oauth2-proxy/providers/provider_default.go

package providers

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"net/url"
	"time"

	"github.com/coreos/go-oidc"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
)

var (
	// ErrNotImplemented is returned when a provider did not override a default
	// implementation method that doesn't have sensible defaults
	ErrNotImplemented = errors.New("not implemented")

	_ Provider = (*ProviderData)(nil)
)

// Redeem provides a default implementation of the OAuth2 token redemption process
func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s *sessions.SessionState, err error) {
	if code == "" {
		err = errors.New("missing code")
		return
	}
	clientSecret, err := p.GetClientSecret()
	if err != nil {
		return
	}

	params := url.Values{}
	params.Add("redirect_uri", redirectURL)
	params.Add("client_id", p.ClientID)
	params.Add("client_secret", clientSecret)
	params.Add("code", code)
	params.Add("grant_type", "authorization_code")
	if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
		params.Add("resource", p.ProtectedResource.String())
	}

	result := requests.New(p.RedeemURL.String()).
		WithContext(ctx).
		WithMethod("POST").
		WithBody(bytes.NewBufferString(params.Encode())).
		SetHeader("Content-Type", "application/x-www-form-urlencoded").
		Do()
	if result.Error() != nil {
		return nil, result.Error()
	}

	// blindly try json and x-www-form-urlencoded
	var jsonResponse struct {
		AccessToken string `json:"access_token"`
	}
	err = result.UnmarshalInto(&jsonResponse)
	if err == nil {
		s = &sessions.SessionState{
			AccessToken: jsonResponse.AccessToken,
		}
		return
	}

	var v url.Values
	v, err = url.ParseQuery(string(result.Body()))
	if err != nil {
		return
	}
	if a := v.Get("access_token"); a != "" {
		created := time.Now()
		s = &sessions.SessionState{AccessToken: a, CreatedAt: &created}
	} else {
		err = fmt.Errorf("no access token found %s", result.Body())
	}
	return
}

// GetLoginURL with typical oauth parameters
func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
	extraParams := url.Values{}
	a := makeLoginURL(p, redirectURI, state, extraParams)
	return a.String()
}

// GetEmailAddress returns the Account email address
// DEPRECATED: Migrate to EnrichSessionState
func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error) {
	return "", ErrNotImplemented
}

// ValidateGroup validates that the provided email exists in the configured provider
// email group(s).
func (p *ProviderData) ValidateGroup(_ string) bool {
	return true
}

// EnrichSessionState is called after Redeem to allow providers to enrich session fields
// such as User, Email, Groups with provider specific API calls.
func (p *ProviderData) EnrichSessionState(_ context.Context, _ *sessions.SessionState) error {
	return nil
}

// ValidateSessionState validates the AccessToken
func (p *ProviderData) ValidateSessionState(ctx context.Context, s *sessions.SessionState) bool {
	return validateToken(ctx, p, s.AccessToken, nil)
}

// RefreshSessionIfNeeded should refresh the user's session if required and
// do nothing if a refresh is not required
func (p *ProviderData) RefreshSessionIfNeeded(_ context.Context, _ *sessions.SessionState) (bool, error) {
	return false, nil
}

// CreateSessionStateFromBearerToken should be implemented to allow providers
// to convert ID tokens into sessions
func (p *ProviderData) CreateSessionStateFromBearerToken(_ context.Context, _ string, _ *oidc.IDToken) (*sessions.SessionState, error) {
	return nil, ErrNotImplemented
}
Github provider 2015-05-20 23:23:48 -04:00			`package providers`

			`import (`
			`"bytes"`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`"context"`
Github provider 2015-05-20 23:23:48 -04:00			`"errors"`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00			`"fmt"`
Github provider 2015-05-20 23:23:48 -04:00			`"net/url"`
Add CreatedAt to SessionState 2019-05-07 15:32:46 +01:00			`"time"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 08:46:46 +02:00			`"github.com/coreos/go-oidc"`

Fix import path for v7 (#800) * fix import path for v7 find ./ -name ".go" \| xargs sed -i -e 's\|"github.com/oauth2-proxy/oauth2-proxy\|"github.com/oauth2-proxy/oauth2-proxy/v7\|' fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-09-30 01:44:42 +09:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"`
Github provider 2015-05-20 23:23:48 -04:00			`)`

Setup provider.ErrNotImplemented sentinel error 2020-09-26 14:06:52 -07:00			`var (`
			`// ErrNotImplemented is returned when a provider did not override a default`
			`// implementation method that doesn't have sensible defaults`
			`ErrNotImplemented = errors.New("not implemented")`

			`_ Provider = (*ProviderData)(nil)`
			`)`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00
Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// Redeem provides a default implementation of the OAuth2 token redemption process`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s sessions.SessionState, err error) {`
Github provider 2015-05-20 23:23:48 -04:00			`if code == "" {`
			`err = errors.New("missing code")`
			`return`
			`}`
Support for client secret file. (#355) * added ClientSecretFile in ProviderData * add documentation notes on client secret file * added Changelog entry for Client Secret File PR * fixing configuration.md * addressing PR issue of ClientSecret property naming * Update providers/provider_data.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * corrected changelog entry * fixed typo in GetClientSecret Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-02-15 14:44:39 +01:00			`clientSecret, err := p.GetClientSecret()`
			`if err != nil {`
			`return`
			`}`
Github provider 2015-05-20 23:23:48 -04:00
			`params := url.Values{}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-09 00:47:44 +01:00			`params.Add("redirect_uri", redirectURL)`
Github provider 2015-05-20 23:23:48 -04:00			`params.Add("client_id", p.ClientID)`
Support for client secret file. (#355) * added ClientSecretFile in ProviderData * add documentation notes on client secret file * added Changelog entry for Client Secret File PR * fixing configuration.md * addressing PR issue of ClientSecret property naming * Update providers/provider_data.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * corrected changelog entry * fixed typo in GetClientSecret Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-02-15 14:44:39 +01:00			`params.Add("client_secret", clientSecret)`
Github provider 2015-05-20 23:23:48 -04:00			`params.Add("code", code)`
			`params.Add("grant_type", "authorization_code")`
Add Azure Provider 2015-11-09 09:28:34 +01:00			`if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {`
			`params.Add("resource", p.ProtectedResource.String())`
			`}`

Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`result := requests.New(p.RedeemURL.String()).`
Migrate all requests to new builder pattern 2020-07-03 19:27:25 +01:00			`WithContext(ctx).`
			`WithMethod("POST").`
			`WithBody(bytes.NewBufferString(params.Encode())).`
			`SetHeader("Content-Type", "application/x-www-form-urlencoded").`
			`Do()`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`if result.Error() != nil {`
			`return nil, result.Error()`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00			`}`

Github provider 2015-05-20 23:23:48 -04:00			`// blindly try json and x-www-form-urlencoded`
			`var jsonResponse struct {`
			AccessToken string `json:"access_token"`
			`}`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`err = result.UnmarshalInto(&jsonResponse)`
Github provider 2015-05-20 23:23:48 -04:00			`if err == nil {`
Move SessionState to its own package 2019-05-05 13:33:13 +01:00			`s = &sessions.SessionState{`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`AccessToken: jsonResponse.AccessToken,`
			`}`
			`return`
Github provider 2015-05-20 23:23:48 -04:00			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`var v url.Values`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`v, err = url.ParseQuery(string(result.Body()))`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`if err != nil {`
			`return`
			`}`
			`if a := v.Get("access_token"); a != "" {`
Improvements to Session State code (#536) * Drop SessionStateJSON wrapper * Use EncrpytInto/DecryptInto to reduce sessionstate Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-30 08:53:38 +01:00			`created := time.Now()`
			`s = &sessions.SessionState{AccessToken: a, CreatedAt: &created}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`} else {`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`err = fmt.Errorf("no access token found %s", result.Body())`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`}`
			`return`
Github provider 2015-05-20 23:23:48 -04:00			`}`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00
Move actual implementation of default provider GetLoginURL into DefaultGetLoginURL This allows us to reuse code from different providers in case slight modifications to the URL are needed. 2020-09-14 13:22:53 +02:00			`// GetLoginURL with typical oauth parameters`
			`func (p *ProviderData) GetLoginURL(redirectURI, state string) string {`
Refactor makeLoginURL to accept extraParams And don't require the caller to know how to use the returned params. 2020-09-15 10:20:10 +02:00			`extraParams := url.Values{}`
			`a := makeLoginURL(p, redirectURI, state, extraParams)`
immediately redeem refresh token for provider==Google 2015-06-23 13:23:47 -04:00			`return a.String()`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00
Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// GetEmailAddress returns the Account email address`
Add EnrichSessionState as main post-Redeem session updater 2020-09-27 11:46:29 -07:00			`// DEPRECATED: Migrate to EnrichSessionState`
			`func (p ProviderData) GetEmailAddress(_ context.Context, _ sessions.SessionState) (string, error) {`
Setup provider.ErrNotImplemented sentinel error 2020-09-26 14:06:52 -07:00			`return "", ErrNotImplemented`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`}`

google: Support restricting access to a specific group(s) 2015-08-20 03:07:02 -07:00			`// ValidateGroup validates that the provided email exists in the configured provider`
			`// email group(s).`
Add EnrichSessionState as main post-Redeem session updater 2020-09-27 11:46:29 -07:00			`func (p *ProviderData) ValidateGroup(_ string) bool {`
google: Support restricting access to a specific group(s) 2015-08-20 03:07:02 -07:00			`return true`
			`}`

Add EnrichSessionState as main post-Redeem session updater 2020-09-27 11:46:29 -07:00			`// EnrichSessionState is called after Redeem to allow providers to enrich session fields`
			`// such as User, Email, Groups with provider specific API calls.`
			`func (p ProviderData) EnrichSessionState(_ context.Context, _ sessions.SessionState) error {`
			`return nil`
			`}`

Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// ValidateSessionState validates the AccessToken`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) ValidateSessionState(ctx context.Context, s sessions.SessionState) bool {`
			`return validateToken(ctx, p, s.AccessToken, nil)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`}`

Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`// RefreshSessionIfNeeded should refresh the user's session if required and`
			`// do nothing if a refresh is not required`
Add EnrichSessionState as main post-Redeem session updater 2020-09-27 11:46:29 -07:00			`func (p ProviderData) RefreshSessionIfNeeded(_ context.Context, _ sessions.SessionState) (bool, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`return false, nil`
			`}`
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 08:46:46 +02:00
Integrate sessions middlewares 2020-07-18 00:42:51 +01:00			`// CreateSessionStateFromBearerToken should be implemented to allow providers`
			`// to convert ID tokens into sessions`
Add EnrichSessionState as main post-Redeem session updater 2020-09-27 11:46:29 -07:00			`func (p ProviderData) CreateSessionStateFromBearerToken(_ context.Context, _ string, _ oidc.IDToken) (*sessions.SessionState, error) {`
Setup provider.ErrNotImplemented sentinel error 2020-09-26 14:06:52 -07:00			`return nil, ErrNotImplemented`
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 08:46:46 +02:00			`}`