From 5292aea89e15bf24f32b2cc3bd230b8d95ae2cf3 Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Fri, 19 Apr 2019 13:07:06 +0800
Subject: [PATCH] Skip verifying OIDC token for local user
If a user does not have OIDC meta data in DB, it means he's not onboarded via OIDC authn, hence, we should not check the token.
Signed-off-by: Daniel Jiang
---
 src/core/filter/security.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/core/filter/security.go b/src/core/filter/security.go
index 27e9faa80..f09a562c6 100644
--- a/src/core/filter/security.go
+++ b/src/core/filter/security.go
@@ -467,9 +467,12 @@ func (s *sessionReqCtxModifier) Modify(ctx *beegoctx.Context) bool {
 log.Errorf("Failed to get OIDC user info, error: %v", err)
 return false
 }
- if err := oidc.VerifyAndPersistToken(ctx.Request.Context(), ou); err != nil {
- log.Errorf("Failed to verify secret, error: %v", err)
- return false
+ if ou != nil { // If user does not have OIDC metadata, it means he is not onboarded via OIDC authn,
+ // so we can skip checking the token.
+ if err := oidc.VerifyAndPersistToken(ctx.Request.Context(), ou); err != nil {
+ log.Errorf("Failed to verify secret, error: %v", err)
+ return false
+ }
 }
 }
 log.Debug("using local database project manager")
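Review bot: The new `if ou != nil` guard fails open: the absence of an OIDC metadata row is treated as proof that the session user is a local account, so any other cause of a nil `ou` (a deleted or not-yet-written row, or a lookup that returns nil without an error; the lookup is outside this hunk, so this is inferred) also skips `oidc.VerifyAndPersistToken`. If the user record carries a positive indication of how the account was onboarded, deciding on that would be safer than deciding on missing data. At minimum the skip should be visible in the logs, e.g. `} else { log.Debug("no OIDC metadata for session user, skipping token verification") }`. The explanatory comment would also read better on its own line above the `if`, stating that assumption explicitly. Modify's body starts and ends outside the hunk.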