Comments (8)
Actually, I found a workaround by providing the --profile-url command line argument. For some reason I was assuming that there would be some auto-configuration magic with .well-known/openid-configuration, but whatever, I've got it working now ;)
from oauth2-proxy.
There might be situations where email is not provided at all (it is not mandatory); in that case it would be useful to default to the value of "sub" in the ID Token.
This would be a sensible improvement to make, but it is probably a fairly substantial change, so I'm gonna leave this as help-wanted for now and see if anyone picks it up. If not, I might have some time in the not too distant future.
So this appears to be working in the current version of oauth2_proxy. I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.
Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?
> I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.
Can you tell me which provider you use?
> Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?
I don't think we should be implementing case insensitivity when reading from IDTokens. OIDC tokens and userinfo endpoints encode data in JSON which is case sensitive. The OIDC Spec also lists the fields and their standard names that any provider should be using. I'd prefer not to have special logic for individual providers who are mis-implementing OIDC in the main codebase if possible.
@JoelSpeed It's an "internal", supposedly OpenID-compliant system.
I asked the people responsible for the setup, and there wasn't necessarily a reason that they set it up that way, they just did (and apparently didn't understand the whole OpenID spec and weren't thinking)... I had them add the email key (lowercase) to get us in compliance.
I wouldn't be asking for anything from the IDTokens to be changed, I agree wholeheartedly that nothing should be touched there.
Email from the userinfo endpoint was the only field I was even suggesting be case insensitive, and I totally understand why you wouldn't want to do that.
That said, a method to override a key name like email to something like eMail might add some flexibility for people like me who encounter brain-dead corporate setups (though I understand that it would be a low priority).
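The two suggestions in this thread (fall back to "sub" when no email claim is present, and let an operator name the claim that carries the email instead of matching case-insensitively) are small enough to show together. The following is an added example, not oauth2-proxy's own code; the function names, the claim-override parameter and the sample tokens are all made up here. The tokens are unsigned (alg "none") purely so the example runs offline, and the decoder deliberately performs no signature check, which a real proxy must do before trusting any claim.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// decodeIDTokenClaims returns the claims set of a compact JWT. It does NOT
// verify the signature: a real deployment must verify the token against the
// provider's JWKS before trusting anything in it. This helper only shows how
// the email / sub claims are located. (Hypothetical name, not oauth2-proxy's.)
func decodeIDTokenClaims(idToken string) (map[string]interface{}, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed id_token: expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("id_token payload is not base64url: %w", err)
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("id_token payload is not JSON: %w", err)
	}
	return claims, nil
}

// resolveUserID picks the identity to store in the session. emailClaim is the
// operator-configurable claim name (the "override the key name" idea); an
// empty value means the standard "email". The lookup is exact and therefore
// case sensitive, as JSON keys are. If that claim is absent or empty, the
// OIDC-mandatory "sub" claim is used instead of failing the login.
func resolveUserID(claims map[string]interface{}, emailClaim string) (string, error) {
	if emailClaim == "" {
		emailClaim = "email"
	}
	if v, ok := claims[emailClaim].(string); ok && v != "" {
		return v, nil
	}
	if sub, ok := claims["sub"].(string); ok && sub != "" {
		return sub, nil
	}
	return "", fmt.Errorf("id_token contains neither %q nor sub", emailClaim)
}

// makeSampleToken builds an unsigned (alg "none") token from a claims map so
// the example runs offline. Never accept such tokens in production.
func makeSampleToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}

func main() {
	// Constructed sample claim sets, not real provider output.
	samples := map[string]map[string]interface{}{
		"standard":   {"sub": "1001", "email": "alice@example.com"},
		"eMail-only": {"sub": "1002", "eMail": "bob@example.com"},
		"no-email":   {"sub": "1003"},
	}
	for name, claims := range samples {
		c, err := decodeIDTokenClaims(makeSampleToken(claims))
		if err != nil {
			fmt.Println(name, "decode error:", err)
			continue
		}
		id, err := resolveUserID(c, "")     // standard claim name
		alt, _ := resolveUserID(c, "eMail") // per-provider override
		fmt.Printf("%-10s default=%q (err=%v) override=%q\n", name, id, err, alt)
	}
}
```

The claims are decoded into a map on purpose: decoding into a struct with encoding/json would match field names case-insensitively, so an "eMail" key would be accepted silently, which is exactly the behaviour the maintainer above declines to add. With the map, the "eMail-only" sample resolves to its "sub" under the default claim name and to the address only when the operator explicitly names the claim.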
I'm trying to use JetBrains Hub and I'm getting the "Error redeeming code during OAuth2 callback: unable to update session: id_token did not contain an email" error.
I'm willing to do the work to get this fixed, I'm just not sure exactly what you all would be looking for here so some pointers would be cool.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.