Oauth2-proxy: Support for custom claims

Created on 27 Aug 2019  路  4Comments  路  Source: oauth2-proxy/oauth2-proxy

It would be great to be able to check not only against email but also custom claims and their values. This way if custom claim is included in id_token then only users with specific values in that custom claim would be allowed in, right now only the email is checked, which allows all users that have a id_token for specific email domain.

Hacktoberfest Stale enhancement good first issue help wanted

Most helpful comment

To extend this issue a bit, I'd really like to have support for _exporting_ arbitrary claims akin to how user and email are exported (either in x-auth-request-* or x-forwarded-*). Claims could come from either the id_token or the userinfo endpoint, both are valid.

For what it's worth, I don't feel oauth2_proxy is the best place to be doing access control decisions past answering, "is this id_token valid?" I have better tools in apache/nginx/haproxy for making those decisions. Already I'm running afoul of the email checks as my applications don't need them so I don't want to ask my users for them, they just need a valid identifier (sub). But oauth2_proxy requires email to be present and bombs if it's not set.

All 4 comments

To extend this issue a bit, I'd really like to have support for _exporting_ arbitrary claims akin to how user and email are exported (either in x-auth-request-* or x-forwarded-*). Claims could come from either the id_token or the userinfo endpoint, both are valid.

For what it's worth, I don't feel oauth2_proxy is the best place to be doing access control decisions past answering, "is this id_token valid?" I have better tools in apache/nginx/haproxy for making those decisions. Already I'm running afoul of the email checks as my applications don't need them so I don't want to ask my users for them, they just need a valid identifier (sub). But oauth2_proxy requires email to be present and bombs if it's not set.

I would at least be very useful to be able to restrict by 'group claim'.

I believe, the Keycloak provider does support a 'groups' claim but it would be nice to have something similar (or better as the issue suggests, custom claims) in the OIDC provider.

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

+1 on a feature like this, am playing around with Dex and would love to validate GH team membership in individual oauth2-proxy instances for finer grained access.

Was this page helpful?
0 / 5 - 0 ratings