr claim which stores methods used to authenticate with Authelia by the users session. 2022-04-01 11:18:58 +00:00			`"github.com/authelia/authelia/v4/internal/model"`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/oidc"`
			`"github.com/authelia/authelia/v4/internal/session"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`)`

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`func oidcGrantRequests(ar fosite.AuthorizeRequester, consent model.OAuth2ConsentSession, userSession session.UserSession) (extraClaims map[string]interface{}) {`
fix(oidc): make preferred_username a profile scope claim (#2930) This corrects an issue with the preferred_username which should be part of the profile scope as per https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims. Introduced in ddbb21a via #2829 2022-03-01 03:07:39 +00:00			`extraClaims = map[string]interface{}{}`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`for _, scope := range consent.GrantedScopes {`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`if ar != nil {`
			`ar.GrantScope(scope)`
			`}`

			`switch scope {`
			`case oidc.ScopeGroups:`
			`extraClaims[oidc.ClaimGroups] = userSession.Groups`
			`case oidc.ScopeProfile:`
fix(oidc): make preferred_username a profile scope claim (#2930) This corrects an issue with the preferred_username which should be part of the profile scope as per https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims. Introduced in ddbb21a via #2829 2022-03-01 03:07:39 +00:00			`extraClaims[oidc.ClaimPreferredUsername] = userSession.Username`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`extraClaims[oidc.ClaimDisplayName] = userSession.DisplayName`
			`case oidc.ScopeEmail:`
			`if len(userSession.Emails) != 0 {`
			`extraClaims[oidc.ClaimEmail] = userSession.Emails[0]`
			`if len(userSession.Emails) > 1 {`
fix(handlers): include preferred_username claim in meta (#2829) This includes the preferred_username claim in the meta. Also uses the consts for all the applicable claims and scopes. 2022-02-09 22:55:28 +00:00			`extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`}`
			`// TODO (james-d-elliott): actually verify emails and record that information.`
			`extraClaims[oidc.ClaimEmailVerified] = true`
			`}`
			`}`
			`}`

			`if ar != nil {`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`for _, audience := range consent.GrantedAudience {`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`ar.GrantAudience(audience)`
			`}`
			`}`

			`return extraClaims`
			`}`