Add possibility to add userinfo claims (#680)

Author: p53

docs/content/_index.md

@@ -751,7 +751,7 @@ option is set to `true`.
 
 ## Custom claim headers
 
-You can inject additional claims from the access token and from version 4.6.0 also from ID token into the
+You can inject additional claims from the access token and from version 4.6.0 also from ID token and userinfo into the
 upstream headers with the `--add-claims` option. For example, a
 token from a Keycloak provider might include the following
 claims:

docs/content/configuration/_index.md

@@ -158,6 +158,7 @@ weight: 2
 |    \--enable-request-upstream-compression    | enables asking upstream for compression, by adding Accept-Encoding: gzip header and decompressing response from upstream | true | PROXY_ENABLE_REQUEST_UPSTREAM_COMPRESSION
 |    \--enable-accept-encoding-header          | pass Accept-Encoding header from client to upstream | false | PROXY_ENABLE_ACCEPT_ENCODING_HEADER
 |    \--enable-id-token-claims                 | extract claims also from ID token, you can then use --add-claims option to specify claims from ID token | false | PROXY_ENABLE_ID_TOKEN_CLAIMS
+|    \--enable-userinfo-claims                 | extract claims also from userinfo, you can then use --add-claims option to specify claims | false | PROXY_ENABLE_USER_INFO_CLAIMS
 |    \--enable-loa                             | enable level of authentication            | false |
 |    \--enable-store-ha                        | enable RedisCluster HA client             | false | PROXY_ENABLE_STORE_HA
 |    \--disable-all-logging                    | disables all logging to stdout and stderr | false | PROXY_DISABLE_ALL_LOGGING

e2e/e2e_test.go

@@ -593,7 +593,9 @@ var _ = Describe("Code Flow login/logout", func() {
 			"--enable-encrypted-token=false",
 			"--enable-id-token-claims=true",
 			"--enable-id-token-cookie=true",
+			"--enable-user-info-claims=true",
 			"--add-claims=email_verified",
+			"--add-claims=email",
 			"--enable-pkce=false",
 			"--tls-cert=" + tlsCertificate,
 			"--tls-private-key=" + tlsPrivateKey,
@@ -655,9 +657,11 @@ var _ = Describe("Code Flow login/logout", func() {
 				Expect(err).NotTo(HaveOccurred())
 				Expect(resp.Header().Get("Proxy-Accepted")).To(Equal("true"))
 				body = resp.Body()
+				By(string(body))
 				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
 				Expect(strings.Contains(string(body), anyURI)).To(BeTrue())
-				Expect(body).To(ContainSubstring("X-Auth-Email-Verified"))
+				Expect(body).To(ContainSubstring(`"X-Auth-Email-Verified":["true"]`))
+				Expect(body).To(ContainSubstring(`"X-Auth-Email":["somebody@somewhere.com"]`))
 
 				By("log out")
 				resp, err = rClient.R().Get(proxyAddress + logoutURI)
@@ -832,6 +836,7 @@ var _ = Describe("Code Flow login/logout mTLS", func() {
 			"--enable-register-handler=true",
 			"--enable-encrypted-token=false",
 			"--enable-pkce=false",
+			"--add-claims=email",
 			"--tls-cert=" + tlsCertificate,
 			"--tls-private-key=" + tlsPrivateKey,
 			"--upstream-ca=" + tlsCaCertificate,
@@ -911,6 +916,7 @@ var _ = Describe("Code Flow login/logout mTLS", func() {
 				body = resp.Body()
 				Expect(strings.Contains(string(body), anyURI)).To(BeTrue())
 				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+				Expect(body).To(ContainSubstring(`"X-Auth-Email":[""]`))
 
 				By("log out")
 				resp, err = rClient.R().Get(proxyAddress + logoutURI)

e2e/k8s/manifest.yml

@@ -1025,8 +1025,8 @@ data:
               "config": {
                 "userinfo.token.claim": "true",
                 "user.attribute": "email",
-                "id.token.claim": "true",
-                "access.token.claim": "true",
+                "id.token.claim": "false",
+                "access.token.claim": "false",
                 "claim.name": "email",
                 "jsonType.label": "String"
               }

pkg/keycloak/config/config.go

@@ -201,6 +201,7 @@ type Config struct {
 	EnableRequestUpstreamCompression   bool `env:"ENABLE_REQUEST_UPSTREAM_COMPRESSION" json:"enable-request-upstream-compression" usage:"enables asking upstream for compression, by adding Accept-Encoding: gzip header and decompressing response from upstream" yaml:"enable-request-upstream-compression"`
 	EnableAcceptEncodingHeader         bool `env:"ENABLE_ACCEPT_ENCODING_HEADER" json:"enable-accept-encoding-header" usage:"pass Accept-Encoding header from client to upstream" yaml:"enable-accept-encoding-header"`
 	EnableIDTokenClaims                bool `env:"ENABLE_ID_TOKEN_CLAIMS" json:"enable-id-token-claims" usage:"extract claims also from id token, you can then use --add-claims option to specify claims from id token" yaml:"enable-id-token-claims"`
+	EnableUserInfoClaims               bool `env:"ENABLE_USER_INFO_CLAIMS" json:"enable-user-info-claims" usage:"extract information from userinfo endpoint, you can then use --add-claims to specify claims" yaml:"enable-user-info-claims"`
 	IsDiscoverURILegacy                bool
 }
 

pkg/keycloak/proxy/server.go

@@ -564,6 +564,7 @@ func (r *OauthProxy) CreateReverseProxy() error {
 		r.Config.EnableOptionalEncryption,
 		r.Config.EnableCompressToken,
 		r.Config.EnableIDTokenClaims,
+		r.Config.EnableUserInfoClaims,
 		compressTokenPool,
 	)
 
@@ -858,6 +859,7 @@ func (r *OauthProxy) CreateReverseProxy() error {
 			r.Config.EnableAuthorizationCookies,
 			r.Config.EnableHeaderEncoding,
 			r.Config.EnableIDTokenClaims,
+			r.Config.EnableUserInfoClaims,
 		)
 
 		middlewares := []func(http.Handler) http.Handler{

pkg/proxy/middleware/base.go

@@ -227,6 +227,7 @@ func IdentityHeadersMiddleware(
 	enableAuthzCookies bool,
 	enableHeaderEncoding bool,
 	enableIDTokenClaims bool,
+	enableUserInfoClaims bool,
 ) func(http.Handler) http.Handler {
 	customClaims := make(map[string]string)
 
@@ -317,6 +318,17 @@ func IdentityHeadersMiddleware(
 							headers.Set(header, val)
 						}
 					}
+
+					if enableUserInfoClaims {
+						if claim, found := user.UserInfoClaims[claim]; found {
+							val := fmt.Sprintf("%v", claim)
+							if enableHeaderEncoding {
+								val = mime.BEncoding.Encode(encoding, val)
+							}
+
+							headers.Set(header, val)
+						}
+					}
 				}
 			}
 

pkg/proxy/middleware/oauth.go

@@ -50,6 +50,7 @@ func AuthenticationMiddleware(
 	enableOptionalEncryption bool,
 	enableCompressToken bool,
 	enableIDTokenClaims bool,
+	enableUserInfoClaims bool,
 	compressTokenPool *utils.LimitedBufferPool,
 ) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
@@ -430,19 +431,34 @@ func AuthenticationMiddleware(
 				scope.Identity = user
 			}
 
-			if enableIDPSessionCheck {
+			if enableIDPSessionCheck || enableUserInfoClaims {
 				tokenSource := oauth2.StaticTokenSource(
 					&oauth2.Token{AccessToken: scope.Identity.RawToken},
 				)
 
-				_, err := provider.UserInfo(oidcLibCtx, tokenSource)
+				userInfo, err := provider.UserInfo(oidcLibCtx, tokenSource)
 				if err != nil {
 					scope.Logger.Error(err.Error())
 					core.RevokeProxy(logger, req)
 					next.ServeHTTP(wrt, req)
 
 					return
 				}
+
+				if enableUserInfoClaims {
+					claims := map[string]any{}
+
+					err = userInfo.Claims(&claims)
+					if err != nil {
+						scope.Logger.Error(err.Error())
+						core.RevokeProxy(logger, req)
+						next.ServeHTTP(wrt, req)
+
+						return
+					}
+
+					scope.Identity.UserInfoClaims = claims
+				}
 			}
 
 			*req = *(req.WithContext(ctx))

pkg/proxy/models/user.go

@@ -77,4 +77,6 @@ type UserContext struct {
 	Permissions Permissions
 	// IDClaims
 	IDTokenClaims map[string]any
+	// UserInfoClaims
+	UserInfoClaims map[string]any
 }