Do not collect IdP tokens unless configured to do so

vouch · Jul 23, 2020 · db32069 · db32069
1 parent dc5d4b6
commit db32069
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/.defaults.yml b/.defaults.yml
@@ -42,8 +42,9 @@ vouch:
     redirect: X-Vouch-Requested-URI
     # claims:
     claimheader: X-Vouch-IdP-Claims-
-    accesstoken: X-Vouch-IdP-AccessToken
-    idtoken: X-Vouch-IdP-IdToken
+    # https://github.com/vouch/vouch-proxy/issues/287
+    # accesstoken: X-Vouch-IdP-AccessToken
+    # idtoken: X-Vouch-IdP-IdToken
   # test_url:
   # post_logout_redirect_uris:
 # oauth:

diff --git a/pkg/jwtmanager/jwtmanager.go b/pkg/jwtmanager/jwtmanager.go
@@ -36,8 +36,8 @@ type VouchClaims struct {
 	Username     string   `json:"username"`
 	Sites        []string `json:"sites"` // tempting to make this a map but the array is fewer characters in the jwt
 	CustomClaims map[string]interface{}
-//	PAccessToken string
-//	PIdToken     string
+	PAccessToken string
+	PIdToken     string
 	jwt.StandardClaims
 }
 
@@ -86,6 +86,15 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt
 		StandardClaims,
 	}
 
+	// https://github.com/vouch/vouch-proxy/issues/287
+	if cfg.Cfg.Headers.AccessToken == "" {
+		claims.PAccessToken = ""
+	} 
+
+	if cfg.Cfg.Headers.IDToken == "" {
+		claims.PIdToken = ""
+	}
+
 	claims.StandardClaims.ExpiresAt = time.Now().Add(time.Minute * time.Duration(cfg.Cfg.JWT.MaxAge)).Unix()
 
 	// https://godoc.org/github.com/dgrijalva/jwt-go#NewWithClaims