Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to add email claim using oidc_user_claims ? #91

Open
funkypenguin opened this issue Jul 7, 2023 · 5 comments
Open

How to add email claim using oidc_user_claims ? #91

funkypenguin opened this issue Jul 7, 2023 · 5 comments

Comments

@funkypenguin
Copy link

Hey folks!

I'm trying to use this in conjection with https://github.com/mesosphere/traefik-forward-auth - I need an email claim to validate, so I tried the following client setup:

add_filter( 'oidc_registered_clients', 'my_oidc_clients' );
function my_oidc_clients() {
	return array(
		'clientid' => array(
			'name' => 'My Awesome Name',
			'secret' => 'clientsecret',
			'grant_types' => array( 'authorization_code' ),
			'scope' => 'openid profile email'
		),
	);
}

And then I added:

add_filter( 'oidc_user_claims', 'my_user_claims', 10, 2 );
function my_user_claims($claims, $user) {
    $claims['email'] = $user->user_email; 
    return $claims;
}

Hoping to get the email address returned. However, my claim (when debugged with https://openidconnect.net/), doesn't show the email field.

Have I misunderstood how to achieve this? :)

Thanks!
D
@ashfame
Copy link
Member

ashfame commented Jul 7, 2023

Hi, That's totally correct & should work. I am not familiar with Traefik forward auth setup, so that could have something to do here. This would require deeper debugging of exact data returned by endpoints vs expectations, in your setup. https://oauth.tools/ would be helpful here.

@funkypenguin
Copy link
Author

I used openidconnect.net (so avoiding traefik-forward-auth), and confirmed that I the jtw didn't include an email claim, even though I asked for it (config above).

I'm not sure, but could it be related to https://github.com/Automattic/wp-openid-connect-server/blob/main/src/Http/Handlers/ConfigurationHandler.php#L31 ?

D

@funkypenguin
Copy link
Author

Been debugging this a bit.. adding this die() code in src/Storage/UserClaimsStorage.php doesn't seem to get executed, i expect the entire function isn't being called for some reason...

class UserClaimsStorage implements UserClaimsInterface {
	public function getUserClaims( $user_id, $scope ) {
		die('to be clear, this is never executed');

@psrpinto
Copy link
Member

AFAICT, the getUserClaims() method is called when a request is made to either the authorize endpoint or the userinfo endpoint.

@funkypenguin
Copy link
Author

I don't understand enough to know why, but I found that I needed to edit buildAuthorizeParameters in openid-connect-server/vendor/bshaffer/oauth2-server-php/src/OAuth2/OpenID/Controller/AuthorizeController.php, and insert this:

		$user = get_user_by( 'login', $user_id );
		$field_map = array(
			'email'    => 'user_email',
		);

		foreach ( $field_map as $key => $value ) {
			if ( $user->$value ) {
				$claims[ $key ] = $user->$value;
			}
		}

Before this, (to which I added the $claims variable):

        if ($this->needsIdToken($this->getScope()) && $this->getResponseType() == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
            $params['id_token'] = $this->responseTypes['id_token']->createIdToken($this->getClientId(), $user_id, $this->nonce, $claims);
        }

It's working, but I'll happily take instruction on why, and how I could have done it better :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@psrpinto @ashfame @funkypenguin