
Add possibility to configure the "claims" query parameter in the auth_url of OIDC providers to request individual id_token claims #735

Closed
NickUfer opened this issue Oct 4, 2020 · 6 comments
Labels
feat New feature or request. good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one. package/selfservice/oidc Affects the OpenID Connect Self Service Strategy

Comments

@NickUfer
Contributor

NickUfer commented Oct 4, 2020

Is your feature request related to a problem? Please describe.

I tried to configure https://twitch.tv/ as an OIDC provider, but the id_token does not contain the email or email_verified fields by default which I want to use. These fields are only present when the request to the authorization endpoint contains the claims query parameter with the value {"id_token":{"email":null, "email_verified":null}}. The claims parameter is by default optional, but you have to explicitly set the parameter at twitch to get both fields.

Therefore it would be nice to be able to configure a provider to request specific claims in an id_token.

Specification: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

Describe the solution you'd like

The URL should contain the claims parameter if one is configured. Example: https://id.twitch.tv/oauth2/authorize?claims={"id_token":{"email":null,"email_verified":null}}&client_id=any_client_id&redirect_uri=http://127.0.0.1:7001/redirect&response_type=code&scope=openid+user:read:email&state=any_state

The configuration could simply look like this:

strategies:
  oidc:
    enabled: true
    config:
      providers:
        - id: twitch
          provider: generic
          client_id: any_client_id
          client_secret: any_secret
          mapper_url: file:///etc/config/kratos/oidc.twitch.jsonnet
          issuer_url: https://id.twitch.tv/oauth2
          token_url: https://id.twitch.tv/oauth2/token
          scope:
            - openid
            - 'user:read:email' # required in the near future for email and email_verified claims
          requested_claims: '{"id_token":{"email":null,"email_verified":null}}'
@NickUfer NickUfer changed the title Add possibility to configure "claims" query parameter in OIDC provider auth url Add possibility to configure the "claims" query parameter in the auth_url of OIDC providers Oct 4, 2020
@NickUfer NickUfer changed the title Add possibility to configure the "claims" query parameter in the auth_url of OIDC providers Add possibility to configure the "claims" query parameter in the auth_url of OIDC providers to request individual id_token claims Oct 4, 2020
@NickUfer
Contributor Author

NickUfer commented Oct 4, 2020

I've just looked at the code and it seems to be relatively easy to implement... adding a new field in the Configuration struct used by each provider and adding the claims AuthURLParam in provider_generic_oidc.go's AuthCodeURLOptions function when it is not an empty string, correct?

If that's the case or something similar then I could create a PR if that's okay. I'm by the way new to go, trying to learn it (currently on day 4).
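
An added example of the hook described in the comment above, written here for illustration and not taken from Kratos or from any PR in this thread: it validates a configured requested_claims string against the shape OpenID Connect Core 1.0 section 5.5 defines and appends the claims parameter to the authorization URL only when one is set, using the Go standard library only. The Configuration field names (AuthURL, ClientID, RedirectURI, Scope, RequestedClaims) and the state argument are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Provider fields used here; RequestedClaims is the new field proposed in this
// issue. All names are assumed for the example, not Kratos's own.
type Configuration struct {
	AuthURL, ClientID, RedirectURI, RequestedClaims string
	Scope                                           []string
}

// ValidateRequestedClaims enforces OpenID Connect Core 1.0 section 5.5: a JSON object
// whose "id_token"/"userinfo" members map claim names to null or to a request object
// such as {"essential":true}; unknown top-level members are ignored, as the spec says.
func ValidateRequestedClaims(raw string) error {
	var req struct {
		IDToken  map[string]json.RawMessage `json:"id_token"`
		UserInfo map[string]json.RawMessage `json:"userinfo"`
	}
	if err := json.Unmarshal([]byte(raw), &req); err != nil {
		return fmt.Errorf("requested_claims has the wrong shape: %w", err)
	}
	for member, claims := range map[string]map[string]json.RawMessage{"id_token": req.IDToken, "userinfo": req.UserInfo} {
		for name, spec := range claims {
			if s := strings.TrimSpace(string(spec)); s != "null" && !strings.HasPrefix(s, "{") {
				return fmt.Errorf("requested_claims.%s.%s must be null or an object", member, name)
			}
		}
	}
	return nil
}

// AuthCodeURL builds the authorization request and appends "claims" only when one
// is configured, as proposed above; url.Values.Encode percent-encodes the JSON.
func AuthCodeURL(c Configuration, state string) (string, error) {
	q := url.Values{"response_type": {"code"}, "client_id": {c.ClientID},
		"redirect_uri": {c.RedirectURI}, "scope": {strings.Join(c.Scope, " ")}, "state": {state}}
	if c.RequestedClaims != "" {
		if err := ValidateRequestedClaims(c.RequestedClaims); err != nil {
			return "", err // reject a malformed value instead of sending it on every login
		}
		q.Set("claims", c.RequestedClaims)
	}
	return c.AuthURL + "?" + q.Encode(), nil
}
```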

@aeneasr
Member

aeneasr commented Oct 6, 2020

Hey, yeah - this makes sense to me! Is the claims format always an unstructured JSON?

@aeneasr aeneasr added feat New feature or request. package/selfservice/oidc Affects the OpenID Connect Self Service Strategy corp/next and removed feat New feature or request. labels Oct 6, 2020
@aeneasr aeneasr added this to the v0.6.0-alpha.1 milestone Oct 6, 2020
@aeneasr aeneasr added good first issue A good issue to tackle when being a novice to the project. help wanted We are looking for help on this one. labels Oct 6, 2020
@NickUfer
Contributor Author

NickUfer commented Oct 6, 2020

Yes it is always. The claims can also be different for each provider.

@aeneasr
Member

aeneasr commented Oct 6, 2020

Ok, then I think the proposal makes sense! Would you be open to contribute this?

@NickUfer
Contributor Author

NickUfer commented Oct 6, 2020

Sure!

@aeneasr
Member

aeneasr commented Oct 7, 2020

Nice! :)
