Add support for extra claims to authproxy connector

Signed-off-by: Matt Pryor <matt@stackhpc.com>
dexidp · Nov 10, 2023 · 4cc9ac5 · 4cc9ac5
1 parent e41a28b
commit 4cc9ac5
Showing 1 changed file with 43 additions and 13 deletions.
diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go
@@ -19,33 +19,53 @@ import (
 // Headers retrieved to fetch user's email and group can be configured
 // with userHeader and groupHeader.
 type Config struct {
-	UserHeader  string   `json:"userHeader"`
-	GroupHeader string   `json:"groupHeader"`
-	Groups      []string `json:"staticGroups"`
+	UserIdHeader string   `json:"userIdHeader"`
+	UserHeader   string   `json:"userHeader"`
+	EmailHeader  string   `json:"emailHeader"`
+	GroupHeader  string   `json:"groupHeader"`
+	Groups       []string `json:"staticGroups"`
 }
 
 // Open returns an authentication strategy which requires no user interaction.
 func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
+	userIdHeader := c.UserIdHeader
+	if userIdHeader == "" {
+		userIdHeader = "X-Remote-User-Id"
+	}
 	userHeader := c.UserHeader
 	if userHeader == "" {
 		userHeader = "X-Remote-User"
 	}
+	emailHeader := c.EmailHeader
+	if emailHeader == "" {
+		emailHeader = "X-Remote-User-Email"
+	}
 	groupHeader := c.GroupHeader
 	if groupHeader == "" {
 		groupHeader = "X-Remote-Group"
 	}
 
-	return &callback{userHeader: userHeader, groupHeader: groupHeader, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
+	return &callback{
+		userIdHeader: userIdHeader,
+		userHeader:   userHeader,
+		emailHeader:  emailHeader,
+		groupHeader:  groupHeader,
+		groups:       c.Groups,
+		logger:       logger,
+		pathSuffix:   "/" + id,
+	}, nil
 }
 
 // Callback is a connector which returns an identity with the HTTP header
 // X-Remote-User as verified email.
 type callback struct {
-	userHeader  string
-	groupHeader string
-	groups      []string
-	logger      log.Logger
-	pathSuffix  string
+	userIdHeader string
+	userHeader   string
+	emailHeader  string
+	groupHeader  string
+	groups       []string
+	logger       log.Logger
+	pathSuffix   string
 }
 
 // LoginURL returns the URL to redirect the user to login with.
@@ -67,6 +87,14 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
 	if remoteUser == "" {
 		return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
 	}
+	remoteUserId := r.Header.Get(m.userIdHeader)
+	if remoteUserId == "" {
+		remoteUserId = remoteUser
+	}
+	remoteUserEmail := r.Header.Get(m.emailHeader)
+	if remoteUserEmail == "" {
+		remoteUserEmail = remoteUser
+	}
 	groups := m.groups
 	headerGroup := r.Header.Get(m.groupHeader)
 	if headerGroup != "" {
@@ -77,9 +105,11 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
 		groups = append(splitheaderGroup, groups...)
 	}
 	return connector.Identity{
-		UserID:        remoteUser, // TODO: figure out if this is a bad ID value.
-		Email:         remoteUser,
-		EmailVerified: true,
-		Groups:        groups,
+		UserID:            remoteUserId,
+		Username:          remoteUser,
+		PreferredUsername: remoteUser,
+		Email:             remoteUserEmail,
+		EmailVerified:     true,
+		Groups:            groups,
 	}, nil
 }