
Support email scope in authentication flow #598

Open
VJalili opened this issue Mar 27, 2019 · 2 comments

Comments

@VJalili
Contributor

VJalili commented Mar 27, 2019

When I set scopes in my authentication request to ['openid', 'user'], I get an ID token whose context decodes as:

  "context": {
    "user": {
      "phone_number": null,
      "display_name": null,
      "name": "[email protected]",
      "is_admin": false,
      "policies": [],
      "email": null,
      "projects": {}
    }
  },

where the name field contains the email address, and the email field is null.

I changed the scope to ['openid', 'user', 'email'], but then I get the Unauthorized exception:

fence/fence/auth.py

Lines 98 to 104 in 31744be

    def check_scope_and_call(*args, **kwargs):
        if "_all" in flask.g.scopes or scope in flask.g.scopes:
            return f(*args, **kwargs)
        else:
            raise Unauthorized(
                "Requested scope {} can't access this endpoint".format(scope)
            )

because email is not a currently supported scope:

fence/fence/jwt/token.py

Lines 50 to 56 in 8337488

CLIENT_ALLOWED_SCOPES = [
    "openid",
    "user",
    "data",
    "google_credentials",
    "google_service_account",
]

I was wondering if you could add support for the email scope so that a future context would decode as:

  "context": {
    "user": {
      "phone_number": null,
      "display_name": null,
      "name": "xyz",
      "is_admin": false,
      "policies": [],
      "email": "[email protected]",
      "projects": {}
    }
  },
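The two checks the issue runs into, as an added illustration that is not fence's own code: requested scopes are filtered against an allow-list like the cited CLIENT_ALLOWED_SCOPES (so "email" is rejected before any token is issued), and an endpoint is gated on a granted scope with the same `_all` wildcard as check_scope_and_call. The `Unauthorized` class, `require_scope` decorator and the `granted` argument (standing in for flask.g.scopes) are assumed names.

```python
import functools

# Allow-list as cited from fence/jwt/token.py in the issue; note "email" is absent.
CLIENT_ALLOWED_SCOPES = ["openid", "user", "data", "google_credentials", "google_service_account"]


class Unauthorized(Exception):
    """Stands in for fence's Unauthorized exception (assumed name)."""


def validate_requested_scopes(requested):
    """Return the scopes a client may be granted; reject any not on the allow-list."""
    unknown = [s for s in requested if s not in CLIENT_ALLOWED_SCOPES]
    if unknown:
        raise Unauthorized("Unsupported scope(s): {}".format(", ".join(unknown)))
    return list(requested)


def scopes_accepted(requested):
    """True if every requested scope is on the allow-list, False otherwise."""
    try:
        validate_requested_scopes(requested)
        return True
    except Unauthorized:
        return False


def require_scope(scope, granted):
    """Decorator mirroring check_scope_and_call. `granted` is the set of scopes
    carried by the presented token (fence reads it from flask.g.scopes at call time)."""
    def decorator(f):
        @functools.wraps(f)
        def check_scope_and_call(*args, **kwargs):
            # "_all" is a wildcard that satisfies every scope check.
            if "_all" in granted or scope in granted:
                return f(*args, **kwargs)
            raise Unauthorized("Requested scope {} can't access this endpoint".format(scope))
        return check_scope_and_call
    return decorator


def endpoint_reachable(endpoint_scope, granted):
    """True if an endpoint guarded by endpoint_scope is callable with `granted` scopes."""
    @require_scope(endpoint_scope, granted)
    def endpoint():
        return True
    try:
        return endpoint()
    except Unauthorized:
        return False
```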
@Avantol13
Contributor

Hey @VJalili! Thanks for the input. We actually don't support email as a separate field; we bundle all the user info into the context field and provide that under the user scope. The fact that you're not seeing an email in the email field has to do with how we create users for different identity providers. I'm assuming you have Google configured as the IDP, and when we create users from Google profiles, we use their email as their username. It's definitely a valid suggestion for us to also put that in the email field for Google as well. I will create a ticket on our end to support this.

@Avantol13
Contributor

We could additionally support the email field as the OIDC spec defines, but then the email field would end up outside the context block, per the spec. Further conformance to the optional features in OIDC is something we are continuing to pursue as well.
