diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index 4141171c..0a85875e 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -40,14 +40,14 @@ func (c openIDConfiguration) Validate() error {
 // openIDPayload represents the fields on the id_token JWT payload.
 type openIDPayload struct {
 jose.Claims
- AtHash string `json:"at_hash"`
- AuthorizedParty string `json:"azp"`
- Email string `json:"email"`
- EmailVerified bool `json:"email_verified"`
- Username string `json:"preferred_username"`
- Hd string `json:"hd"`
- Nonce string `json:"nonce"`
- Groups []string `json:"groups"`
+ AtHash string `json:"at_hash"`
+ AuthorizedParty string `json:"azp"`
+ Email string `json:"email"`
+ EmailVerified bool `json:"email_verified"`
+ PreferredUsername string `json:"preferred_username"`
+ Hd string `json:"hd"`
+ Nonce string `json:"nonce"`
+ Groups []string `json:"groups"`
 }
 
 // OIDC represents an OAuth 2.0 OpenID Connect provider.
@@ -90,10 +90,10 @@ func (o *OIDC) IsAdmin(email string) bool {
 // IsAdmin returns true if the given groups is in the Admins allowlist, false
 // otherwise.
 func (o *OIDC) IsAdminGroup(groups []string) bool {
- for _,g := range groups {
+ for _, g := range groups {
 // The groups and emails can be in the same array for now, but consider
 // making a specialized option later.
- for _,gadmin := range o.Admins {
+ for _, gadmin := range o.Admins {
 if g == gadmin {
 return true
 }
@@ -394,9 +394,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
 }
 // Reuse the contains function provided for simplicity
- if !containsAllMembers(iden.Usernames, []string{claims.Username}){
+ if !containsAllMembers(iden.Usernames, []string{claims.PreferredUsername}) {
 // Add preferred_username to the identity's Username
- iden.Usernames = append(iden.Usernames, claims.Username)
+ iden.Usernames = append(iden.Usernames, claims.PreferredUsername)
 }
 
 // Certificate templates.
@@ -416,7 +416,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 // Use the default template unless no-templates are configured and email is
 // an admin, in that case we will use the parameters in the request.
 isAdmin := o.IsAdmin(claims.Email)
- if !isAdmin && len(claims.Groups)>0 {
+ if !isAdmin && len(claims.Groups) > 0 {
 isAdmin = o.IsAdminGroup(claims.Groups)
 }
 defaultTemplate := sshutil.DefaultTemplate
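Review bot: The renamed check `if !containsAllMembers(iden.Usernames, []string{claims.PreferredUsername})` and the append below it still run when the id_token carries no `preferred_username`, so the zero value `""` is appended to `iden.Usernames` and flows into the SSH principal list; the claim is optional in OIDC, so this is a reachable case, not a theoretical one. Guard the append on a non-empty claim, e.g. `if claims.PreferredUsername != "" && !containsAllMembers(iden.Usernames, []string{claims.PreferredUsername}) {`. It would also help to extend the comment above the check to say that `preferred_username` is an identity-provider-asserted value that the spec does not require to be unique or stable, so principals derived from it are only as trustworthy as the provider's claim mapping. The enclosing AuthorizeSSHSign starts and ends outside this hunk.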