cc'ing in Frode who wrote the original LDAP integration. He may have thoughts.
Brandon On Tue, May 3, 2016 at 5:22 PM Christopher L. Cousins <[email protected]> wrote: > Hello, > > > I am planning on using dex to authenticate users with credentials stored > in LDAP. In addition to the information returned in oidc.Identity, I need > to enrich the JWT with additional claims for the users using information > that is also stored in LDAP and I would prefer to collect this information > right after the user authenticates using their LDAP credentials. > > > Since the LDAP searches and other logic I need to use to collect this > additional information are of no use to anyone else, and I don't like the > idea of maintaining a custom branch of dex (modifying the existing LDAP > connector), I was thinking about creating a new 'local-http' connector that > would allow me to run a companion application next to every dex-worker > instance that would handle all of the connector functionally over an HTTP > API on the loopback interface. In my case, this would be sidecar > Kubernetes container in a pod that also contains a (hopefully eventually > stock) dex-worker container. > > > I assume there are other users or potential users of dex that have some > legacy systems like I do, and it would be easier for them to maintain a > separate application with small HTTP API than adding or maintaining > connectors to dex that are not necessarily useful to others. Is this > something that anyone else has expressed interest in? > > > For this type of a connector to be useful to me, I would still need to be > able to then enrich the JWTs with additional claims. oidc.Identity as > returned by Identity() today does not allow/encourage this. Is there > another extension point (real or planned) for connectors that would allow > me to pass along additional information? > > > user.AddToClaims() is another potential extension point I found. I like > that it would work for enriching JWTs for oauth2.GrantTypeRefreshToken > requests too, however adding the additional claims to this function would > require me to use LDAP credentials other than the users, as they are no > longer available at the time of this call. Does anyone think it would be > better to add additional claims here instead of from a connector? > > > Any other ideas on how best to add additional claims? > > > Thanks, > >
