From ddbb21af901e56c2ef0806b80f12c98fca4c6cb2 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Thu, 10 Feb 2022 09:55:28 +1100
Subject: [PATCH] fix(handlers): include preferred_username claim in meta (#2829)
This includes the preferred_username claim in the meta. Also uses the consts for all the applicable claims and scopes.
---
 docs/community/oidc-integrations.md | 42 +++++++++----------
 docs/configuration/identity-providers/oidc.md | 12 +++++-
 internal/handlers/handler_oidc_wellknown.go | 19 +++++----
 internal/handlers/oidc.go | 2 +-
 internal/handlers/oidc_test.go | 6 +--
 internal/oidc/const.go | 2 +-
 6 files changed, 47 insertions(+), 36 deletions(-)
diff --git a/docs/community/oidc-integrations.md b/docs/community/oidc-integrations.md
index e1f9245ac..9e199f97a 100644
--- a/docs/community/oidc-integrations.md
+++ b/docs/community/oidc-integrations.md
@@ -13,17 +13,17 @@ has_toc: false ## Currently Tested Applications -| Application | Minimal Version | Notes | -| :------------: | :----------------------------: | :-----: | -| Gitea | `1.14.6` | | -| GitLab | `13.0.0` | | -| Grafana | `8.0.5` | | -| Hashicorp Vault| `1.8.1` | | -| MinIO | `RELEASE.2021-11-09T03-21-45Z` | must set `MINIO_IDENTITY_OPENID_CLAIM_NAME: groups` in MinIO and set [MinIO policies] as groups in Authelia | -| Nextcloud | `22.1.0` | Tested using the `nextcloud-oidc-login` app - [Link](https://github.com/pulsejet/nextcloud-oidc-login)| -| Wekan | `5.41` | | -| Portainer CE | `2.6.1` | Settings to use username as ID: set `Scopes` to `openid` and `User Identifier` to `sub` | -| Bookstack | `21.10` | | +| Application | Minimal Version | Notes | +|:----------------:|:------------------------------:|:-----------------------------------------------------------------------------------------------------------:| +| Gitea | `1.14.6` | | +| GitLab | `13.0.0` | | +| Grafana | `8.0.5` | | +| Hashicorp Vault | `1.8.1` | | +| MinIO | `RELEASE.2021-11-09T03-21-45Z` | must set `MINIO_IDENTITY_OPENID_CLAIM_NAME: groups` in MinIO and set [MinIO policies] as groups in Authelia | +| Nextcloud | `22.1.0` | Tested using the `nextcloud-oidc-login` app - [Link](https://github.com/pulsejet/nextcloud-oidc-login) | +| Wekan | `5.41` | | +| Portainer CE | `2.6.1` | Settings to use username as ID: set `Scopes` to `openid` and `User Identifier` to `preferred_username` | +| Bookstack | `21.10` | | [MinIO policies]: https://docs.min.io/minio/baremetal/security/minio-identity-management/policy-based-access-control.html#minio-policy 
@@ -33,13 +33,13 @@ If you do not find the application in the list below, you will need to search fo `` needs to be substituted with the full URL on which the application runs on. If GitLab, as an example, was reachable under `https://gitlab.example.com`, `` would be exactly the same. -| Application | Version | Callback URL | Notes | -| :-----------: | :-----------------------------------: | :------------------------------------------------------: |:-----:| -| Gitea | `1.14.6` | `/user/oauth2/authelia/callback` |`ROOT_URL` in `[server]` section of `app.ini` must be configured correctly. Typically it is `/`. The string `authelia` in the callback url is the `Authentication Name` of the configured Authentication Source in Gitea (Authentication Type: OAuth2, OAuth2 Provider: OpenID Connect). -| GitLab | `14.0.1` | `/users/auth/openid_connect/callback` | | -| Hasicorp Vault| `14.0.1` | `/oidc/callback` and `/ui/vault/auth/oidc/oidc/callback` | | -| MinIO | `RELEASE.2021-07-12T02-44-53Z` | `/oauth_callback` | | -| Nextcloud | `22.1.0` + `nextcloud-oidc-login` app | `/apps/oidc_login/oidc` | | -| Wekan | `5.41` | `/_oauth_oidc` | | -| Portainer CE | `2.6.1` | `` | | -| Bookstack | `21.10` | `/oidc/callback` | | +| Application | Version | Callback URL | Notes | +|:---------------:|:-------------------------------------:|:------------------------------------------------------------------------:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| +| Gitea | `1.14.6` | `/user/oauth2/authelia/callback` | `ROOT_URL` in `[server]` section of `app.ini` must be configured correctly. Typically it is `/`. 
The string `authelia` in the callback url is the `Authentication Name` of the configured Authentication Source in Gitea (Authentication Type: OAuth2, OAuth2 Provider: OpenID Connect). | +| GitLab | `14.0.1` | `/users/auth/openid_connect/callback` | | +| Hasicorp Vault | `14.0.1` | `/oidc/callback` and `/ui/vault/auth/oidc/oidc/callback` | | +| MinIO | `RELEASE.2021-07-12T02-44-53Z` | `/oauth_callback` | | +| Nextcloud | `22.1.0` + `nextcloud-oidc-login` app | `/apps/oidc_login/oidc` | | +| Wekan | `5.41` | `/_oauth_oidc` | | +| Portainer CE | `2.6.1` | `` | | +| Bookstack | `21.10` | `/oidc/callback` | | \ No newline at end of file diff --git a/docs/configuration/identity-providers/oidc.md b/docs/configuration/identity-providers/oidc.md index a46b4f810..a72b3945a 100644 --- a/docs/configuration/identity-providers/oidc.md +++ b/docs/configuration/identity-providers/oidc.md @@ -114,7 +114,7 @@ for which stage will have each feature, and may evolve over time: General Availability after previous stages are vetted for bug fixes - misc + misc List of other features that may be implemented @@ -126,6 +126,15 @@ for which stage will have each feature, and may evolve over time: OpenID Connect Session Management 2 + + End-User Scope Grants 2 + + + Client RBAC 2 + + + Preferred Username Claim (implemented in 4.33.2) + @@ -133,6 +142,7 @@ for which stage will have each feature, and may evolve over time: ² _This individual feature has not been implemented as of yet_. + ## Configuration The following snippet provides a sample-configuration for the OIDC identity provider explaining each field in detail. diff --git a/internal/handlers/handler_oidc_wellknown.go b/internal/handlers/handler_oidc_wellknown.go index 2f42cc675..3582a45b8 100644 --- a/internal/handlers/handler_oidc_wellknown.go +++ b/internal/handlers/handler_oidc_wellknown.go 
@@ -51,11 +51,11 @@ func oidcWellKnown(ctx *middlewares.AutheliaCtx) {
 "fragment",
 },
 ScopesSupported: []string{
- "openid",
 "offline_access",
- "profile",
- "groups",
- "email",
+ oidc.ScopeOpenID,
+ oidc.ScopeProfile,
+ oidc.ScopeGroups,
+ oidc.ScopeEmail,
 },
 ClaimsSupported: []string{
 "aud",
@@ -67,11 +67,12 @@ func oidcWellKnown(ctx *middlewares.AutheliaCtx) {
 "sub",
 "auth_time",
 "nonce",
- "email",
- "email_verified",
- "alt_emails",
- "groups",
- "name",
+ oidc.ClaimEmail,
+ oidc.ClaimEmailVerified,
+ oidc.ClaimEmailAlts,
+ oidc.ClaimGroups,
+ oidc.ClaimPreferredUsername,
+ oidc.ClaimDisplayName,
 },
 RequestURIParameterSupported: false,
diff --git a/internal/handlers/oidc.go b/internal/handlers/oidc.go
index 65247fbaf..aa9c961e1 100644
--- a/internal/handlers/oidc.go
+++ b/internal/handlers/oidc.go
@@ -51,7 +51,7 @@ func oidcGrantRequests(ar fosite.AuthorizeRequester, scopes, audiences []string,
 if len(userSession.Emails) != 0 {
 extraClaims[oidc.ClaimEmail] = userSession.Emails[0]
 if len(userSession.Emails) > 1 {
- extraClaims[oidc.ClaimAltEmails] = userSession.Emails[1:]
+ extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]
 }
 // TODO (james-d-elliott): actually verify emails and record that information.
 extraClaims[oidc.ClaimEmailVerified] = true
diff --git a/internal/handlers/oidc_test.go b/internal/handlers/oidc_test.go
index 9e96f49d4..7a5041212 100644
--- a/internal/handlers/oidc_test.go
+++ b/internal/handlers/oidc_test.go
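Review bot: `"offline_access"` is the only entry of ScopesSupported still written as a string literal once this hunk switches its siblings to the `oidc.Scope*` constants, so the list is now half symbolic and half literal. If the oidc package already has a constant for that scope it should be used here; otherwise adding one alongside ScopeOpenID (a `ScopeOfflineAccess` in the same naming pattern) keeps the advertised scopes in one place. The reorder that now lists offline_access before openid is harmless, since ordering carries no meaning in the discovery document, but keeping openid first reads better. oidcWellKnown begins and ends outside this hunk.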
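Review bot: `"name"` is replaced by `oidc.ClaimDisplayName` in ClaimsSupported, but the value of that constant is not visible in this patch (the const.go hunk only shows lines 15–19), so it needs confirming that it really is "name"; if it is anything else the discovery document silently stops advertising the standard `name` claim. Adding `oidc.ClaimPreferredUsername` here changes only the metadata, and the visible oidc.go hunk covers the email block rather than where preferred_username is populated, so the claim should be checked to actually appear in the ID token or userinfo response when the profile scope is granted (oidc_test.go in this commit only exercises the email claims). Because preferred_username is not guaranteed unique or stable, a comment above the list such as `// preferred_username is informational; relying parties should key users on sub.` would help readers, particularly given the docs row in this same commit that suggests it as a user identifier. oidcWellKnown begins and ends outside this hunk.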
@@ -79,9 +79,9 @@ func TestShouldGrantAppropriateClaimsForScopeOpenIDAndEmail(t *testing.T) {
 require.Contains(t, extraClaims, oidc.ClaimEmail)
 assert.Equal(t, "j.smith@authelia.com", extraClaims[oidc.ClaimEmail])
- require.Contains(t, extraClaims, oidc.ClaimAltEmails)
- assert.Len(t, extraClaims[oidc.ClaimAltEmails], 1)
- assert.Contains(t, extraClaims[oidc.ClaimAltEmails], "admin@authelia.com")
+ require.Contains(t, extraClaims, oidc.ClaimEmailAlts)
+ assert.Len(t, extraClaims[oidc.ClaimEmailAlts], 1)
+ assert.Contains(t, extraClaims[oidc.ClaimEmailAlts], "admin@authelia.com")
 require.Contains(t, extraClaims, oidc.ClaimEmailVerified)
 assert.Equal(t, true, extraClaims[oidc.ClaimEmailVerified])
diff --git a/internal/oidc/const.go b/internal/oidc/const.go
index 6fae69575..b084a3b53 100644
--- a/internal/oidc/const.go
+++ b/internal/oidc/const.go
@@ -15,5 +15,5 @@ const (
 ClaimPreferredUsername = "preferred_username"
 ClaimEmail = "email"
 ClaimEmailVerified = "email_verified"
- ClaimAltEmails = "alt_emails"
+ ClaimEmailAlts = "alt_emails"
 )