Return a custom error when a token doesn't contain a groups claim. (#104

) * return a custom error when a token doesn't have a groups claim * return a custom error from a client when a token doesn't have a groups claim * codestyle fix * codestyle fix * claims parsing logic fix * claims parsing logic fix 2 * use a library to check token claims
sky-uk · Jun 28, 2024 · 6d511de · 6d511de
1 parent 076adef
commit 6d511de
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/client/azure.go b/client/azure.go
@@ -149,6 +149,12 @@ func (r *azureRetriever) RetrieveClusterDetailsAndAuthTokens(target Target) (*Ta
  if err != nil {
  return nil, err
  }
+
+ err = checkTokenForGroupsClaim(oauthToken.AccessToken)
+ if err != nil {
+ return nil, err
+ }
+
  r.accessToken = oauthToken.AccessToken
  }
 
@@ -248,6 +254,19 @@ func (r *azureRetriever) consumeClientConfigResponse(response *http.Response) (*
  return nil, fmt.Errorf("error fetching ClientConfig from API Server: %s", response.Status)
 }
 
+func checkTokenForGroupsClaim(token string) error {
+ jwt, err := jws.ParseJWT([]byte(token))
+ if err != nil {
+ return fmt.Errorf("oidc: malformed jwt: %v", err)
+ }
+
+ if jwt.Claims().Get("groups") == nil && jwt.Claims().Get("_claim_names") != nil {
+ return fmt.Errorf("users with more than 200 groups are not supported")
+ }
+
+ return nil
+}
+
 type configMap struct {
  Data configMapData `json:"data"`
 }

diff --git a/server/osprey/server.go b/server/osprey/server.go
@@ -284,6 +284,8 @@ type claims struct {
  Email string `json:"email"`
  Groups []string `json:"groups"`
  Name string `json:"name"`
+
+ ClaimNames map[string]string `json:"_claim_names"`
 }
 
 type loginForm struct {