ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Support for optional claims from OIDC providers #2641

Closed gheibia closed 2 years ago

gheibia commented 2 years ago

Describe your problem

Current Claim struct only supports common claims amongst all providers. There is no way to include optional claims.

For instance, with Azure AD one can add Application Roles to the ID Token: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

These roles could then be added to an identity's metadata or traits to be used later (e.g., fine-grained authorization).

Describe your ideal solution

I thought about different solutions and the one that stood out to me and is least impactful is this (I can put out a PR if needed):

  1. Update the Claims struct to include a map[string]string for optional claims.
  2. Update Microsoft Provider to implement verifyAndDecodeClaimsWithProvider (from the embedded ProviderGenericOIDC) to populate the new map when building a claims object. This requires:
    1. Adding a local struct (e.g., microsoftClaims) to Microsoft Provider embedding Claims struct. This new struct will contain any new claim in the ID Token as a field. We'll pass a reference to a microsoftClaims object to the Claims method of gooidc.IDToken instead.
    2. Once populated, copy the optional claims from microsoftClaims to Claims' new optional claims map.

With this approach any provider that needs extra claims can implement this method and populate them in the new map.

Workarounds or alternatives

I couldn't find a workaround for this. There are endpoints in Azure AD which I can call (using hooks for example) to get assigned roles, but they need elevated permissions.

Version

0.10.1

Additional Context

No response
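
The two steps proposed above, sketched as an added example (not code from this issue or from Kratos). `Claims`, `Optional`, `decodeMicrosoftClaims` and `sampleToken` are hypothetical names, and manual payload decoding stands in for the ID token's Claims call. The roles array is stored as JSON text because the proposed map holds strings.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is a stand-in for the shared claim set, not the Kratos struct.
type Claims struct {
	Subject  string            `json:"sub"`
	Optional map[string]string `json:"-"` // step 1: provider-specific extras
}

// microsoftClaims embeds Claims and adds the optional "roles" claim (step 2.1).
type microsoftClaims struct {
	Claims
	Roles []string `json:"roles"`
}

// decodeMicrosoftClaims reads the payload of an ID token whose signature,
// issuer and audience the caller has already verified, then copies the
// extras into Optional (step 2.2).
func decodeMicrosoftClaims(verifiedToken string) (*Claims, error) {
	parts := strings.Split(verifiedToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed ID token: %d segments", len(parts))
	}
	var mc microsoftClaims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(payload, &mc)
	}
	if err != nil {
		return nil, err
	}
	mc.Optional = map[string]string{}
	if len(mc.Roles) > 0 { // roles is an array; store it losslessly as JSON text
		b, _ := json.Marshal(mc.Roles)
		mc.Optional["roles"] = string(b)
	}
	return &mc.Claims, nil
}

// sampleToken builds constructed demo input: empty header "e30", fake signature.
func sampleToken(p string) string { return "e30." + base64.RawURLEncoding.EncodeToString([]byte(p)) + ".sig" }

func main() { fmt.Println(decodeMicrosoftClaims(sampleToken(`{"sub":"u1","roles":["Admin","Reader"]}`))) }
```

A token without a roles claim yields an empty map, and a roles claim that is not an array is rejected instead of being coerced.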

gheibia commented 2 years ago

Alternatively, I can update the existing microsoftUnverifiedClaims struct and add a field for Roles. Keep everything else as is and simply copy the roles from microsoftUnverifiedClaims to Claims struct's new map.

gheibia commented 2 years ago

Hello, I was wondering if someone could give me feedback on this. I'd like to start working on this.

aeneasr commented 2 years ago

This is now merged on master :)

gheibia commented 2 years ago

Could you please point me to the PR? Neither Claims struct nor Microsoft Provider seem to have been changed.

aeneasr commented 2 years ago

https://github.com/ory/kratos/pull/2765

gheibia commented 2 years ago

Awesome! I'm gonna try this. Thank you.