because okta is a special snowflake when adding groups to the ID token
This commit is contained in:
parent
8ea9d96c77
commit
a0331720cc
1 changed files with 33 additions and 13 deletions
|
@ -59,6 +59,7 @@ pub struct ZeroIDC {
|
||||||
))]
|
))]
|
||||||
struct Inner {
|
struct Inner {
|
||||||
running: bool,
|
running: bool,
|
||||||
|
issuer: String,
|
||||||
auth_endpoint: String,
|
auth_endpoint: String,
|
||||||
oidc_thread: Option<JoinHandle<()>>,
|
oidc_thread: Option<JoinHandle<()>>,
|
||||||
oidc_client: Option<openidconnect::core::CoreClient>,
|
oidc_client: Option<openidconnect::core::CoreClient>,
|
||||||
|
@ -120,6 +121,7 @@ impl ZeroIDC {
|
||||||
let idc = ZeroIDC {
|
let idc = ZeroIDC {
|
||||||
inner: Arc::new(Mutex::new(Inner {
|
inner: Arc::new(Mutex::new(Inner {
|
||||||
running: false,
|
running: false,
|
||||||
|
issuer: issuer.to_string(),
|
||||||
auth_endpoint: auth_ep.to_string(),
|
auth_endpoint: auth_ep.to_string(),
|
||||||
oidc_thread: None,
|
oidc_thread: None,
|
||||||
oidc_client: None,
|
oidc_client: None,
|
||||||
|
@ -439,20 +441,38 @@ impl ZeroIDC {
|
||||||
if need_verifier || csrf_diff || nonce_diff {
|
if need_verifier || csrf_diff || nonce_diff {
|
||||||
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
|
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
|
||||||
let r = i.oidc_client.as_ref().map(|c| {
|
let r = i.oidc_client.as_ref().map(|c| {
|
||||||
let (auth_url, csrf_token, nonce) = c
|
if i.issuer.contains("okta") {
|
||||||
.authorize_url(
|
let (auth_url, csrf_token, nonce) = c
|
||||||
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
|
.authorize_url(
|
||||||
csrf_func(csrf_token),
|
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
|
||||||
nonce_func(nonce),
|
csrf_func(csrf_token),
|
||||||
)
|
nonce_func(nonce),
|
||||||
.add_scope(Scope::new("profile".to_string()))
|
)
|
||||||
.add_scope(Scope::new("email".to_string()))
|
.add_scope(Scope::new("profile".to_string()))
|
||||||
.add_scope(Scope::new("offline_access".to_string()))
|
.add_scope(Scope::new("email".to_string()))
|
||||||
.add_scope(Scope::new("openid".to_string()))
|
.add_scope(Scope::new("offline_access".to_string()))
|
||||||
.set_pkce_challenge(pkce_challenge)
|
.add_scope(Scope::new("openid".to_string()))
|
||||||
.url();
|
.add_scope(Scope::new("groups".to_string()))
|
||||||
|
.set_pkce_challenge(pkce_challenge)
|
||||||
|
.url();
|
||||||
|
|
||||||
(auth_url, csrf_token, nonce)
|
(auth_url, csrf_token, nonce)
|
||||||
|
} else {
|
||||||
|
let (auth_url, csrf_token, nonce) = c
|
||||||
|
.authorize_url(
|
||||||
|
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
|
||||||
|
csrf_func(csrf_token),
|
||||||
|
nonce_func(nonce),
|
||||||
|
)
|
||||||
|
.add_scope(Scope::new("profile".to_string()))
|
||||||
|
.add_scope(Scope::new("email".to_string()))
|
||||||
|
.add_scope(Scope::new("offline_access".to_string()))
|
||||||
|
.add_scope(Scope::new("openid".to_string()))
|
||||||
|
.set_pkce_challenge(pkce_challenge)
|
||||||
|
.url();
|
||||||
|
|
||||||
|
(auth_url, csrf_token, nonce)
|
||||||
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
if let Some(r) = r {
|
if let Some(r) = r {
|
||||||
|
|
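Review bot: The new `if i.issuer.contains("okta")` branch duplicates the whole `authorize_url(...)...url()` chain, with the two copies differing only in the extra `.add_scope(Scope::new("groups".to_string()))`; any future change to the flow, scopes or PKCE setup now has to be made twice, and the copies can silently drift. Build the request once, append the `groups` scope conditionally, and finish the chain after the `if`, as sketched below. The `contains("okta")` test is a substring match on the whole issuer URL rather than on its host, so it also fires for unrelated issuers whose URL merely contains that text — the effect is only an extra scope being requested, but a comment stating that this is intentional (or a host-based check) would make the intent clear. The enclosing function begins before this hunk, so the types of `csrf_token`, `nonce` and `csrf_func`/`nonce_func` are not visible here.

```rust
let r = i.oidc_client.as_ref().map(|c| {
    let mut req = c
        .authorize_url(
            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
            csrf_func(csrf_token),
            nonce_func(nonce),
        )
        .add_scope(Scope::new("profile".to_string()))
        .add_scope(Scope::new("email".to_string()))
        .add_scope(Scope::new("offline_access".to_string()))
        .add_scope(Scope::new("openid".to_string()));
    // Okta only puts group claims in the ID token when the "groups" scope is requested.
    if i.issuer.contains("okta") {
        req = req.add_scope(Scope::new("groups".to_string()));
    }
    let (auth_url, csrf_token, nonce) = req.set_pkce_challenge(pkce_challenge).url();

    (auth_url, csrf_token, nonce)
});
// … unchanged: `if let Some(r) = r {` handling …
```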