worried-breakfast-57531
01/29/2022, 6:08 PM
picture in my github social login (the scope is “user”, which should allow getting all user profile info). Here’s my mapper jsonnet and identity schema:
proud-plumber-24205
01/31/2022, 3:46 PM
picture property being returned from the github OAuth user
scopes.
https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps
Maybe check out:
https://stackoverflow.com/questions/22932422/get-github-avatar-from-email-or-name
worried-breakfast-57531
01/31/2022, 4:39 PM
claims jsonnet receives and it looks like picture should be included: https://github.com/ory/kratos/blob/v0.2.1-alpha.1/selfservice/strategy/oidc/provider_github.go#L72-L98. Scope shouldn’t be an issue since github’s User endpoint (which is what the scope “user” grants access to AFAIK) includes avatar_url, which Kratos code seems to be mapping to claims.Picture?
proud-plumber-24205
01/31/2022, 4:44 PM
picture.
https://github.com/ory/kratos/blob/16463ead91a009f33373150d10095aa3857b38f4/selfservice/strategy/oidc/provider.go#L27
maybe it is a bug somewhere 🤔
worried-breakfast-57531
01/31/2022, 4:45 PM
proud-plumber-24205
01/31/2022, 5:08 PM
worried-breakfast-57531
01/31/2022, 5:09 PM
{
  "$id": "https://kratos.sidetrek.com/registration.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              }
            }
          }
        },
        "name": {
          "type": "string"
        },
        "picture": {
          "type": "string"
        }
      }
    }
  }
}
courier:
  smtp:
    connection_uri: smtp://
serve:
  admin:
    base_url: http://127.0.0.1:4434/
  public:
    base_url: http://127.0.0.1:4433/
    cors:
      enabled: true
      allowed_origins:
        - http://127.0.0.1:3002
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
identity:
  default_schema_url: file://./default.schema.json
dsn: postgres://
selfservice:
  default_browser_return_url: https://sidetrek.com
  whitelisted_return_urls:
    - https://sidetrek.com
  flows:
    registration:
      after:
        oidc:
          hooks:
            - hook: session
    logout:
      after:
        default_browser_return_url: 'http://127.0.0.1:3002/login'
    error:
      ui_url: 'http://127.0.0.1:3002/error'
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: github
            provider: github
            mapper_url: 'file://./oidc.github.jsonnet'
            client_id: ''
            client_secret: ''
            scope:
              - 'user'
# claims contains all the data sent by the upstream.
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      // [if std.objectHas(claims, "issuer") then "issuer" else null]: claims.issuer,
      [if std.objectHas(claims, "email") && claims.email_verified then "email" else null]: claims.email,
      [if std.objectHas(claims, "name") then "name" else null]: claims.name,
      [if std.objectHas(claims, "picture") then "picture" else null]: claims.picture,
    },
  },
}
proud-plumber-24205
01/31/2022, 5:10 PM
scope:
  - user:email
worried-breakfast-57531
01/31/2022, 5:11 PM
proud-plumber-24205
01/31/2022, 5:12 PM
GNU nano 4.8 oidc.github.jsonnet
local claims = {
  email_verified: false
} + std.extVar('claims');
{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // Therefore we only return the email if it (a) exists and (b) is marked verified
      // by GitHub.
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
      [if "picture" in claims then "picture" else null]: claims.picture,
    },
  },
}
worried-breakfast-57531
01/31/2022, 5:12 PM
proud-plumber-24205
01/31/2022, 5:13 PM
worried-breakfast-57531
01/31/2022, 5:13 PM
domain_aliases: [
  {
    match_domain: `sidetrek.com`,
    base_path: '/',
    scheme: 'https',
  },
  {
    match_domain: `staging.sidetrek.com`,
    base_path: '/',
    scheme: 'https',
  },
],

domain_aliases: [
  {
    match_domain: `sidetrek.com`,
    base_path: '/',
    scheme: 'https',
  },
  {
    match_domain: `*.sidetrek.com`,
    base_path: '/',
    scheme: 'https',
  },
],
proud-plumber-24205
01/31/2022, 9:57 PM
worried-breakfast-57531
01/31/2022, 9:59 PM
staging.sidetrek.com and jhub.sidetrek.com - but possibly more things that users can dynamically add like mlflow.sidetrek.com
Access to XMLHttpRequest at 'https://kratos.sidetrek.com/self-service/login?flow=60ce0306-a201-4042-8cbe-58e23e7a5ff5' from origin 'https://auth.sidetrek.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
cors: {
  enabled: true,
  allowed_origins: [
    `https://${appApexHostname}`,
    `https://${appWildcardHostname}`,
    // `https://auth.sidetrek.com`,
  ],
  allowed_methods: ['POST', 'GET', 'PUT', 'PATCH', 'DELETE'],
  allowed_headers: ['Authorization', 'Cookie', 'Content-Type'],
  exposed_headers: ['Content-Type', 'Set-Cookie'],
},
GET https://kratos.sidetrek.com/self-service/login/browser
proud-plumber-24205
02/01/2022, 10:48 AM