> On 6 May 2016, at 02.39, Christopher L. Cousins <[email protected]> wrote:
>
>>> Hello Bobby,
>>>
>>> For this type of a connector to be useful to me, I would still need to be
>>> able to then enrich the JWTs with additional claims. oidc.Identity as
>>> returned by Identity() today does not allow/encourage this. Is there another
>>> extension point (real or planned) for connectors that would allow me to pass
>>> along additional information?
>>
>> I agree with the limitedness of oidc.Identity. A little background here:
>> originally dex was an internal project and it comprised what is now dex and
>> what is now go-oidc in one project. When we decided to open-source it, we
>> split it up into dex, the IdP, and go-oidc, the OIDC library. Some stuff made
>> it into go-oidc which, in retrospect, probably is dex-specific.
>>
>> Identity I think is one of those things. Off the top of my head, I would do
>> something like the following: remove dex's dependency on the Identity type,
>> and create one within dex. This might be a big change in terms of LOC, but
>> fairly mechanical (I think). Then add something like "other claims" which
>> could just be a Claims object. Then connectors could populate it with
>> whatever they want.
>
> Rather than creating a type specific to dex, is there any reason to not
> modify the existing oidc.Identity type to support additional claims? For my
> specific needs, the changes I'm interested in for the type are not really dex
> specific, but are specific to oidc.
I tend to agree. Have a look at
http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

I'm in the process of preparing a patch to extend the go-oidc Identity with
all the standard claims as well as a way to handle additional claims.

-- 
Frode Nordahl
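As an added illustration of the "other claims" idea discussed above, and not code from dex or go-oidc: the sketch below assumes a hypothetical Identity struct carrying a subset of the OIDC standard claims as typed fields plus an Extra bag of connector-supplied claims, and a hypothetical BuildIDTokenClaims function that merges them into an ID token claim set. The point a practitioner would want settled before merging such an extension point is precedence: whatever a connector puts into the extra-claims bag must not be able to shadow the claims the IdP itself is responsible for (iss, sub, aud, exp, iat, nonce and friends), otherwise a misbehaving connector, or the upstream directory it talks to, could rewrite the identity or lifetime of a token. The reserved-claim list and the sample connector output are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Claims is a hypothetical "other claims" bag of the kind proposed in the
// thread: arbitrary extra claims a connector wants carried into the ID token.
type Claims map[string]interface{}

// Identity is an illustrative extended identity type (not go-oidc's or dex's
// actual type): a few OIDC standard claims as typed fields plus Extra for
// connector-supplied claims such as groups or a tenant id.
type Identity struct {
	Subject       string
	Name          string
	Email         string
	EmailVerified bool
	Extra         Claims
}

// reservedClaims are ID token claims only the IdP may set. If a connector
// could write them through Extra, it could forge the issuer, subject,
// audience, expiry or nonce binding of a token, so they are filtered out.
var reservedClaims = map[string]bool{
	"iss": true, "sub": true, "aud": true, "exp": true, "iat": true,
	"auth_time": true, "nonce": true, "azp": true, "at_hash": true, "c_hash": true,
}

// BuildIDTokenClaims merges an Identity into an ID token claim set.
// Extra claims are copied first (minus reserved names), the typed standard
// claims are written next so they win over a same-named Extra entry, and the
// IdP-controlled claims are written last. The sorted list of rejected Extra
// names is returned so the caller can log which connector tried to set them.
func BuildIDTokenClaims(id Identity, issuer, clientID, nonce string, now time.Time, ttl time.Duration) (Claims, []string) {
	out := Claims{}
	rejected := []string{}
	for k, v := range id.Extra {
		if reservedClaims[k] {
			rejected = append(rejected, k)
			continue
		}
		out[k] = v
	}
	sort.Strings(rejected)

	if id.Name != "" {
		out["name"] = id.Name
	}
	if id.Email != "" {
		out["email"] = id.Email
		out["email_verified"] = id.EmailVerified
	}

	out["iss"] = issuer
	out["sub"] = id.Subject
	out["aud"] = clientID
	out["iat"] = now.Unix()
	out["exp"] = now.Add(ttl).Unix()
	if nonce != "" {
		out["nonce"] = nonce
	}
	return out, rejected
}

func main() {
	// Constructed sample: what a hypothetical directory connector might return,
	// including a deliberate attempt to smuggle in a reserved claim.
	id := Identity{
		Subject:       "1a2b3c",
		Name:          "Ada Example",
		Email:         "ada@example.com",
		EmailVerified: true,
		Extra: Claims{
			"groups": []string{"developers", "oncall"},
			"iss":    "https://attacker.example", // must never reach the token
		},
	}
	now := time.Unix(1462495140, 0) // fixed clock so the output is reproducible
	claims, rejected := BuildIDTokenClaims(id, "https://idp.example.com", "my-client", "n-0S6_WzA2Mj", now, time.Hour)
	body, _ := json.MarshalIndent(claims, "", "  ")
	fmt.Println(string(body))
	fmt.Println("rejected extra claims:", rejected)
}
```

The same ordering rule is what makes it safe to let the typed standard-claim fields and the free-form bag coexist on one type: if go-oidc's Identity grew both, the token builder rather than the connector should own the last write for every claim the spec marks as issuer-controlled.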
