Added support for email_verified being a string or bool #1744

Merged
merged 1 commit into from
Jul 30, 2024
27 changes: 27 additions & 0 deletions pkg/identity/email/principal_test.go
Expand Up @@ -87,6 +87,33 @@ func TestPrincipalFromIDToken(t *testing.T) {
},
WantErr: false,
},
`String email verified value`: {
Claims: map[string]interface{}{
"aud": "sigstore",
"iss": "https://dex.other.com",
"sub": "doesntmatter",
"email": "alice@example.com",
"email_verified": "true",
"federated": map[string]string{
"issuer": "https://example.com",
},
},
Config: config.FulcioConfig{
OIDCIssuers: map[string]config.OIDCIssuer{
"https://dex.other.com": {
IssuerURL: "https://dex.other.com",
IssuerClaim: "$.federated.issuer",
Type: config.IssuerTypeEmail,
ClientID: "sigstore",
},
},
},
ExpectedPrincipal: principal{
issuer: "https://example.com",
address: "alice@example.com",
},
WantErr: false,
},
`Custom issuer claim missing`: {
Claims: map[string]interface{}{
"aud": "sigstore",
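Review bot: The new table entry at `String email verified value` only pins the accepting side of the string mapping (`"email_verified": "true"`); no case checks the string `"false"` or an unrecognized value such as `"yes"`, so a regression that treated every string as verified would still pass. Adding one entry with `"email_verified": "false"` and one with an unparseable string would exercise the rejecting paths; the expected outcome for an unverified address depends on principal code outside this hunk, so set `WantErr` to match whatever the existing bool `false` case asserts. TestPrincipalFromIDToken starts and ends outside the hunk.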
20 changes: 17 additions & 3 deletions pkg/oauthflow/oidc.go
Expand Up @@ -23,11 +23,25 @@ import (
"github.com/coreos/go-oidc/v3/oidc"
)

type stringAsBool bool

func (sb *stringAsBool) UnmarshalJSON(b []byte) error {
switch string(b) {
case "true", `"true"`, "True", `"True"`:
*sb = true
case "false", `"false"`, "False", `"False"`:
*sb = false
default:
return errors.New("invalid value for boolean")
}
return nil
}

func EmailFromIDToken(token *oidc.IDToken) (string, bool, error) {
// Extract custom claims
var claims struct {
Email string `json:"email"`
Verified bool `json:"email_verified"`
Email string `json:"email"`
Verified stringAsBool `json:"email_verified"`
}
if err := token.Claims(&claims); err != nil {
return "", false, err
Expand All @@ -36,7 +50,7 @@ func EmailFromIDToken(token *oidc.IDToken) (string, bool, error) {
return "", false, errors.New("token missing email claim")
}

return claims.Email, claims.Verified, nil
return claims.Email, bool(claims.Verified), nil
}

func IssuerFromIDToken(token *oidc.IDToken, claimJSONPath string) (string, error) {
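Review bot: The new `stringAsBool.UnmarshalJSON` changes how a JSON `null` for `email_verified` is handled: encoding/json passes the `null` token to a non-pointer Unmarshaler, so a token carrying `"email_verified": null` now makes `token.Claims` fail with "invalid value for boolean", whereas the previous plain `bool` field was simply left unverified (false). Failing closed is a reasonable choice for a verification claim, but it should be deliberate and the error should name the claim so operators can diagnose rejected tokens, e.g. `return errors.New("invalid value for email_verified claim")`. The unquoted `True`/`False` cases in the switch are unreachable, since encoding/json only hands UnmarshalJSON a valid JSON token and rejects bare `True` before it is called; dropping them keeps the accepted set explicit. Add a doc comment on the type: `// stringAsBool decodes email_verified either as a JSON bool or as the strings "true"/"false", which some providers emit; any other value is rejected.`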