From c4aaf29bab5979962d0db3611466adfd71a5cd37 Mon Sep 17 00:00:00 2001
From: Thomas Boerger
Date: Mon, 29 Jan 2024 14:07:55 +0100
Subject: [PATCH] fix(oidc): parse right claims for GitHub authentication

Before this change the authentication via GitHub always errored out within getProfileNameFromEmail because the rune list had a zero length, after my investigation I have been able to pin it down to a lacking email address fetched from the GitHub provider. Since there are various claims like the username, email and fullname which aren't part of the generated claims I have added a switch to properly read all relevant information from the right claims within the GitHub provider. This commit is still lacking proper error display on the login page, but this should be added on another commit in general.
---
 api/login.go | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/api/login.go b/api/login.go
index 1f1ddbb80..ef433a9c4 100644
--- a/api/login.go
+++ b/api/login.go
@@ -475,13 +475,38 @@ func oidcRedirect(w http.ResponseWriter, r *http.Request) {
 userInfo, err = _oidc.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
 if err == nil {
- claims.email = userInfo.Email
- claims.username = getRandomUsername()
-
- if userInfo.Profile != "" {
- claims.name = userInfo.Profile
- } else {
- claims.name = getRandomProfileName()
+ switch pid {
+ case "github":
+ type githubClaims struct {
+ Login string `json:"login"`
+ Email string `json:"email"`
+ Name string `json:"name"`
+ }
+
+ var rawClaims githubClaims
+
+ if err := userInfo.Claims(&rawClaims); err != nil {
+ log.Error(err.Error())
+ http.Redirect(w, r, "/auth/login", http.StatusTemporaryRedirect)
+ return
+ }
+
+ claims.email = rawClaims.Email
+ claims.username = rawClaims.Login
+ claims.name = rawClaims.Name
+
+ if claims.email == "" {
+ claims.email = fmt.Sprintf("%s@users.noreply.github.com", rawClaims.Login)
+ }
+ default:
+ claims.email = userInfo.Email
+ claims.username = getRandomUsername()
+
+ if userInfo.Profile != "" {
+ claims.name = userInfo.Profile
+ } else {
+ claims.name = getRandomProfileName()
+ }
 }
 }
 }
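Review bot: In the `github` case the account identity is built from `rawClaims.Login` alone: it becomes `claims.username` and, when the provider returns no email, the synthesized `<login>@users.noreply.github.com` address. A GitHub login can be renamed and later registered by a different person, so it is not a stable subject identifier. If the code after this hunk looks up or links local users by `claims.email` or `claims.username` (not visible here; oidcRedirect starts and ends outside the hunk), a recycled login would resolve to the previous owner's account, so I would also decode the numeric `id` claim into `githubClaims` and key the external identity on that. The branch also accepts empty values: an empty `rawClaims.Login` should be rejected the same way the `userInfo.Claims` error is, before the `fmt.Sprintf` fallback produces `@users.noreply.github.com`. Since a GitHub profile name is optional and the default branch already falls back to `getRandomProfileName()`, I would add `if claims.name == "" { claims.name = rawClaims.Login }`.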