fix: User OIDC standard claims, if mapping is ambiguous
With #1925 there was already a fix, however using custom claims can still lead to error situations. With this fix, those error situations are prevented if standard claims are present in the id_token, e.g. name is an array with different values but family_name and given_name are also in the token as strings. This fix is for the OIDC IdP integration, therefore it makes sense to also use OIDC standard claims as a fallback.
Showing
2 changed files
with
76 additions
and
16 deletions.
@@ -429,4 +429,41 @@ public void getUser_doesThrowWhenIdTokenMappingIsWrongType() { | |
ExternalOAuthCodeToken oidcAuthentication = new ExternalOAuthCodeToken(null, origin, "http://google.com", idTokenJwt, "accesstoken", "signedrequest"); | ||
authManager.getUser(oidcAuthentication, authManager.getExternalAuthenticationDetails(oidcAuthentication)); | ||
} | ||
|
||
@Test | ||
public void getUser_doesNotThrowWhenIdTokenMappingIsArrayButAlsoOidcStandardClaims() { | ||
Map<String, Object> header = map( | ||
entry(HeaderParameterNames.ALGORITHM, JWSAlgorithm.HS256.getName()), | ||
entry(HeaderParameterNames.KEY_ID, OIDC_PROVIDER_KEY) | ||
); | ||
Signer signer = new RsaSigner(oidcProviderTokenSigningKey); | ||
Map<String, Object> claims = map( | ||
entry("family_name", "Foo"), | ||
entry("given_name", "Bar"), | ||
entry("email", "[email protected]"), | ||
entry("external_family_name", Arrays.asList("foo", "Foo")), | ||
entry("external_given_name", Arrays.asList("bar", "Bar")), | ||
entry(ISS, oidcConfig.getIssuer()), | ||
entry(AUD, "uaa-relying-party"), | ||
entry(EXPIRY_IN_SECONDS, ((int) (System.currentTimeMillis()/1000L)) + 60), | ||
entry(SUB, "abc-def-asdf") | ||
); | ||
Map<String, Object> externalGroupMapping = map( | ||
entry(FAMILY_NAME_ATTRIBUTE_NAME, "external_family_name"), | ||
entry(ExternalIdentityProviderDefinition.GIVEN_NAME_ATTRIBUTE_NAME, "external_given_name"), | ||
entry(ExternalIdentityProviderDefinition.EMAIL_ATTRIBUTE_NAME, "external_email"), | ||
entry(ExternalIdentityProviderDefinition.PHONE_NUMBER_ATTRIBUTE_NAME, "external_phone") | ||
); | ||
oidcConfig.setAttributeMappings(externalGroupMapping); | ||
provider.setConfig(oidcConfig); | ||
IdentityZoneHolder.get().getConfig().getTokenPolicy().setKeys(Collections.singletonMap("uaa-key", uaaIdentityZoneTokenSigningKey)); | ||
String idTokenJwt = UaaTokenUtils.constructToken(header, claims, signer); | ||
|
||
ExternalOAuthCodeToken oidcAuthentication = new ExternalOAuthCodeToken(null, origin, "http://google.com", idTokenJwt, "accesstoken", "signedrequest"); | ||
UaaUser uaaUser = authManager.getUser(oidcAuthentication, authManager.getExternalAuthenticationDetails(oidcAuthentication)); | ||
assertNotNull(uaaUser); | ||
assertEquals("Bar", uaaUser.getGivenName()); | ||
assertEquals("Foo", uaaUser.getFamilyName()); | ||
assertEquals("[email protected]", uaaUser.getEmail()); | ||
} | ||
} |
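Review bot: The multi-valued fallback is only exercised for family_name and given_name; the email assertion `assertEquals("[email protected]", uaaUser.getEmail());` passes because the mapped `external_email` claim is simply absent from the token, not because it is ambiguous, so the array-to-standard-claim fallback for email is unverified (the same holds for `external_phone`, which is mapped but never present or asserted). Adding a multi-valued `external_email` entry to `claims` next to the standard `email` string would pin the behavior the commit message describes for that attribute too. The method name says "doesNotThrow" but the body asserts concrete values, so a short Javadoc would help readers: `/** Mapped claims that resolve to multi-valued arrays must fall back to the OIDC standard claims (family_name, given_name, email) when those are present as strings. */`. Whether the no-fallback path (ambiguous mapping and no standard claim) still throws is presumably covered by `getUser_doesThrowWhenIdTokenMappingIsWrongType`, but its fixture is outside the hunk, so that cannot be confirmed here.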