Username from /userinfo (#14038)

This patch enables Harbor to receive the username from the /userinfo endpoint
instead of only from the ID token.

Closes #14037

Signed-off-by: Sven Haardiek <sven@haardiek.de>
Sven Haardiek 2021-01-22 11:48:53 +01:00 committed by GitHub
parent f013d88efc
commit b2fe254974
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -264,6 +264,10 @@ func UserInfoFromToken(ctx context.Context, token *Token) (*UserInfo, error) {
if err != nil { if err != nil {
log.Warningf("Failed to get userInfo by calling remote userinfo endpoint, error: %v ", err) log.Warningf("Failed to get userInfo by calling remote userinfo endpoint, error: %v ", err)
} }
if setting.UserClaim != "" && local.Username == "" && remote.Username == "" {
return nil, fmt.Errorf("OIDC. Failed to recover Username from claim. Claim '%s' is invalid or not a string", setting.UserClaim)
}
if remote != nil && local != nil { if remote != nil && local != nil {
if remote.Subject != local.Subject { if remote.Subject != local.Subject {
return nil, fmt.Errorf("the subject from userinfo: %s does not match the subject from ID token: %s, probably a security attack happened", remote.Subject, local.Subject) return nil, fmt.Errorf("the subject from userinfo: %s does not match the subject from ID token: %s, probably a security attack happened", remote.Subject, local.Subject)
@ -338,11 +342,11 @@ func userInfoFromClaims(c claimsProvider, setting models.OIDCSetting) (*UserInfo
return nil, err return nil, err
} }
username, ok := allClaims[setting.UserClaim].(string) if username, ok := allClaims[setting.UserClaim].(string); ok {
if !ok { res.Username = username
return nil, fmt.Errorf("OIDC. Failed to recover Username from claim. Claim '%s' is invalid or not a string", setting.UserClaim) } else {
log.Warningf("OIDC. Failed to recover Username from claim. Claim '%s' is invalid or not a string", setting.UserClaim)
} }
res.Username = username
} }
res.Groups, res.hasGroupClaim = groupsFromClaims(c, setting.GroupsClaim) res.Groups, res.hasGroupClaim = groupsFromClaims(c, setting.GroupsClaim)
if len(setting.AdminGroup) > 0 { if len(setting.AdminGroup) > 0 {
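Review bot: The new username check in the first hunk (`local.Username == "" && remote.Username == ""`) dereferences both pointers unconditionally, while the guard three lines below it (`remote != nil && local != nil`) shows that either `remote` or `local` can be nil at this point, and the warning just above only logs when the userinfo call fails. A failed /userinfo request therefore presumably leaves `remote` nil and turns a transient IdP or misconfigured-endpoint problem into a nil-pointer panic on the login path instead of a returned error. Guarding the nil case keeps the intended semantics: `if setting.UserClaim != "" && (local == nil || local.Username == "") && (remote == nil || remote.Username == "") {`. The error text on the following line ("is invalid or not a string") no longer describes the condition now that it fires when the claim is empty in both sources; something like `"OIDC. Failed to recover Username from claim '%s': not present in ID token or userinfo response"` would be more accurate. UserInfoFromToken both starts and ends outside that hunk, and userInfoFromClaims in the second hunk continues past the visible lines.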