vouch-proxy: ADFS custom claims sending X-Vouch-IdP-Claims-xx headers do not work

Adding custom claims on ADFS and configuring Vouch to send them didn’t work. After debugging we found that in handlers/handlers.go the custom claims are not found.

Inside this function in handlers/handlers.go:

```go
func getUserInfoFromADFS(r *http.Request, user *structs.User, customClaims *structs.CustomClaims, ptokens *structs.PTokens) (rerr error) {
	// ...
	req, err := http.NewRequest("POST", cfg.GenOAuth.TokenURL, strings.NewReader(formData.Encode()))
	// ...
	ptokens.PAccessToken = string(tokenRes.AccessToken)
	ptokens.PIdToken = string(tokenRes.IDToken)
	// ...
```

After this request, data contains the complete reply from ADFS:

```json
{"access_token":"eyJ0e.....xzuZ_TQ","token_type":"bearer","expires_in":3600,"resource":"http://a.b.intern/auth","refresh_token":"aZGO18.........1HSfEw","refresh_token_expires_in":28799,"scope":"openid","id_token":"eyJ0eX.....kvIRuKNG-FhH8CzA"}
```

```go
if err = mapClaims(data, customClaims); err != nil {
```

mapClaims searches “data” for the custom claims but doesn’t find them; in the previous commit there was only a check of the idToken part:

```go
if err = mapClaims([]byte(idToken), user); err != nil {
```

In our situation the custom claims are supplied in the accessToken. After changing the code to use accessToken, the custom claims and the X-Vouch-IdP-Claims-xx headers are working:

```go
if err = mapClaims([]byte(accessToken), user); err != nil {
```

Before submitting a merge request I would like to address this issue and understand why “data” is used in the last commit.
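The following is an added example, not vouch-proxy's own code, that reproduces the situation described in this issue: an ADFS-style token reply whose id_token carries only the standard OIDC claims while the custom claims live in the access_token. It decodes the payload of both tokens and reports which token supplied each requested claim, which is exactly the question the mapClaims change turns on. All names (tokenResponse, jwtPayload, collectCustomClaims, unsignedJWT, sampleResponse) are hypothetical, and the sample tokens are constructed with an empty signature segment so the program runs offline; real ADFS tokens are signed, and claims must only be read from a token whose signature has been verified first.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenResponse mirrors the fields of the ADFS token-endpoint reply quoted in the issue.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"`
}

// jwtPayload decodes the payload segment of a compact JWS. It does NOT verify the
// signature: only pass tokens whose signature has already been checked.
func jwtPayload(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return claims, nil
}

// collectCustomClaims returns the wanted claims found across the id_token and the
// access_token (id_token wins when both carry a claim) and records which token supplied
// each one, so a missing X-Vouch-IdP-Claims-* header can be traced to its source token.
func collectCustomClaims(res tokenResponse, wanted []string) (values map[string]interface{}, source map[string]string, err error) {
	values = map[string]interface{}{}
	source = map[string]string{}
	for _, tok := range []struct{ name, jwt string }{{"id_token", res.IDToken}, {"access_token", res.AccessToken}} {
		if tok.jwt == "" {
			continue
		}
		claims, perr := jwtPayload(tok.jwt)
		if perr != nil {
			return nil, nil, fmt.Errorf("%s: %w", tok.name, perr)
		}
		for _, name := range wanted {
			if v, ok := claims[name]; ok {
				if _, seen := values[name]; !seen {
					values[name] = v
					source[name] = tok.name
				}
			}
		}
	}
	var missing []string
	for _, name := range wanted {
		if _, ok := values[name]; !ok {
			missing = append(missing, name)
		}
	}
	if len(missing) > 0 {
		return values, source, fmt.Errorf("claims not found in id_token or access_token: %s", strings.Join(missing, ", "))
	}
	return values, source, nil
}

// unsignedJWT builds a constructed test token with an empty signature segment. It exists
// only so this example runs offline; it is not how an IdP issues tokens.
func unsignedJWT(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}

// sampleResponse is a constructed reply in the shape of the issue's ADFS reply: the
// id_token carries only standard OIDC claims, the access_token carries the custom ones.
func sampleResponse() tokenResponse {
	return tokenResponse{
		TokenType:   "bearer",
		Scope:       "openid",
		IDToken:     unsignedJWT(map[string]interface{}{"sub": "jdoe", "email": "jdoe@example.test", "aud": "http://a.b.intern/auth"}),
		AccessToken: unsignedJWT(map[string]interface{}{"sub": "jdoe", "groups": []string{"vpn-users", "admins"}, "department": "IT"}),
	}
}

func main() {
	values, source, err := collectCustomClaims(sampleResponse(), []string{"groups", "department"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, v := range values {
		fmt.Printf("X-Vouch-IdP-Claims-%s: %v  (from %s)\n", name, v, source[name])
	}
}
```

Running it prints both custom claims with their source reported as access_token, which is the behaviour this issue describes; the same function also surfaces a clear error naming the missing claim when neither token carries it, rather than silently producing no header.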

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (12 by maintainers)

Most upvoted comments

@artagel no real objections, thanks. That’s consistent with how some of the other providers are handled at this point.

I’ll add just the caveat that I have wondered for some time if we should move to using sub instead of username, which conforms to the OIDC spec, probably as a v1.0.0 breaking change. I suspect we’d still have to check for “sub” and fall back for a few of the providers.

see ID Tokens… https://oauth.net/articles/authentication/

Thanks as always @artagel and @simongottschlag for keeping a watchful eye on ADFS issues in VP.

I tested this at one point, I’ll kick my lab VMs up again after the weekend and test it. ADFS is freaking weird, so it doesn’t surprise me that it is different.