vouch-proxy: ADFS custom claims sending X-Vouch-IdP-Claims-xx headers do not work
Adding custom claims on ADFS and configuring Vouch to send them didn't work. After debugging we found that in function handlers/handlers.go the custom claims are not found.

Inside function in `handlers/handlers.go`:

```go
func getUserInfoFromADFS(r *http.Request, user *structs.User, customClaims *structs.CustomClaims, ptokens *structs.PTokens) (rerr error) {
	…
	req, err := http.NewRequest("POST", cfg.GenOAuth.TokenURL, strings.NewReader(formData.Encode()))
	…
	ptokens.PAccessToken = string(tokenRes.AccessToken)
	ptokens.PIdToken = string(tokenRes.IDToken)
```

After this request, `data` contains the complete reply from ADFS:

```
{\"access_token\":\"eyJ0e.....xzuZ_TQ\",\"token_type\":\"bearer\",\"expires_in\":3600,\"resource\":\"http://a.b.intern/auth\",\"refresh_token\":\"aZGO18.........1HSfEw\",\"refresh_token_expires_in\":28799,\"scope\":\"openid\",\"id_token\":\"eyJ0eX.....kvIRuKNG-FhH8CzA\"}"}
```

```go
	…
	if err = mapClaims(data, customClaims); err != nil {
```

mapClaims is searching in `data` for custom claims but doesn't find them; in the previous commit there was only a check for the idToken part:

```go
	if err = mapClaims([]byte(idToken), user); err != nil {
```

In our situation the custom claims are supplied in the accessToken. After changing the code to use accessToken, the custom claims and sending X-Vouch-IdP-Claims-xx headers are working:

```go
	if err = mapClaims([]byte(accessToken), user); err != nil {
```
Before submitting a merge request I would like to address this issue and understand why “data” is used in the last commit.
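The token handling the issue describes, as an added Go example that is not vouch-proxy's own code: it decodes the JWT payload of the access token and the id_token and resolves configured custom claims from the access token first, falling back to the id_token, so it covers both the reporter's ADFS setup and providers that put claims in the id_token. The function names (`mkToken`, `jwtClaims`, `mapCustomClaims`) and the constructed sample tokens and claim values are assumptions, not part of the project.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// mkToken builds an unsigned JWT from constructed claims (test data, not a real ADFS token).
func mkToken(claims map[string]interface{}) string {
	seg := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return seg(map[string]string{"alg": "none"}) + "." + seg(claims) + ".sig"
}

// Constructed tokens mirroring the reporter's setup: "department" lives only in the access token.
var sampleAccessToken = mkToken(map[string]interface{}{"sub": "alice", "department": "infra"})
var sampleIDToken = mkToken(map[string]interface{}{"sub": "alice", "email": "alice@a.b.intern"})

// jwtClaims decodes a compact JWT payload. No signature check here: as in Vouch, the token was
// fetched directly from the IdP's token endpoint over TLS; verify anything received elsewhere.
func jwtClaims(token string) (claims map[string]interface{}, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}

// mapCustomClaims resolves each configured claim name from the access token first and
// falls back to the id_token, rather than searching the raw token-endpoint reply.
func mapCustomClaims(accessToken, idToken string, names []string) (map[string]interface{}, error) {
	found := map[string]interface{}{}
	for _, tok := range []string{accessToken, idToken} {
		c, err := jwtClaims(tok)
		if err != nil {
			return nil, err
		}
		for _, n := range names {
			if v, ok := c[n]; ok && found[n] == nil {
				found[n] = v // first hit wins, so the access token takes precedence
			}
		}
	}
	return found, nil
}
```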
About this issue
- State: closed
- Created 5 years ago
- Comments: 18 (12 by maintainers)
@artagel no real objections, thanks. That's consistent with how some of the other providers are handled at this point.

I'll add just the caveat that I have wondered for some time if we should move to using `sub` instead of `username`, which conforms to the OIDC spec, probably as a `v1.0.0` breaking change. I suspect we'd still have to check for "sub" and fall back for a few of the providers. See ID Tokens… https://oauth.net/articles/authentication/
Thanks as always @artagel and @simongottschlag for keeping a watchful eye on ADFS issues in VP.
I tested this at one point, I'll kick my lab VMs up again after the weekend and test it. ADFS is freaking weird, so it doesn't surprise me that it is different.