Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
1f253190
Commit
1f253190
authored
Mar 21, 2018
by
rithu john
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
oidc authentication: email_verified claim is not required for JWT validation
parent
6c96dfd8
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
43 additions
and
8 deletions
+43
-8
oidc.go
....io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
+18
-7
oidc_test.go
...piserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
+25
-1
No files found.
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
View file @
1f253190
...
@@ -284,14 +284,18 @@ func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error)
...
@@ -284,14 +284,18 @@ func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error)
}
}
if
a
.
usernameClaim
==
"email"
{
if
a
.
usernameClaim
==
"email"
{
//
Check the email_verified claim to
ensure the email is valid.
//
If the email_verified claim is present,
ensure the email is valid.
// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
var
emailVerified
bool
if
hasEmailVerified
:=
c
.
hasClaim
(
"email_verified"
);
hasEmailVerified
{
if
err
:=
c
.
unmarshalClaim
(
"email_verified"
,
&
emailVerified
);
err
!=
nil
{
var
emailVerified
bool
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: parse 'email_verified' claim: %v"
,
err
)
if
err
:=
c
.
unmarshalClaim
(
"email_verified"
,
&
emailVerified
);
err
!=
nil
{
}
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: parse 'email_verified' claim: %v"
,
err
)
if
!
emailVerified
{
}
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: email not verified"
)
// If the email_verified claim is present we have to verify it is set to `true`.
if
!
emailVerified
{
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: email not verified"
)
}
}
}
}
}
...
@@ -347,3 +351,10 @@ func (c claims) unmarshalClaim(name string, v interface{}) error {
...
@@ -347,3 +351,10 @@ func (c claims) unmarshalClaim(name string, v interface{}) error {
}
}
return
json
.
Unmarshal
([]
byte
(
val
),
v
)
return
json
.
Unmarshal
([]
byte
(
val
),
v
)
}
}
func
(
c
claims
)
hasClaim
(
name
string
)
bool
{
if
_
,
ok
:=
c
[
name
];
!
ok
{
return
false
}
return
true
}
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
View file @
1f253190
...
@@ -287,7 +287,7 @@ func TestToken(t *testing.T) {
...
@@ -287,7 +287,7 @@ func TestToken(t *testing.T) {
wantErr
:
true
,
wantErr
:
true
,
},
},
{
{
// If "email_verified" isn't present, assume
fals
e
// If "email_verified" isn't present, assume
tru
e
name
:
"no-email-verified-claim"
,
name
:
"no-email-verified-claim"
,
options
:
Options
{
options
:
Options
{
IssuerURL
:
"https://auth.example.com"
,
IssuerURL
:
"https://auth.example.com"
,
...
@@ -305,6 +305,30 @@ func TestToken(t *testing.T) {
...
@@ -305,6 +305,30 @@ func TestToken(t *testing.T) {
"email": "jane@example.com",
"email": "jane@example.com",
"exp": %d
"exp": %d
}`
,
valid
.
Unix
()),
}`
,
valid
.
Unix
()),
want
:
&
user
.
DefaultInfo
{
Name
:
"jane@example.com"
,
},
},
{
name
:
"invalid-email-verified-claim"
,
options
:
Options
{
IssuerURL
:
"https://auth.example.com"
,
ClientID
:
"my-client"
,
UsernameClaim
:
"email"
,
now
:
func
()
time
.
Time
{
return
now
},
},
signingKey
:
loadRSAPrivKey
(
t
,
"testdata/rsa_1.pem"
,
jose
.
RS256
),
pubKeys
:
[]
*
jose
.
JSONWebKey
{
loadRSAKey
(
t
,
"testdata/rsa_1.pem"
,
jose
.
RS256
),
},
// string value for "email_verified"
claims
:
fmt
.
Sprintf
(
`{
"iss": "https://auth.example.com",
"aud": "my-client",
"email": "jane@example.com",
"email_verified": "false",
"exp": %d
}`
,
valid
.
Unix
()),
wantErr
:
true
,
wantErr
:
true
,
},
},
{
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment