OIDC connector claimMapping has no impact

[michalvanco]

Hi folks,

I have a question about the possibilities how to troubleshoot the situation when the claimMapping configuration of OIDC connector has no impact and keeps the original value.

My situation:

• I have deployed dex which has following claims supported:

"claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "iat",
  "iss",
  "locale",
  "name",
  "sub"
]

• I have configured OIDC connector other provider like:

connectors:
- type: oidc
  id: idp-test
  name: Custom OIDC
  config:
    issuer: https://<HOST>
    clientID: <CLIENT-ID>
    clientSecret: <SECRET>
    redirectURI: https://<DEX-HOST>/dex/callback
    scopes:
    - email
    - profile
    - openid
    - customBase
    getUserInfo: true
    insecureSkipEmailVerified: true
  claimMapping:
    email: customEmailID

• the connected provider has following claims supported:

"claims_supported": [
  "aud",
  "iss",
  "sub",
  "iat",
  "exp",
  "acr",
  "auth_time",
  "email",
  "email_verified",
  "name",
  "family_name",
  "given_name",
  "customEmailID",
],

• required claim customEmailID is part of the customBase scope

After the connector configuration is applied to dex, claim mapping after logging in custom provider has no effect (I can see that the information is released from provider).

I also tried some other variants like email: "customBase:customEmailID" or email: sub but I am always getting the original value.

Is there alternatively some way how to troubleshoot such OIDC integration? e.g. to see exactly what claims are being returned with which values etc.?

Dex version: v2.27.0

Thank you in advance for any help.

[nabokihms]

It looks like you need to indent the claimMapping field a little more.
example:

connectors:
- type: oidc
  id: idp-test
  name: Custom OIDC
  config:
    issuer: https://<HOST>
    clientID: <CLIENT-ID>
    clientSecret: <SECRET>
    redirectURI: https://<DEX-HOST>/dex/callback
    scopes:
    - email
    - profile
    - openid
    - customBase
    getUserInfo: true
    insecureSkipEmailVerified: true
    claimMapping:
      email: customEmailID

You can find the example with a detailed description here https://dexidp.io/docs/connectors/oidc/#configuration

[michalvanco]

Thanks @nabokihms for the hint, anyway it is still behaving the same and I am not getting the value I expect in email.

I tried again:

claimMapping:
  email: customEmailID

and

claimMapping:
  email: "customBase:customEmailID"

(which one is correct btw..?)

Thanks!

[nabokihms]

The first one seems correct.

[michalvanco]

We have just discovered in the code that the claimMapping is only applied the original claim is not available.

https://github.com/dexidp/dex/blob/master/connector/oidc/oidc.go#L304-L310

But this is not the case here, we actually want to change the default mapping of email claim to other claim.

So we have customEmailID and email and we would like to use customEmailID as the right claim for email.

@nabokihms - that should be doable in either in specific code above or by using other configuration option (so that the behavior is properly described).

Thanks!

[nabokihms]

In fact, it's me who should thank you. I opened an issue to track the problem
#2162

[jonra82]

I'm also having troubles with claim mapping. I have a Dex instance connected to a ADFS 2019 server. When I authenticate against Dex and ADFS I get an exception about "missing name claim". I know ADFS does not return a "name: something" claim. I can see it when I inspect the id-token it returns. In the token it has claims:

{
"upn": "[email protected]",
"unique_name": "addomain\username",
}

I want Dex to map the upn claim to name.

In Dex Config I have the following:

- config:
  id: adfs
  name: adfs
  type: oidc
  config:
    issuer: https://fs.something*/adfs
    clientID: someclientid
    clientSecret: somesecret
    redirectURI: https://somethingdex/callback
    scopes:
    - profile
    - email
    - groups
    - openid
    - allatclaims
    insecureEnableGroups: true
    getUserInfo: true
    insecureSkipEmailVerified: true
    claimMapping: #this seems to have no effect, Dex still complains about missing name claim
      name: upn #this seems to have no effect, Dex still complains about missing name claim

any tips?

[jonra82]

Nevermind, got this working!