Support userinfo endpoint for Generic OIDC SSO #5330

Open
hosht opened this issue Nov 12, 2024 · 2 comments
Labels: area/server, kind/enhancement (New feature or request)

Comments


hosht commented Nov 12, 2024

What would you like to be added:

If userInfoEndpoint is provided by property, I'd like the application to fetch claims by making a request to the userinfo endpoint.
Is it possible to implement this feature?

Why is this needed:

Hi, PipeCD dev team.
Since the release v0.49.0, I have been trying to configure SSO using Generic OIDC.
Our team is using Okta as an identity provider.
I'm encountering an issue where Okta doesn't seem to be returning custom claims within the ID token.
The Documentation says the following:

The full set of claims for the requested scopes is available via the /oauth2/v1/userinfo endpoint. Call this endpoint using the access token.

https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-dependent-claims-not-always-returned

It seems that the userInfoEndpoint property in SSOConfigOIDC isn't being used (authorizationEndpoint and tokenEndpoint too).
https://pipecd.dev/docs-v0.49.x/user-guide/managing-controlplane/configuration-reference/#ssoconfigoidc

These are additional references from Okta.
https://support.okta.com/help/s/article/How-To-Add-Custom-Profile-Attributes-As-Claims-In-a-ID-Token-or-userinfo?language=en_US
https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/userinfo

@hosht hosht added the kind/enhancement New feature or request label Nov 12, 2024

t-kikuc commented Nov 25, 2024

@hosht
Thank you for trying the SSO by OIDC!

Please wait some weeks until we support userInfoEndpoint. We're investigating the solution.
(authorizationEndpoint and tokenEndpoint will come later.)

> It seems that the userInfoEndpoint property in SSOConfigOIDC isn't being used (authorizationEndpoint and tokenEndpoint too).

As you mentioned, userInfoEndpoint, authorizationEndpoint, and tokenEndpoint are not used...

Probably we need to fix around here:

```go
func (c *OAuthClient) GetUser(ctx context.Context, clientId string) (*model.User, error) {
	idTokenRAW, ok := c.Token.Extra("id_token").(string)
	if !ok {
		return nil, fmt.Errorf("no id_token in oauth2 token")
	}
	verifier := c.Provider.Verifier(&oidc.Config{ClientID: clientId})
	idToken, err := verifier.Verify(ctx, idTokenRAW)
	if err != nil {
		return nil, err
	}
	var claims jwt.MapClaims
```
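The mechanism requested in this issue (fetch the remaining claims from the userinfo endpoint with the access token, after the ID token has been verified), as an added stand-alone example that is not PipeCD's code: `FetchUserInfoClaims` is a hypothetical helper using only the Go standard library, it assumes the caller passes the `sub` of the already-verified ID token, and it only accepts a JSON userinfo response (a signed `application/jwt` response would need separate verification). The `sub` comparison is the check OIDC Core requires before trusting userinfo claims for the logged-in user.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// FetchUserInfoClaims calls the userinfo endpoint with the bearer access token
// and returns the decoded claims. It refuses the response unless its "sub"
// equals the "sub" of the verified ID token (idTokenSub), so claims can never
// be attached to a different user than the one the ID token authenticated.
// (Hypothetical helper written for this example, not PipeCD's own code.)
func FetchUserInfoClaims(ctx context.Context, client *http.Client, userInfoEndpoint, accessToken, idTokenSub string) (map[string]interface{}, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, userInfoEndpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userinfo: unexpected status %d", resp.StatusCode)
	}
	// Only plain JSON is handled here; a signed/encrypted JWT body is rejected.
	if ct := resp.Header.Get("Content-Type"); !strings.HasPrefix(ct, "application/json") {
		return nil, fmt.Errorf("userinfo: unsupported content type %q", ct)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the body size
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	sub, _ := claims["sub"].(string)
	if sub == "" || sub != idTokenSub {
		return nil, errors.New("userinfo: sub does not match ID token sub")
	}
	return claims, nil
}
```

The ID token claims and the returned map can then be merged, with the ID token taking precedence for the standard claims it already carries.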

@kumo-rn5s (Contributor) commented:

@t-kikuc let me take a look
