

Added support for email_verified being a string or bool (sigstore#1744)
Signed-off-by: Andrew Block <[email protected]>
sabre1041 authored and lance committed Sep 5, 2024
1 parent fbccd05 commit 7ad677a
Showing 2 changed files with 44 additions and 3 deletions.
27 changes: 27 additions & 0 deletions pkg/identity/email/principal_test.go
Expand Up @@ -87,6 +87,33 @@ func TestPrincipalFromIDToken(t *testing.T) {
},
WantErr: false,
},
`String email verified value`: {
Claims: map[string]interface{}{
"aud": "sigstore",
"iss": "https://dex.other.com",
"sub": "doesntmatter",
"email": "[email protected]",
"email_verified": "true",
"federated": map[string]string{
"issuer": "https://example.com",
},
},
Config: config.FulcioConfig{
OIDCIssuers: map[string]config.OIDCIssuer{
"https://dex.other.com": {
IssuerURL: "https://dex.other.com",
IssuerClaim: "$.federated.issuer",
Type: config.IssuerTypeEmail,
ClientID: "sigstore",
},
},
},
ExpectedPrincipal: principal{
issuer: "https://example.com",
address: "[email protected]",
},
WantErr: false,
},
`Custom issuer claim missing`: {
Claims: map[string]interface{}{
"aud": "sigstore",
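Review bot: The new table entry exercises only the quoted `"true"` form of email_verified; nothing in this hunk checks that a quoted `"false"` still produces whatever outcome the principal constructor gives an unverified address, or that an unrecognised string such as `"yes"` surfaces as an error instead of being accepted. Two sibling entries with those claim values would pin the decoder's rejection path as well as its acceptance path. TestPrincipalFromIDToken begins before this hunk, so how the table compares the verified state is not visible here and the expected results for those cases would need to follow the existing entries.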
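--- a/pkg/oauthflow/oidc.go
+++ b/pkg/oauthflow/oidc.go
@@ -23,11 +23,25 @@ import (
 "github.com/coreos/go-oidc/v3/oidc"
 )
 
+type stringAsBool bool
+
+func (sb *stringAsBool) UnmarshalJSON(b []byte) error {
+switch string(b) {
+case "true", `"true"`, "True", `"True"`:
+*sb = true
+case "false", `"false"`, "False", `"False"`:
+*sb = false
+default:
+return errors.New("invalid value for boolean")
+}
+return nil
+}
+
 func EmailFromIDToken(token *oidc.IDToken) (string, bool, error) {
 // Extract custom claims
 var claims struct {
-Email string `json:"email"`
-Verified bool `json:"email_verified"`
+Email string `json:"email"`
+Verified stringAsBool `json:"email_verified"`
 }
 if err := token.Claims(&claims); err != nil {
 return "", false, err
@@ -36,7 +50,7 @@ func EmailFromIDToken(token *oidc.IDToken) (string, bool, error) {
 return "", false, errors.New("token missing email claim")
 }
 
-return claims.Email, claims.Verified, nil
+return claims.Email, bool(claims.Verified), nil
 }
 
 func IssuerFromIDToken(token *oidc.IDToken, claimJSONPath string) (string, error) {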
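Review bot: The new UnmarshalJSON on stringAsBool has no case for the JSON literal null, so a token carrying `"email_verified": null` now makes token.Claims fail with "invalid value for boolean", whereas the previous plain bool field was left false by encoding/json and the caller applied its own verified check; if that tightening is intended it deserves a comment, otherwise add `case "null": // keep the zero value, as encoding/json does for a plain bool` ahead of default. The error names neither the claim nor the offending value, which makes a rejected token hard to diagnose; `return errors.New("invalid value for email_verified claim")` fixes that within the errors package the file already uses. The type also lacks a doc comment, e.g. `// stringAsBool decodes a claim that may arrive as a JSON boolean or as the quoted strings "true"/"false" (capitalised variants accepted).` EmailFromIDToken's body continues past the end of the first hunk.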

