From 2a0354dbb6ac0388c61c4b385f0497bc28fc28fd Mon Sep 17 00:00:00 2001
From: Akshay Gaikwad
Date: Wed, 18 May 2022 18:48:49 +0530
Subject: [PATCH] Added mapper configs for known OIdC providers

- These mapper configs are prefilled in the UI automatically.
- Removed description from required in Kratos identity schema.
---
 _kratos/identity.schema.json | 1 -
 _kratos/oidc-mappers/facebook.jsonnet | 14 ++++++++++++++
 _kratos/oidc-mappers/github.jsonnet | 25 +++++++++++++++++++++++++
 _kratos/oidc-mappers/gitlab.jsonnet | 25 +++++++++++++++++++++++++
 _kratos/oidc-mappers/google.jsonnet | 16 ++++++++++++++++
 _kratos/oidc-mappers/slack.jsonnet | 24 ++++++++++++++++++++++++
 6 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 _kratos/oidc-mappers/facebook.jsonnet
 create mode 100644 _kratos/oidc-mappers/github.jsonnet
 create mode 100644 _kratos/oidc-mappers/gitlab.jsonnet
 create mode 100644 _kratos/oidc-mappers/google.jsonnet
 create mode 100644 _kratos/oidc-mappers/slack.jsonnet

diff --git a/_kratos/identity.schema.json b/_kratos/identity.schema.json
index dd03208..4f09ae9 100644
--- a/_kratos/identity.schema.json
+++ b/_kratos/identity.schema.json
@@ -52,7 +52,6 @@
     "required": [
       "first_name",
       "last_name",
-      "description",
       "email"
     ],
     "additionalProperties": false
diff --git a/_kratos/oidc-mappers/facebook.jsonnet b/_kratos/oidc-mappers/facebook.jsonnet
new file mode 100644
index 0000000..b5f7959
--- /dev/null
+++ b/_kratos/oidc-mappers/facebook.jsonnet
@@ -0,0 +1,14 @@
+// scopes: email
+// Issuer Url: https://www.facebook.com
+
+local claims = std.extVar('claims');
+{
+  identity: {
+    traits: {
+      // The email might be empty if the user hasn't granted permissions for the email scope.
+      [if "email" in claims then "email" else null]: claims.email,
+      [if "given_name" in claims then "first_name" else null]: claims.given_name,
+      [if "family_name" in claims then "last_name" else null]: claims.family_name,
+    },
+  },
+}
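Review bot: The `email` trait is copied from the claims with no verification check, while github.jsonnet, gitlab.jsonnet and google.jsonnet in this commit gate `email` on `email_verified` and slack.jsonnet at least documents why it does not; this file states neither, so a reader cannot tell whether Facebook-issued emails are assumed to be verified. Add a comment next to the `email` entry recording that assumption, e.g. `// Facebook exposes no email_verified claim; this mapper assumes the email it returns has been verified by Facebook — confirm before using it as a login identifier.` Note also that the identity.schema.json hunk of this same commit keeps `first_name`, `last_name` and `email` in `required`, while all three traits here are emitted only when the claim is present, so an identity with any claim missing will fail schema validation; presumably Kratos then asks the user to complete the missing traits, but if that is the intended path it should be said in the comment rather than left to the reader.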
diff --git a/_kratos/oidc-mappers/github.jsonnet b/_kratos/oidc-mappers/github.jsonnet
new file mode 100644
index 0000000..fcf3b3e
--- /dev/null
+++ b/_kratos/oidc-mappers/github.jsonnet
@@ -0,0 +1,25 @@
+// scopes: user:email
+// Issuer Url: https://github.com/login/oauth/authorize
+
+local claims = {
+  email_verified: false
+} + std.extVar('claims');
+
+local fName = if "name" in claims && claims.name!=null && std.length(std.findSubstr(" ", claims.name)) > 0 then std.splitLimit(claims.name, " ", 1)[0] else "undefined";
+local lName = if "name" in claims && claims.name!=null && std.length(std.findSubstr(" ", claims.name)) > 0 then std.splitLimit(claims.name, " ", 1)[1] else "undefined";
+
+{
+  identity: {
+    traits: {
+      // Allowing unverified email addresses enables account
+      // enumeration attacks, especially if the value is used for
+      // e.g. verification or as a password login identifier.
+      //
+      // Therefore we only return the email if it (a) exists and (b) is marked verified
+      // by GitHub.
+      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+      first_name: fName,
+      last_name: lName,
+    },
+  },
+}
diff --git a/_kratos/oidc-mappers/gitlab.jsonnet b/_kratos/oidc-mappers/gitlab.jsonnet
new file mode 100644
index 0000000..8af6c7a
--- /dev/null
+++ b/_kratos/oidc-mappers/gitlab.jsonnet
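Review bot: `fName` and `lName` fall back to the literal string "undefined" whenever `claims.name` is absent, null or contains no space, so a GitHub user with a one-word or empty display name is registered with the real name "undefined"/"undefined" instead of being asked for it; gitlab.jsonnet and slack.jsonnet in this commit carry the same two lines. The long condition is also duplicated verbatim, and `std.splitLimit(claims.name, " ", 1)[1]` yields an empty last name for a display name with a trailing space. Since identity.schema.json keeps `first_name` and `last_name` in `required`, omitting the trait with the `[if … then "first_name" else null]` key pattern that facebook.jsonnet already uses lets schema validation surface the gap rather than persisting a placeholder value. Something along these lines:
```jsonnet
local name = if "name" in claims && claims.name != null then claims.name else "";
local parts = std.splitLimit(name, " ", 1);
// A one-word name becomes first_name only; an empty name yields no name traits at all.
local fName = if std.length(parts) > 1 then parts[0] else name;
local lName = if std.length(parts) > 1 && parts[1] != "" then parts[1] else null;

// … unchanged: identity / traits object and the verified-email gate …
      [if fName != "" then "first_name" else null]: fName,
      [if lName != null then "last_name" else null]: lName,
```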
@@ -0,0 +1,25 @@
+// scopes: email, profile, read_user, openid
+// Issuer Url: https://gitlab.com
+
+local claims = {
+email_verified: false
+} + std.extVar('claims');
+
+local fName = if "name" in claims && claims.name!=null && std.length(std.findSubstr(" ", claims.name)) > 0 then std.splitLimit(claims.name, " ", 1)[0] else "undefined";
+local lName = if "name" in claims && claims.name!=null && std.length(std.findSubstr(" ", claims.name)) > 0 then std.splitLimit(claims.name, " ", 1)[1] else "undefined";
+
+{
+  identity: {
+    traits: {
+      // Allowing unverified email addresses enables account
+      // enumeration attacks, if the value is used for
+      // verification or as a password login identifier.
+      //
+      // Therefore we only return the email if it (a) exists and (b) is marked verified
+      // by GitLab.
+      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+      first_name: fName,
+      last_name: lName,
+    },
+  },
+}
diff --git a/_kratos/oidc-mappers/google.jsonnet b/_kratos/oidc-mappers/google.jsonnet
new file mode 100644
index 0000000..9ad2d28
--- /dev/null
+++ b/_kratos/oidc-mappers/google.jsonnet
@@ -0,0 +1,16 @@
+// scopes: email, profile
+// Issuer Url: https://accounts.google.com
+
+local claims = {
+  email_verified: true
+} + std.extVar('claims');
+
+{
+  identity: {
+    traits: {
+      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+      [if "given_name" in claims then "first_name" else null]: claims.given_name,
+      [if "family_name" in claims then "last_name" else null]: claims.family_name,
+    },
+  },
+}
diff --git a/_kratos/oidc-mappers/slack.jsonnet b/_kratos/oidc-mappers/slack.jsonnet
new file mode 100644
index 0000000..1dedb69
--- /dev/null
+++ b/_kratos/oidc-mappers/slack.jsonnet
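Review bot: The `email_verified: false` line inside the `local claims` default object appears to sit at column 0, while the same line is indented in github.jsonnet, google.jsonnet and slack.jsonnet; indent it to match (`  email_verified: false`) so the five mappers read as one set. The header comment lists four scopes (`email, profile, read_user, openid`) but does not say which of them supplies the `email_verified` claim the gate below depends on; a short note on that line would save the next reader a trip to the provider docs.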
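Review bot: The default merged under the provider claims is `email_verified: true`, so if Google's claims ever omit `email_verified` this mapper treats the address as verified and emits it, whereas github.jsonnet and gitlab.jsonnet default to `false` and fail closed. As far as I know Google does return `email_verified` when the `email` scope is granted and it can legitimately be `false`, so the default only matters in the absent case — which is exactly the case where failing closed is the safer choice: `email_verified: false`. This is also the only mapper with an `email_verified` gate and no comment explaining it; a one-liner such as `// Only map the email when Google marks it verified (see github.jsonnet for why).` would keep the files consistent.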
@@ -0,0 +1,24 @@
+// scopes: identity.basic, identity.email
+// Issuer Url: https://slack.com
+
+local claims = {
+  email_verified: true
+} + std.extVar('claims');
+
+local fName = if "name" in claims && claims.name!=null && std.length(std.findSubstr(" ", claims.name)) > 0 then std.splitLimit(claims.name, " ", 1)[0] else "undefined";
+local lName = if "name" in claims && claims.name!=null && std.length(std.findSubstr(" ", claims.name)) > 0 then std.splitLimit(claims.name, " ", 1)[1] else "undefined";
+
+{
+  identity: {
+    traits: {
+      // Allowing unverified email addresses enables account
+      // enumeration attacks, if the value is used for
+      // verification or as a password login identifier.
+      //
+      // It's assumed that Slack requires an email to be verified to be accessible via OAuth (because they don't provide a email_verified field).
+      email: claims.email,
+      first_name: fName,
+      last_name: lName,
+    },
+  },
+}
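Review bot: `email: claims.email` reads the field unconditionally, so a claims object without `email` (for instance when the `identity.email` scope was not granted) makes the Jsonnet evaluation fail with a missing-field error instead of producing an identity without that trait; the other mappers in this commit guard it with `[if "email" in claims then "email" else null]: claims.email,`. The `email_verified: true` default merged into `claims` is never read in this file, and the comment just above says Slack provides no such field, so the default is dead code that suggests a check which does not happen — drop it, or keep it with a comment saying why it is there. The comment itself would read better as `// Slack does not provide an email_verified field; this mapper assumes any email it returns has been verified by Slack.`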