-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check for sub
claim, not username
, when validating
#310
base: master
Are you sure you want to change the base?
Conversation
GitHub doesn't provide username, createdon, lastupdate, or sub in the user info JSON it returns.
Not all IdPs provide a `username` or `email` claim in the UserInfo response, and many IdPs allow users to change their username or email address. Co-authored-by: Benjamin Foote <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When using this code in my setup, I was able to solve the exact problem described in #309, so thank you!
@rhansen I think that there should also be a check here for preferred_username which is the defined claim in OIDC per: https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims sub should always be the "primary key" but preferred_username is the correct username claim to use, and then you should fall back to username if preferred_username was not presented. |
From the openid spec about the
This is meant for display purposes, but not meant to differentiate between accounts. This is not at all the same as |
I ... mentioned that. sub is the primary key, and preferred username is for display. |
Unless I'm horribly out of date, Vouch doesn't have the concept of a display username, so it should never use |
@aaronpk that's correct, VP does not utilize |
From my experience though, Vouch does however expect a generic OIDC provider to return 'Username' in order to evaluate things such as its username 'whitelist', which is equally as wrong. This is overridden for certain specific vendor OPs supported in Vouch, but not for the generic provider. In my own OP, the claim is called something like The best solution would be to allow specifying the claim param that is to be treated as the Username. As has been mentioned here, the technically-correct value per the spec is that of the 'sub'. But in practical terms, for things like 'whitelist' or other evaluations on a 'human friendly' name, it would be good to be able to configure it. Apache's mod_authz_openid for example lets you do |
Hello. I would like to use vouch-proxy but seeing this open since Aug 12, 2020 is sort of blocking for me. Is there any plan on how to address the issue? |
Not all IdPs provide a
username
oremail
claim in the UserInfo response.This is a partial fix to #309. A more complete fix would:
sub
andiss
for whitelisting instead ofusername
. (Or at least addsub
+iss
filtering as a separate option, and add warnings tousername
whitelisting that explain its security flaws.)iss
fromid_token
and save it instructs.User
andjwtmanager.VouchClaims
.