Comments (8)
Actually I found a work around by providing the --profile-url
command line argument. For some reason I was assuming that there would be some auto configuration magic with .well-known/openid-configuration
but whatever, I've got it working now ;)
from oauth2-proxy.
There might be situations where email is not provided at all (it is not mandatory), in that case it would be useful to default to the value of "sub" in the ID Token.
from oauth2-proxy.
This would be a sensible improvement to make but is probably a fairly substantial change, gonna leave this as help-wanted
for now and see if anyone picks it up. If not I might have some time in the not too distant future
from oauth2-proxy.
So this appears to be working in the current version of oauth2_proxy. I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.
Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?
from oauth2-proxy.
I did run into an odd issue, in that the "email" field was being sent as "eMail" for my local OpenID system.
Can you tell me which provider you use?
Would it be possible (and I'll open a new issue if needed, didn't open one now to avoid issue clutter) to make that match case insensitive?
I don't think we should be implementing case insensitivity when reading from IDTokens. OIDC tokens and userinfo endpoints encode data in JSON which is case sensitive. The OIDC Spec also lists the fields and their standard names that any provider should be using. I'd prefer not to have special logic for individual providers who are mis-implementing OIDC in the main codebase if possible.
from oauth2-proxy.
@JoelSpeed It's an "internal" supposedly Open ID compliant system.
I asked the people responsible for the setup, and there wasn't necessarily a reason that they set it up that way, they just did (and apparently didn't understand the whole Open ID spec and weren't thinking)... I had them add the email
key (lowercase) to get us in compliance.
I wouldn't be asking for anything from the IDTokens to be changed, I agree wholeheartedly that nothing should be touched there.
Email from the userinfo endpoint was the only field I was even suggesting be case insensitive, and I totally understand why you wouldn't want to do that.
That said, a method to override a keyname like email
to something like eMail
might add some flexibility for people like me who encounter brain dead corporate setups (though I understand that it would be a low priority).
from oauth2-proxy.
I'm trying to use jetbrains hub and I'm getting the Error redeeming code during OAuth2 callback: unable to update session: id_token did not contain an email
error.
I'm willing to do the work to get this fixed, I'm just not sure exactly what you all would be looking for here so some pointers would be cool.
from oauth2-proxy.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.
Related Issues (20)
- [Bug]: Not routing back to original Host (if not previously logged-in)
- [Feature]: [OIDC] Add a configuration to skip id_token expiration verification
- [Feature]: Allow entire YAML config via environment variable
- [Feature]: Docker: Add HEALTHCHECK command HOT 4
- [Bug]: Distroless docker container is unable to use unix domain socket. HOT 2
- [Bug]: Broken content-type in v7.6.0 (probably a breaking change from v7.4.0) HOT 2
- [Support]: oauth2-proxy running on a system behind a port-forwarding firewall
- [Feature]: Support for Redis alternatives HOT 6
- [Feature]: Implement CSRF token validation on oauth2-proxy
- [Bug]:/internal-auth/oauth2/auth not working HOT 1
- [Support]: show login screen instead of automatically redirecting to oAuth provider HOT 2
- [Bug]: Possible README Inaccuracy HOT 7
- [Support]: Can not get X-Auth-Request-Email and X-Auth-Request-User
- [Support]: Synology basic reverse proxy and sso server => oauth2-proxy => another docker application to protect by auth HOT 1
- [Support]: Getting CRSF cookie or cookie limit 4kb error HOT 2
- [Feature]: auto refresh token HOT 5
- "403: You do not have permission to access this resource." but only for some users HOT 1
- [Bug]: Docs - htpasswd-file description does not mention SHA1 encryption HOT 2
- [Bug]: 500 (Internal Server Error) on invalid cookie
- [Bug]: Infinite loop if the Csrf cookie is set twice
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth2-proxy.