oidc provider assumes username or email claim exists and is stable, VP should use sub
#309
Comments
@rhansen Thanks for opening this issue. There has been talk from time to time of moving to I know you've tested the PR against
No, I have not.
@rhansen I've added the Sub adjustment for
I noticed this issue today when playing around with authenticating guest users in Azure AD through OIDC. In AAD guest users are not in the directory themselves, just authorized to log in to the directory with an external email. The user info has sub and email but no username, so it fails.
@UberKitten that sounds like #314
@bnfinet Ah yes, it is. I've been getting the "no User found in jwt" error but that's the root cause. Thanks!
I ran into this problem too. I need this fix, because I need to have multiple domains in
@rissson have you tried the 'allowAllUsers' config item?
Yes, that works, but then I can't use vouch proxy under different domains. |
@rissson If your users are not all within the set of protected domains you may need to run multiple VPs, one for each domain, each with
We designed a custom OIDC system where that's all UserInfo is giving back (and checking token's validity). Per https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
VouchCookie gets set; when /validate is called, it errors with "no User found in jwt", because the Username field is blank: https://github.com/vouch/vouch-proxy/blob/master/handlers/validate.go#L48
that way, at least /validate has something to fall back on. edit: sorry, finally read PR #310 and saw @bnfinet's fix for github, think you've got the problem described well. Think you solved it better than my little hack of jamming Sub into Username, and instead making Sub the real heart of the user.
@djcrabhat thanks for the kind words and for taking a look at this. Have you tested #310 against your OIDC setup? Does it work? from Dec 6th to @rhansen ..
Would you be in a position to perform such an audit and/or add tests for such?
@bnfinet will compile and test locally tomorrow (hopefully). Once I get that going I'd be happy to take a whack at getting it well exercised in the tests.
Hi @bnfinet, any idea when we can expect this to be merged? In our scenario we do not expose Also for case when authentication is enough (
@plachor no I can't provide you with an estimate at this time. Thanks for your patience. Everything else you say seems correct. |
Thanks for the clarification.
I have allowAllUsers: true, but the user still gets a redirect loop if it does not have an email.
When `oauth.provider` is set to `oidc`, Vouch assumes that either `username` or `email` exists in the UserInfo response. If neither exists (as is the case with GitLab when `scope=openid`), `structs.User.Username` is the empty string and the `/validate` endpoint fails with "no User found in jwt".

Furthermore, the `username` (or `email`) claim is used as a unique identifier for the user (e.g., in the user whitelist). This is forbidden by section 5.7 of the core spec: "The `sub` (subject) and `iss` (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, [...] other Claims such as `email`, `phone_number`, and `preferred_username` MUST NOT be used as unique identifiers for the End-User."
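As an added example (not vouch-proxy's own code), here is how an RP written in Go can key the user on issuer plus `sub`, verify the UserInfo `sub` against the already-verified ID Token as OIDC Core section 5.3.2 requires, and treat `email` and `preferred_username` as display data only, so a response carrying nothing but `sub` still yields a usable identity. The `UserInfo` struct and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
)

// UserInfo holds the claims this example inspects. The struct is an
// assumption made for this example, not vouch-proxy's own structs.User.
type UserInfo struct {
	Sub               string `json:"sub"`
	Email             string `json:"email,omitempty"`
	PreferredUsername string `json:"preferred_username,omitempty"`
}

var ErrNoSubject = errors.New("userinfo response has no sub claim")
var ErrSubMismatch = errors.New("userinfo sub does not match id_token sub")

// Identity returns the key an RP should use in whitelists and session
// cookies: issuer and subject together, as OIDC Core section 5.7 requires.
// idTokenSub is the sub from the already-verified ID Token; OIDC Core 5.3.2
// requires the UserInfo sub to match it before any UserInfo value is used.
func Identity(issuer, idTokenSub string, raw []byte) (string, UserInfo, error) {
	var ui UserInfo
	if err := json.Unmarshal(raw, &ui); err != nil {
		return "", UserInfo{}, err
	}
	if ui.Sub == "" {
		return "", UserInfo{}, ErrNoSubject
	}
	if ui.Sub != idTokenSub {
		// Discard the whole response: none of its values may be trusted.
		return "", UserInfo{}, ErrSubMismatch
	}
	return issuer + "|" + ui.Sub, ui, nil
}

// DisplayName is for logs and UI only; it never drives authorization, so a
// missing email or username (the GitLab scope=openid case) is not an error.
func DisplayName(ui UserInfo) string {
	switch {
	case ui.PreferredUsername != "":
		return ui.PreferredUsername
	case ui.Email != "":
		return ui.Email
	default:
		return ui.Sub
	}
}
```

A constructed call such as `Identity("https://gitlab.example", "248289761001", []byte(`+"`"+`{"sub":"248289761001"}`+"`"+`))` returns the key `https://gitlab.example|248289761001` even though no `email` or `preferred_username` was sent.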