2020-02-06 20:09:30 +02:00
|
|
|
package providers
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2021-04-21 11:33:27 +02:00
|
|
|
"encoding/base64"
|
2020-02-06 20:09:30 +02:00
|
|
|
"encoding/json"
|
2021-04-21 11:33:27 +02:00
|
|
|
"fmt"
|
2020-02-06 20:09:30 +02:00
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"net/url"
|
|
|
|
|
"testing"
|
2020-03-14 12:14:15 +02:00
|
|
|
|
2021-07-17 18:55:05 +02:00
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2022-02-15 13:18:32 +02:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
2020-09-29 18:44:42 +02:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
|
2021-04-21 11:33:27 +02:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption"
|
2022-02-15 19:24:48 +02:00
|
|
|
internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"
|
2020-11-28 02:17:59 +02:00
|
|
|
"github.com/stretchr/testify/assert"
|
2020-02-06 20:09:30 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type redeemTokenResponse struct {
|
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
|
RefreshToken string `json:"refresh_token"`
|
|
|
|
|
ExpiresIn int64 `json:"expires_in"`
|
|
|
|
|
TokenType string `json:"token_type"`
|
|
|
|
|
IDToken string `json:"id_token,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-15 13:18:32 +02:00
|
|
|
func newOIDCProvider(serverURL *url.URL, skipNonce bool) *OIDCProvider {
|
2022-02-16 16:06:25 +02:00
|
|
|
verificationOptions := internaloidc.IDTokenVerificationOptions{
|
2022-02-15 18:12:22 +02:00
|
|
|
AudienceClaims: []string{"aud"},
|
|
|
|
|
ClientID: "https://test.myapp.com",
|
|
|
|
|
}
|
2020-02-06 20:09:30 +02:00
|
|
|
providerData := &ProviderData{
|
|
|
|
|
ProviderName: "oidc",
|
2020-11-28 02:17:59 +02:00
|
|
|
ClientID: oidcClientID,
|
|
|
|
|
ClientSecret: oidcSecret,
|
2020-02-06 20:09:30 +02:00
|
|
|
LoginURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/login/oauth/authorize"},
|
|
|
|
|
RedeemURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/login/oauth/access_token"},
|
|
|
|
|
ProfileURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/profile"},
|
|
|
|
|
ValidateURL: &url.URL{
|
|
|
|
|
Scheme: serverURL.Scheme,
|
|
|
|
|
Host: serverURL.Host,
|
|
|
|
|
Path: "/api"},
|
2020-11-28 02:17:59 +02:00
|
|
|
Scope: "openid profile offline_access",
|
|
|
|
|
EmailClaim: "email",
|
|
|
|
|
GroupsClaim: "groups",
|
2021-06-26 12:49:08 +02:00
|
|
|
UserClaim: "sub",
|
2022-02-15 18:12:22 +02:00
|
|
|
Verifier: internaloidc.NewVerifier(oidc.NewVerifier(
|
2020-11-28 02:17:59 +02:00
|
|
|
oidcIssuer,
|
|
|
|
|
mockJWKS{},
|
|
|
|
|
&oidc.Config{ClientID: oidcClientID},
|
2022-02-15 18:12:22 +02:00
|
|
|
), verificationOptions),
|
2020-11-16 04:57:48 +02:00
|
|
|
}
|
|
|
|
|
|
2022-02-15 13:18:32 +02:00
|
|
|
p := NewOIDCProvider(providerData, options.OIDCOptions{
|
|
|
|
|
InsecureSkipNonce: skipNonce,
|
|
|
|
|
})
|
2020-02-06 20:09:30 +02:00
|
|
|
|
|
|
|
|
return p
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newOIDCServer(body []byte) (*url.URL, *httptest.Server) {
|
|
|
|
|
s := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
|
rw.Header().Add("content-type", "application/json")
|
|
|
|
|
_, _ = rw.Write(body)
|
|
|
|
|
}))
|
|
|
|
|
u, _ := url.Parse(s.URL)
|
|
|
|
|
return u, s
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-30 00:58:01 +02:00
|
|
|
func newTestOIDCSetup(body []byte) (*httptest.Server, *OIDCProvider) {
|
2020-02-06 20:09:30 +02:00
|
|
|
redeemURL, server := newOIDCServer(body)
|
2022-02-15 13:18:32 +02:00
|
|
|
provider := newOIDCProvider(redeemURL, false)
|
2020-02-06 20:09:30 +02:00
|
|
|
return server, provider
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-21 11:33:27 +02:00
|
|
|
func TestOIDCProviderGetLoginURL(t *testing.T) {
|
|
|
|
|
serverURL := &url.URL{
|
|
|
|
|
Scheme: "https",
|
|
|
|
|
Host: "oauth2proxy.oidctest",
|
|
|
|
|
}
|
2022-02-15 13:18:32 +02:00
|
|
|
provider := newOIDCProvider(serverURL, true)
|
2021-04-21 11:33:27 +02:00
|
|
|
|
2022-03-13 12:08:33 +02:00
|
|
|
n, err := encryption.Nonce(32)
|
2021-04-21 11:33:27 +02:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
nonce := base64.RawURLEncoding.EncodeToString(n)
|
|
|
|
|
|
|
|
|
|
// SkipNonce defaults to true
|
2022-02-16 18:18:51 +02:00
|
|
|
skipNonce := provider.GetLoginURL("http://redirect/", "", nonce, url.Values{})
|
2021-04-21 11:33:27 +02:00
|
|
|
assert.NotContains(t, skipNonce, "nonce")
|
2020-02-06 20:09:30 +02:00
|
|
|
|
2021-04-21 11:33:27 +02:00
|
|
|
provider.SkipNonce = false
|
2022-02-16 18:18:51 +02:00
|
|
|
withNonce := provider.GetLoginURL("http://redirect/", "", nonce, url.Values{})
|
2021-04-21 11:33:27 +02:00
|
|
|
assert.Contains(t, withNonce, fmt.Sprintf("nonce=%s", nonce))
|
2022-03-13 12:08:33 +02:00
|
|
|
assert.NotContains(t, withNonce, "code_challenge")
|
|
|
|
|
assert.NotContains(t, withNonce, "code_challenge_method")
|
2021-04-21 11:33:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestOIDCProviderRedeem(t *testing.T) {
|
2020-02-06 20:09:30 +02:00
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-30 00:58:01 +02:00
|
|
|
server, provider := newTestOIDCSetup(body)
|
2020-02-06 20:09:30 +02:00
|
|
|
defer server.Close()
|
|
|
|
|
|
2022-03-13 12:08:33 +02:00
|
|
|
session, err := provider.Redeem(context.Background(), provider.RedeemURL.String(), "code1234", "")
|
2020-02-06 20:09:30 +02:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Email, session.Email)
|
|
|
|
|
assert.Equal(t, accessToken, session.AccessToken)
|
|
|
|
|
assert.Equal(t, idToken, session.IDToken)
|
|
|
|
|
assert.Equal(t, refreshToken, session.RefreshToken)
|
|
|
|
|
assert.Equal(t, "123456789", session.User)
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-28 08:46:46 +02:00
|
|
|
func TestOIDCProviderRedeem_custom_userid(t *testing.T) {
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-30 00:58:01 +02:00
|
|
|
server, provider := newTestOIDCSetup(body)
|
2020-11-27 05:00:30 +02:00
|
|
|
provider.EmailClaim = "phone_number"
|
2020-04-28 08:46:46 +02:00
|
|
|
defer server.Close()
|
|
|
|
|
|
2022-03-13 12:08:33 +02:00
|
|
|
session, err := provider.Redeem(context.Background(), provider.RedeemURL.String(), "code1234", "")
|
2020-04-28 08:46:46 +02:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Phone, session.Email)
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-06 20:09:30 +02:00
|
|
|
func TestOIDCProviderRefreshSessionIfNeededWithoutIdToken(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-30 00:58:01 +02:00
|
|
|
server, provider := newTestOIDCSetup(body)
|
2020-02-06 20:09:30 +02:00
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
existingSession := &sessions.SessionState{
|
|
|
|
|
AccessToken: "changeit",
|
|
|
|
|
IDToken: idToken,
|
2020-05-30 09:53:38 +02:00
|
|
|
CreatedAt: nil,
|
|
|
|
|
ExpiresOn: nil,
|
2020-02-06 20:09:30 +02:00
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
Email: "janedoe@example.com",
|
|
|
|
|
User: "11223344",
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-07 01:33:13 +02:00
|
|
|
refreshed, err := provider.RefreshSession(context.Background(), existingSession)
|
2020-02-06 20:09:30 +02:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, refreshed, true)
|
|
|
|
|
assert.Equal(t, "janedoe@example.com", existingSession.Email)
|
|
|
|
|
assert.Equal(t, accessToken, existingSession.AccessToken)
|
|
|
|
|
assert.Equal(t, idToken, existingSession.IDToken)
|
|
|
|
|
assert.Equal(t, refreshToken, existingSession.RefreshToken)
|
|
|
|
|
assert.Equal(t, "11223344", existingSession.User)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestOIDCProviderRefreshSessionIfNeededWithIdToken(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
idToken, _ := newSignedTestIDToken(defaultIDToken)
|
|
|
|
|
body, _ := json.Marshal(redeemTokenResponse{
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
ExpiresIn: 10,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
IDToken: idToken,
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-30 00:58:01 +02:00
|
|
|
server, provider := newTestOIDCSetup(body)
|
2020-02-06 20:09:30 +02:00
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
existingSession := &sessions.SessionState{
|
|
|
|
|
AccessToken: "changeit",
|
|
|
|
|
IDToken: "changeit",
|
2020-05-30 09:53:38 +02:00
|
|
|
CreatedAt: nil,
|
|
|
|
|
ExpiresOn: nil,
|
2020-02-06 20:09:30 +02:00
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
Email: "changeit",
|
|
|
|
|
User: "changeit",
|
|
|
|
|
}
|
2021-03-07 01:33:13 +02:00
|
|
|
refreshed, err := provider.RefreshSession(context.Background(), existingSession)
|
2020-02-06 20:09:30 +02:00
|
|
|
assert.Equal(t, nil, err)
|
|
|
|
|
assert.Equal(t, refreshed, true)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Email, existingSession.Email)
|
|
|
|
|
assert.Equal(t, defaultIDToken.Subject, existingSession.User)
|
|
|
|
|
assert.Equal(t, accessToken, existingSession.AccessToken)
|
|
|
|
|
assert.Equal(t, idToken, existingSession.IDToken)
|
|
|
|
|
assert.Equal(t, refreshToken, existingSession.RefreshToken)
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-26 21:53:41 +02:00
|
|
|
func TestOIDCProviderCreateSessionFromToken(t *testing.T) {
|
2020-07-27 23:51:29 +02:00
|
|
|
testCases := map[string]struct {
|
2020-07-28 20:42:09 +02:00
|
|
|
IDToken idTokenClaims
|
|
|
|
|
GroupsClaim string
|
|
|
|
|
ExpectedUser string
|
|
|
|
|
ExpectedEmail string
|
2020-11-30 00:58:01 +02:00
|
|
|
ExpectedGroups []string
|
2020-07-27 23:51:29 +02:00
|
|
|
}{
|
|
|
|
|
"Default IDToken": {
|
2020-07-28 20:42:09 +02:00
|
|
|
IDToken: defaultIDToken,
|
|
|
|
|
GroupsClaim: "groups",
|
2020-11-28 02:17:59 +02:00
|
|
|
ExpectedUser: "123456789",
|
|
|
|
|
ExpectedEmail: "janed@me.com",
|
2020-07-28 20:42:09 +02:00
|
|
|
ExpectedGroups: []string{"test:a", "test:b"},
|
2020-07-27 23:51:29 +02:00
|
|
|
},
|
2020-08-10 03:18:02 +02:00
|
|
|
"Minimal IDToken with no email claim": {
|
2020-07-28 20:42:09 +02:00
|
|
|
IDToken: minimalIDToken,
|
|
|
|
|
GroupsClaim: "groups",
|
2020-11-28 02:17:59 +02:00
|
|
|
ExpectedUser: "123456789",
|
|
|
|
|
ExpectedEmail: "123456789",
|
2020-11-30 00:58:01 +02:00
|
|
|
ExpectedGroups: nil,
|
2020-07-28 20:42:09 +02:00
|
|
|
},
|
|
|
|
|
"Custom Groups Claim": {
|
|
|
|
|
IDToken: defaultIDToken,
|
2020-11-28 02:17:59 +02:00
|
|
|
GroupsClaim: "roles",
|
|
|
|
|
ExpectedUser: "123456789",
|
|
|
|
|
ExpectedEmail: "janed@me.com",
|
2020-07-28 20:42:09 +02:00
|
|
|
ExpectedGroups: []string{"test:c", "test:d"},
|
2020-07-27 23:51:29 +02:00
|
|
|
},
|
2020-11-28 02:17:59 +02:00
|
|
|
"Complex Groups Claim": {
|
2021-06-26 12:49:08 +02:00
|
|
|
IDToken: complexGroupsIDToken,
|
|
|
|
|
GroupsClaim: "groups",
|
|
|
|
|
ExpectedUser: "123456789",
|
|
|
|
|
ExpectedEmail: "complex@claims.com",
|
|
|
|
|
ExpectedGroups: []string{
|
|
|
|
|
"{\"groupId\":\"Admin Group Id\",\"roles\":[\"Admin\"]}",
|
|
|
|
|
"12345",
|
|
|
|
|
"Just::A::String",
|
|
|
|
|
},
|
2020-11-03 20:10:08 +02:00
|
|
|
},
|
2020-07-27 23:51:29 +02:00
|
|
|
}
|
|
|
|
|
for testName, tc := range testCases {
|
|
|
|
|
t.Run(testName, func(t *testing.T) {
|
2020-11-30 00:58:01 +02:00
|
|
|
server, provider := newTestOIDCSetup([]byte(`{}`))
|
2020-07-28 20:42:09 +02:00
|
|
|
provider.GroupsClaim = tc.GroupsClaim
|
2020-07-27 23:51:29 +02:00
|
|
|
defer server.Close()
|
|
|
|
|
|
|
|
|
|
rawIDToken, err := newSignedTestIDToken(tc.IDToken)
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
2020-11-16 04:57:48 +02:00
|
|
|
ss, err := provider.CreateSessionFromToken(context.Background(), rawIDToken)
|
2020-07-27 23:51:29 +02:00
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
2020-08-10 03:18:02 +02:00
|
|
|
assert.Equal(t, tc.ExpectedUser, ss.User)
|
|
|
|
|
assert.Equal(t, tc.ExpectedEmail, ss.Email)
|
2020-11-30 00:58:01 +02:00
|
|
|
assert.Equal(t, tc.ExpectedGroups, ss.Groups)
|
2020-07-27 23:51:29 +02:00
|
|
|
assert.Equal(t, rawIDToken, ss.IDToken)
|
|
|
|
|
assert.Equal(t, rawIDToken, ss.AccessToken)
|
|
|
|
|
assert.Equal(t, "", ss.RefreshToken)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
