Skip to content

feat: Allow calling of the UserInfo endpoint to be configurable #172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: Allow calling of the UserInfo endpoint to be configurable #172

wants to merge 1 commit into from

Conversation

petewalker
Copy link

Allows the calling of the UserInfo endpoint to be configurable.

As mentioned in #148, ADFS does not support the email or profile claims, and calling the UserInfo endpoint is pointless, as it only returns the subject.

As the UserInfo endpoint is not required, this PR adds a new config item - call_userinfo_endpoint (default true), which allows the skipping of this endpoint.

Resolves #145

@petewalker
feat: Allow calling of userinfo to be configurable
4f75419 
Allows the calling of the userinfo endpoint to be configurable, resolving omniauth#145
@petewalker
Copy link
Author

@stanhu @bufferoverflow - Would it be possible to get some feedback on this?

bufferoverflow
bufferoverflow requested changes Jan 29, 2024
View reviewed changes
lib/omniauth/strategies/openid_connect.rb
Comment on lines 260 to 270
if access_token.id_token
decoded = decode_id_token(access_token.id_token).raw_attributes
merge_with = JSON::JWS.new({})
merge_with = access_token.userinfo!.raw_attributes if options.call_userinfo_endpoint

@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
else
@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new merge_with.merge(decoded)
elsif options.call_userinfo_endpoint
@user_info = access_token.userinfo!
else
@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to keep the default case as is and put this extra handling into elsif !options.call_userinfo_endpoint and a test case would be great.

stanhu
stanhu reviewed Jun 27, 2024
View reviewed changes
lib/omniauth/strategies/openid_connect.rb
@@ -258,10 +259,14 @@ def user_info

if access_token.id_token
decoded = decode_id_token(access_token.id_token).raw_attributes
merge_with = JSON::JWS.new({})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell, ::OpenIDConnect::ResponseObject::UserInfo.new works on a regular Hash; what's the deal with using JSON::JWS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stanhu stanhu stanhu left review comments

@bufferoverflow bufferoverflow bufferoverflow requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OpenID-provider without userinfo_endpoint
3 participants
@petewalker @bufferoverflow @stanhu