mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0

Using customized ADFS ID tokens #297

Closed draganHR closed 5 years ago

draganHR commented 5 years ago

I need to enable authentication via ADFS (Windows Server 2016) and OpenID Connect.

It seems that the ADFS userinfo endpoint always returns only the "sub" claim and I don't see any way of making it return other user details:

The ADFS userinfo endpoint always returns the subject claim as specified in the OpenID standards. AD FS does not provide additional claims requested via the UserInfo endpoint. If you need additional claims in ID token, refer to Custom ID Tokens in AD FS.

However, it is possible to customize the id_token [1, 2] and add additional user details, such as email, username, groups, etc. Here is what my id_token looks like now:

    >>> print(json.dumps(payload, indent=2))
    {
      "nonce": "X846lT18q7MmJC7JNFN3BveaO2i1N5F7", 
      "upn": "user1@devdomain.local", 
      "unique_name": "DEVDOMAIN\\user1", 
      "appid": "de933ef8-eba6-409f-9860-c8248e23bd06", 
      "group": [
        "devgroup2", 
        "devgroup1"
      ], 
      "aud": "ae913af1-aba1-123a-1230-a8248e21bd01", 
      "apptype": "Confidential", 
      "iss": "https://WINDEV.DEVDOMAIN.local/adfs", 
      "sid": "S-1-5-21-123684123-1031106123-3064591234-1236", 
      "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", 
      "scp": "allatclaims openid", 
      "given_name": "user1", 
      "exp": 1549286843, 
      "auth_time": 1549270729, 
      "iat": 1549283243, 
      "email": "user1@example.com", 
      "ver": "1.0", 
      "sub": "BrszsTk+d1Y/qhOjWkiYqa+W6/0="
    }

Maybe I missed something, but it seems that mozilla-django-oidc does not currently support using user details from the id_token; is this correct?

I am considering overriding OIDCAuthenticationBackend.get_userinfo or OIDCAuthenticationBackend.get_or_create_user in order to use id_token data instead of userinfo; does that sound like the right approach?
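
Concretely, the `get_userinfo` override draganHR describes, as an added example written for this thread rather than code from mozilla-django-oidc: a pure-Python helper that turns the decoded ID token above into the userinfo dict the backend expects, plus a backend subclass that plugs it into `get_userinfo(self, access_token, id_token, payload)`, the hook the library calls from `get_or_create_user` after `verify_token` has accepted the token. The issuer/audience/expiry re-check, the claim allow-list, the `ADFSIDTokenBackend` class name and the `OIDC_OP_ISSUER` setting are this example's own assumptions, not library features; the sample payload is the one posted above.

```python
"""Derive userinfo-style claims from a customised ADFS ID token.

Added example for this issue thread; not code from mozilla-django-oidc.
"""
import time

# Decoded ID token from the issue above (constructed sample; in the real
# backend this is the payload verify_token has already signature-checked).
SAMPLE_PAYLOAD = {
    "nonce": "X846lT18q7MmJC7JNFN3BveaO2i1N5F7",
    "upn": "user1@devdomain.local",
    "unique_name": "DEVDOMAIN\\user1",
    "appid": "de933ef8-eba6-409f-9860-c8248e23bd06",
    "group": ["devgroup2", "devgroup1"],
    "aud": "ae913af1-aba1-123a-1230-a8248e21bd01",
    "iss": "https://WINDEV.DEVDOMAIN.local/adfs",
    "given_name": "user1",
    "exp": 1549286843,
    "iat": 1549283243,
    "email": "user1@example.com",
    "sub": "BrszsTk+d1Y/qhOjWkiYqa+W6/0=",
}
EXPECTED_ISSUER = "https://WINDEV.DEVDOMAIN.local/adfs"
EXPECTED_AUDIENCE = "ae913af1-aba1-123a-1230-a8248e21bd01"

# Allow-list of ID token claims copied into the userinfo dict, mapped to the
# keys the default backend reads ("email" for user lookup, "given_name" for
# the first name). Anything not listed (nonce, appid, sid, ...) is dropped so
# token internals never reach user provisioning.
CLAIM_MAP = {
    "sub": "sub",
    "email": "email",
    "given_name": "given_name",
    "upn": "upn",
    "unique_name": "unique_name",
    "group": "groups",
}


class IDTokenClaimsError(ValueError):
    """The ID token payload must not be used as a source of user details."""


def userinfo_from_id_token(payload, expected_issuer, expected_audience, now=None):
    """Build a userinfo dict from an already signature-verified ID token.

    Re-checks iss, aud and exp as defence in depth (the claims are only
    meaningful if they were minted by our OP, for our client, and are still
    valid) and copies only allow-listed claims.
    """
    now = time.time() if now is None else now
    if payload.get("iss") != expected_issuer:
        raise IDTokenClaimsError("issuer mismatch")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise IDTokenClaimsError("audience mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise IDTokenClaimsError("token expired")
    if not payload.get("sub"):
        raise IDTokenClaimsError("missing sub")

    info = {key: payload[claim] for claim, key in CLAIM_MAP.items() if claim in payload}
    # A multi-valued claim may be serialised as a bare string when it holds a
    # single value; normalise so callers can always iterate over groups.
    if "groups" in info and not isinstance(info["groups"], list):
        info["groups"] = [info["groups"]]
    return info


try:
    # The real hook lives on the library's backend class.
    from mozilla_django_oidc.auth import OIDCAuthenticationBackend
except ImportError:  # assumption: lets this file run without Django installed
    OIDCAuthenticationBackend = object


class ADFSIDTokenBackend(OIDCAuthenticationBackend):
    """Hypothetical backend that skips the userinfo endpoint entirely."""

    def get_userinfo(self, access_token, id_token, payload):
        # get_or_create_user calls this after verify_token has accepted the
        # token, so payload is the verified claims; no request is made to
        # OIDC_OP_USER_ENDPOINT.
        return userinfo_from_id_token(
            payload,
            expected_issuer=self.get_settings("OIDC_OP_ISSUER"),  # hypothetical setting
            expected_audience=self.get_settings("OIDC_RP_CLIENT_ID"),
        )
```

The returned dict still carries `email`, so the default `verify_claims` (which requires an email claim whenever `OIDC_RP_SCOPES` includes `email`) and `filter_users_by_claims` keep working unchanged; only the source of the claims moves from the userinfo endpoint to the signed ID token. Anything from this dict that later ends up in a cookie-based session is readable by the client, which is the leakage concern raised in the reply below.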

johngian commented 5 years ago

mozilla-django-oidc is designed to use userinfo to get the claims. A workaround to what you describe is:

For more information:

Keep in mind that if you are using a cookie-based session you might be leaking information to the client side, so that needs careful handling.

Let me know if you need any further information. :rocket: