add oauth2_metadata option

hashicorp · Jun 19, 2020 · f57d734 · f57d734
1 parent fffbc4e
commit f57d734
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/path_oidc.go b/path_oidc.go
@@ -216,6 +216,7 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 
 	var rawToken string
 	var oauth2Token *oauth2.Token
+	oauth2Metadata := make(map[string]string)
 
 	code := d.Get("code").(string)
 	if code == noCode {
@@ -239,6 +240,14 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 		if !ok {
 			return logical.ErrorResponse(errTokenVerification + " No id_token found in response."), nil
 		}
+
+		for _, mdname := range role.Oauth2Metadata {
+			md, ok := oauth2Token.Extra(mdname).(string)
+			if !ok {
+				return logical.ErrorResponse(errTokenVerification + " No " + mdname + " found in response."), nil
+			}
+			oauth2Metadata[mdname] = md
+		}
 	}
 
 	if role.VerboseOIDCLogging {
@@ -292,6 +301,9 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 	for k, v := range alias.Metadata {
 		tokenMetadata[k] = v
 	}
+	for k, v := range oauth2Metadata {
+		tokenMetadata["oauth2_" + k] = v
+	}
 
 	auth := &logical.Auth{
 		Policies:     role.Policies,

diff --git a/path_role.go b/path_role.go
@@ -122,6 +122,10 @@ Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.`,
 				Type:        framework.TypeKVPairs,
 				Description: `Mappings of claims (key) that will be copied to a metadata field (value)`,
 			},
+			"oauth2_metadata": {
+				Type:        framework.TypeCommaStringSlice,
+				Description: `Comma-separated list of one or more of access_token, id_token, refresh_token to return in metadata`,
+			},
 			"user_claim": {
 				Type:        framework.TypeString,
 				Description: `The claim to use for the Identity entity alias name`,
@@ -197,6 +201,7 @@ type jwtRole struct {
 	BoundClaimsType     string                 `json:"bound_claims_type"`
 	BoundClaims         map[string]interface{} `json:"bound_claims"`
 	ClaimMappings       map[string]string      `json:"claim_mappings"`
+	Oauth2Metadata      []string               `json:"oauth2_metadata"`
 	UserClaim           string                 `json:"user_claim"`
 	GroupsClaim         string                 `json:"groups_claim"`
 	OIDCScopes          []string               `json:"oidc_scopes"`
@@ -303,6 +308,7 @@ func (b *jwtAuthBackend) pathRoleRead(ctx context.Context, req *logical.Request,
 		"bound_claims_type":     role.BoundClaimsType,
 		"bound_claims":          role.BoundClaims,
 		"claim_mappings":        role.ClaimMappings,
+		"oauth2_metadata":       role.Oauth2Metadata,
 		"user_claim":            role.UserClaim,
 		"groups_claim":          role.GroupsClaim,
 		"allowed_redirect_uris": role.AllowedRedirectURIs,
@@ -489,6 +495,10 @@ func (b *jwtAuthBackend) pathRoleCreateUpdate(ctx context.Context, req *logical.
 		role.ClaimMappings = claimMappings
 	}
 
+	if oauth2Metadata, ok := data.GetOk("oauth2_metadata"); ok {
+		role.Oauth2Metadata = oauth2Metadata.([]string)
+	}
+
 	if userClaim, ok := data.GetOk("user_claim"); ok {
 		role.UserClaim = userClaim.(string)
 	}