pkg/apis/middleware/session.go

package middleware

import (
	"context"
	"fmt"

	"github.com/coreos/go-oidc/v3/oidc"
	sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr"
)

// TokenToSessionFunc takes a raw ID Token and converts it into a SessionState.
type TokenToSessionFunc func(ctx context.Context, token string) (*sessionsapi.SessionState, error)

// VerifyFunc takes a raw bearer token and verifies it returning the converted
// oidc.IDToken representation of the token.
type VerifyFunc func(ctx context.Context, token string) (*oidc.IDToken, error)

// CreateTokenToSessionFunc provides a handler that is a default implementation
// for converting a JWT into a session.
func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
	return func(ctx context.Context, token string) (*sessionsapi.SessionState, error) {
		var claims struct {
			Subject           string   `json:"sub"`
			Email             string   `json:"email"`
			Verified          *bool    `json:"email_verified"`
			PreferredUsername string   `json:"preferred_username"`
			Groups            []string `json:"groups"`
		}

		idToken, err := verify(ctx, token)
		if err != nil {
			return nil, err
		}

		if err := idToken.Claims(&claims); err != nil {
			return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)
		}

		if claims.Email == "" {
			claims.Email = claims.Subject
		}

		// Ensure email is verified
		// If the email is not verified, return an error
		// If the email_verified claim is missing, assume it is verified
		if !ptr.Deref(claims.Verified, true) {
			return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
		}

		newSession := &sessionsapi.SessionState{
			Email:             claims.Email,
			User:              claims.Subject,
			Groups:            claims.Groups,
			PreferredUsername: claims.PreferredUsername,
			AccessToken:       token,
			IDToken:           token,
			RefreshToken:      "",
			ExpiresOn:         &idToken.Expiry,
		}

		return newSession, nil
	}
}
Add JWT session loader middleware 2020-07-04 19:19:36 +01:00			`package middleware`

			`import (`
			`"context"`
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`"fmt"`
Add JWT session loader middleware 2020-07-04 19:19:36 +01:00
Upgrade go-oidc to v3 (#1264) 2021-07-17 09:55:05 -07:00			`"github.com/coreos/go-oidc/v3/oidc"`
Fix import path for v7 (#800) * fix import path for v7 find ./ -name ".go" \| xargs sed -i -e 's\|"github.com/oauth2-proxy/oauth2-proxy\|"github.com/oauth2-proxy/oauth2-proxy/v7\|' fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-09-30 01:44:42 +09:00			`sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"`
feat: add ensure defaults to all migrated structs Signed-off-by: Jan Larwig <jan@larwig.com> 2025-10-30 09:26:14 +01:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util/ptr"`
Add JWT session loader middleware 2020-07-04 19:19:36 +01:00			`)`

Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`// TokenToSessionFunc takes a raw ID Token and converts it into a SessionState.`
			`type TokenToSessionFunc func(ctx context.Context, token string) (*sessionsapi.SessionState, error)`
Decouple TokenToSession from OIDC & add a generic VerifyFunc 2020-10-23 23:34:06 -07:00
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`// VerifyFunc takes a raw bearer token and verifies it returning the converted`
			`// oidc.IDToken representation of the token.`
			`type VerifyFunc func(ctx context.Context, token string) (*oidc.IDToken, error)`
Add JWT session loader middleware 2020-07-04 19:19:36 +01:00
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`// CreateTokenToSessionFunc provides a handler that is a default implementation`
			`// for converting a JWT into a session.`
			`func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {`
			`return func(ctx context.Context, token string) (*sessionsapi.SessionState, error) {`
			`var claims struct {`
Add groups to session too when creating session from token 2022-03-07 18:54:24 +02:00			Subject string `json:"sub"`
			Email string `json:"email"`
			Verified *bool `json:"email_verified"`
			PreferredUsername string `json:"preferred_username"`
			Groups []string `json:"groups"`
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`}`
Add JWT session loader middleware 2020-07-04 19:19:36 +01:00
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`idToken, err := verify(ctx, token)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := idToken.Claims(&claims); err != nil {`
			`return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)`
			`}`

			`if claims.Email == "" {`
			`claims.Email = claims.Subject`
			`}`

adapting unit tests and fixing minor issues introduced with the derefing Signed-off-by: Jan Larwig <jan@larwig.com> 2025-11-07 23:26:00 +01:00			`// Ensure email is verified`
			`// If the email is not verified, return an error`
			`// If the email_verified claim is missing, assume it is verified`
			`if !ptr.Deref(claims.Verified, true) {`
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)`
			`}`

			`newSession := &sessionsapi.SessionState{`
			`Email: claims.Email,`
			`User: claims.Subject,`
Add groups to session too when creating session from token 2022-03-07 18:54:24 +02:00			`Groups: claims.Groups,`
Generalize and extend default CreateSessionFromToken 2020-11-15 18:57:48 -08:00			`PreferredUsername: claims.PreferredUsername,`
			`AccessToken: token,`
			`IDToken: token,`
			`RefreshToken: "",`
			`ExpiresOn: &idToken.Expiry,`
			`}`

			`return newSession, nil`
			`}`
Add JWT session loader middleware 2020-07-04 19:19:36 +01:00			`}`