From 1919cfdff38d0ac16493b0442e0c9df92e707b9e Mon Sep 17 00:00:00 2001 From: Matteo Saloni Date: Tue, 25 Jun 2019 10:50:55 +0200 Subject: [PATCH] Add option for checking group membership declared in JWT token --- authority/provisioner/oidc.go | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index 378c4be1..0b2e2700 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go @@ -33,12 +33,13 @@ func (c openIDConfiguration) Validate() error { // openIDPayload represents the fields on the id_token JWT payload. type openIDPayload struct { jose.Claims - AtHash string `json:"at_hash"` - AuthorizedParty string `json:"azp"` - Email string `json:"email"` - EmailVerified bool `json:"email_verified"` - Hd string `json:"hd"` - Nonce string `json:"nonce"` + AtHash string `json:"at_hash"` + AuthorizedParty string `json:"azp"` + Email string `json:"email"` + EmailVerified bool `json:"email_verified"` + Hd string `json:"hd"` + Nonce string `json:"nonce"` + Groups []string `json:"groups"` } // OIDC represents an OAuth 2.0 OpenID Connect provider. @@ -52,6 +53,7 @@ type OIDC struct { ConfigurationEndpoint string `json:"configurationEndpoint"` Admins []string `json:"admins,omitempty"` Domains []string `json:"domains,omitempty"` + Groups []string `json:"groups,omitempty"` Claims *Claims `json:"claims,omitempty"` configuration openIDConfiguration keyStore *keyStore @@ -187,6 +189,22 @@ func (o *OIDC) ValidatePayload(p openIDPayload) error { } } + // Filter by oidc group claim + if len(o.Groups) > 0 { + var found bool + for _, group := range o.Groups { + for _, g := range p.Groups { + if g == group { + found = true + break + } + } + } + if !found { + return errors.New("validation failed: invalid group") + } + } + return nil }