oauth2-proxy userInfo API returns too little data. how to get more granual user data?

1.3k views Asked by At

I have integrated oauth2-proxy with AWS Cognito leveraging Istio as described in jetstack's article, all is running in K8S.

Now I am looking for an approach to get users' data and other attributes like gender, phone_number, or even get cognito:groups value in my frontend app. All this info is present in a JWT payload but not on the frontend side.

Ideas:

  1. An API call to oauth2-proxy's /auth2/userinfo endpoint that returns users' email. Not much, right?
  2. I found that Cognito's oauth2/userInfo should return much more but I don't like the idea to lock my frontend with the aws-sdk or have any deals with JWT on FE side.
  3. Build a backend service that returns a JWT's payload output in custom header leveraging outputPayloadToHeader Istio's RequestAuthentication feature, like whoami does. But wait, one more microservice?

None of these seems right to me.

Is there a better approach that I should take? For example, to extend the oauth2-proxy's /auth2/userinfo endpoint to return more than just an email

I would appreciate any help
Thanks!

1

There are 1 answers

0
Gary Archer On BEST ANSWER

Looks like you are using a Backend for Frontend approach, with OAuth Proxy performing the BFF role. A frontend should be able to ask for userinfo or information from the ID token, as in this Curity example.

However, there seems to be a long outstanding issue with this implementation that you'll need to work around.

Feels like the cleanest workaround should be done in an existing API, in an endpoint such as GET /userclaims. The API receives access tokens so can send them to the Cognito userinfo endpoint, then return results to the client. This avoids the need to use JWTs in the client, or AWS libraries.

Here is some API code of mine that calls Cognito's userinfo endpoint. This can also be a mechanism for including domain specific claims in the userinfo returned to the UI.