On further reflection, I think this is definitely a bug?

I had a user make a web app that used this proxy for use with CLI tools that did OIDC via PKSE and passed the IDToken as the bearer. He got the X-Forwarded-User as the email claim, vs all the other normal webapps made with our OneLogin OIDC provider had the subject claim as the X-Forwarded-User.

I was very confused at the time, but this is definitely why.

I still owe you an interactive test on this, I haven't dockerized this branch yet to test how it all works deployed as a sidecar in a local kubernetes environment that is setup for OIDC projected service account tokens.

Should I make the default_provider aware of the --user-id-claim flag when mapping claims to a session.Email just the same as the OIDC provider?

@JoelSpeed Let me know what you find out as far as the history of the forced session.Email and not allowing it to be "".

This commit is my take on allowing it: 1dd6ba5

I can ditch it if needed (or cherry pick it to a separate PR to keep this PR purely about the bearer bugs).

I still owe you an interactive test on this, I haven't dockerized this branch yet to test how it all works deployed as a sidecar in a local kubernetes environment that is setup for OIDC projected service account tokens.

This is done, looks good in a kubernetes environment allowing both OneLogin IDTokens (configured provider) OR kubernetes projected service account tokens (extra bearer JWT):

[2020/06/03 17:15:09] [oauthproxy.go:283] Skipping JWT tokens from configured OIDC issuer: "https://greenhouse.onelogin.com/oidc/2"
[2020/06/03 17:15:09] [oauthproxy.go:285] Skipping JWT tokens from extra JWT issuer: "http://oidc.default.svc.cluster.local=sample-app"
...
192.168.144.128 - nick.meves@greenhouse.io [2020/06/03 17:21:27] sample-app.local GET 127.0.0.1:5000 "/sso" HTTP/1.1 "Ruby" 200 1336 0.003
192.168.144.128 - system:serviceaccount:default:dummy [2020/06/03 17:23:46] sample-app.local GET 127.0.0.1:5000 "/sso" HTTP/1.1 "Ruby" 200 1174 0.005

I had the /sso endpoint just spit back the X-Forwarded-* auth headers, you can see the behavior allowing empty session.Email in the service account token output (the experimental commit we can remove from this this PR if desired):

OneLogin OIDC Human IDToken:

{
  "data": {
     "username":  "[REDACTED]",
     "prefered_username": "nick.meves@greenhouse.io",
     "email":  "nick.meves@greenhouse.io"
  }
}

Kubernetes Projected Service Account IDToken:

{
  "data": {
    "username": "system:serviceaccount:default:dummy",
    "prefered_username": null,
    "email": null
  }
}

So I did some archaeology today, my conclusion is that, if the scope contained email, then the response and the userinfo endpoint should have the email value, but if email is not in the scope, then we don't need for it to fallback to anything I don't think

As far as I can tell, the OAuth2 Proxy doesn't require the email to be returned from the provider anywhere, so I think we can get away with not setting it. It's probably better that I rework this into #560

This will likely be a breaking change, though, technically better than the existing behaviour.
I think we should probably look into the user-id-claim work and work out how we move forward with that.

So I did some archaeology today, my conclusion is that, if the scope contained email, then the response and the userinfo endpoint should have the email value, but if email is not in the scope, then we don't need for it to fallback to anything I don't think

As far as I can tell, the OAuth2 Proxy doesn't require the email to be returned from the provider anywhere, so I think we can get away with not setting it. It's probably better that I rework this into #560

This will likely be a breaking change, though, technically better than the existing behaviour.
I think we should probably look into the user-id-claim work and work out how we move forward with that.

I can remove that commit, isn't the end of the world to have a session.Email that isn't an email in cases where the subject claim isn't an email (with it as blank or a non-email from the subject -- both routes require --emails-domains=* to validate appropriately).

I'm not sure this is best handled in the #560 -- its that weird middle ground for how do we agnostically treat extra JWT bearers that aren't from the main provider in a generic way.

IE my case, I like my OIDC provider settings have the user-id claim to email like the default, but I don't want to change that to something just to appease compatibility with whatever extra JWT Bearer Verifiers I add since their IDToken structures could feasibly be all over the place (subject/audience is likely the only thing we can rely on it having).

@NickMeves Can you just confirm this is good to go from your perspective, I believe it is and have no further comments

@steakunderscore I'd appreciate if you could also review this one before merging

Yup, ready to go. I ran some manual tests in a local kubernetes environment and it looked good.

Only area I had a lingering question is the new unit test I added that feels a little sloppy.

Give me the heads up when we're ready and I'll rebase before the merge. I think I keep dismissing your reviews when I push up rebases 😄

I think let's just get this merged, can you rebase?