oauth2-proxy/providers/provider_default.go

package providers

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"net/url"
	"time"

	"github.com/coreos/go-oidc"

	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/requests"
)

var _ Provider = (*ProviderData)(nil)

// Redeem provides a default implementation of the OAuth2 token redemption process
func (p *ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s *sessions.SessionState, err error) {
	if code == "" {
		err = errors.New("missing code")
		return
	}
	clientSecret, err := p.GetClientSecret()
	if err != nil {
		return
	}

	params := url.Values{}
	params.Add("redirect_uri", redirectURL)
	params.Add("client_id", p.ClientID)
	params.Add("client_secret", clientSecret)
	params.Add("code", code)
	params.Add("grant_type", "authorization_code")
	if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
		params.Add("resource", p.ProtectedResource.String())
	}

	result := requests.New(p.RedeemURL.String()).
		WithContext(ctx).
		WithMethod("POST").
		WithBody(bytes.NewBufferString(params.Encode())).
		SetHeader("Content-Type", "application/x-www-form-urlencoded").
		Do()
	if result.Error() != nil {
		return nil, result.Error()
	}

	// blindly try json and x-www-form-urlencoded
	var jsonResponse struct {
		AccessToken string `json:"access_token"`
	}
	err = result.UnmarshalInto(&jsonResponse)
	if err == nil {
		s = &sessions.SessionState{
			AccessToken: jsonResponse.AccessToken,
		}
		return
	}

	var v url.Values
	v, err = url.ParseQuery(string(result.Body()))
	if err != nil {
		return
	}
	if a := v.Get("access_token"); a != "" {
		created := time.Now()
		s = &sessions.SessionState{AccessToken: a, CreatedAt: &created}
	} else {
		err = fmt.Errorf("no access token found %s", result.Body())
	}
	return
}

// GetLoginURL with typical oauth parameters
func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
	a, params := makeLoginURL(p, redirectURI, state)
	a.RawQuery = params.Encode()
	return a.String()
}

// GetEmailAddress returns the Account email address
func (p *ProviderData) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// GetUserName returns the Account username
func (p *ProviderData) GetUserName(ctx context.Context, s *sessions.SessionState) (string, error) {
	return "", errors.New("not implemented")
}

// ValidateGroup validates that the provided email exists in the configured provider
// email group(s).
func (p *ProviderData) ValidateGroup(email string) bool {
	return true
}

// ValidateSessionState validates the AccessToken
func (p *ProviderData) ValidateSessionState(ctx context.Context, s *sessions.SessionState) bool {
	return validateToken(ctx, p, s.AccessToken, nil)
}

// RefreshSessionIfNeeded should refresh the user's session if required and
// do nothing if a refresh is not required
func (p *ProviderData) RefreshSessionIfNeeded(ctx context.Context, s *sessions.SessionState) (bool, error) {
	return false, nil
}

// CreateSessionStateFromBearerToken should be implemented to allow providers
// to convert ID tokens into sessions
func (p *ProviderData) CreateSessionStateFromBearerToken(ctx context.Context, rawIDToken string, idToken *oidc.IDToken) (*sessions.SessionState, error) {
	return nil, errors.New("not implemented")
}
Github provider 2015-05-20 23:23:48 -04:00			`package providers`

			`import (`
			`"bytes"`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`"context"`
Github provider 2015-05-20 23:23:48 -04:00			`"errors"`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00			`"fmt"`
Github provider 2015-05-20 23:23:48 -04:00			`"net/url"`
Add CreatedAt to SessionState 2019-05-07 15:32:46 +01:00			`"time"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 08:46:46 +02:00			`"github.com/coreos/go-oidc"`

Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 14:54:36 +01:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"`
Migrate all requests to new builder pattern 2020-07-03 19:27:25 +01:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/requests"`
Github provider 2015-05-20 23:23:48 -04:00			`)`

Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`var _ Provider = (*ProviderData)(nil)`

Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// Redeem provides a default implementation of the OAuth2 token redemption process`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) Redeem(ctx context.Context, redirectURL, code string) (s sessions.SessionState, err error) {`
Github provider 2015-05-20 23:23:48 -04:00			`if code == "" {`
			`err = errors.New("missing code")`
			`return`
			`}`
Support for client secret file. (#355) * added ClientSecretFile in ProviderData * add documentation notes on client secret file * added Changelog entry for Client Secret File PR * fixing configuration.md * addressing PR issue of ClientSecret property naming * Update providers/provider_data.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * corrected changelog entry * fixed typo in GetClientSecret Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-02-15 14:44:39 +01:00			`clientSecret, err := p.GetClientSecret()`
			`if err != nil {`
			`return`
			`}`
Github provider 2015-05-20 23:23:48 -04:00
			`params := url.Values{}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-09 00:47:44 +01:00			`params.Add("redirect_uri", redirectURL)`
Github provider 2015-05-20 23:23:48 -04:00			`params.Add("client_id", p.ClientID)`
Support for client secret file. (#355) * added ClientSecretFile in ProviderData * add documentation notes on client secret file * added Changelog entry for Client Secret File PR * fixing configuration.md * addressing PR issue of ClientSecret property naming * Update providers/provider_data.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * corrected changelog entry * fixed typo in GetClientSecret Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-02-15 14:44:39 +01:00			`params.Add("client_secret", clientSecret)`
Github provider 2015-05-20 23:23:48 -04:00			`params.Add("code", code)`
			`params.Add("grant_type", "authorization_code")`
Add Azure Provider 2015-11-09 09:28:34 +01:00			`if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {`
			`params.Add("resource", p.ProtectedResource.String())`
			`}`

Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`result := requests.New(p.RedeemURL.String()).`
Migrate all requests to new builder pattern 2020-07-03 19:27:25 +01:00			`WithContext(ctx).`
			`WithMethod("POST").`
			`WithBody(bytes.NewBufferString(params.Encode())).`
			`SetHeader("Content-Type", "application/x-www-form-urlencoded").`
			`Do()`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`if result.Error() != nil {`
			`return nil, result.Error()`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00			`}`

Github provider 2015-05-20 23:23:48 -04:00			`// blindly try json and x-www-form-urlencoded`
			`var jsonResponse struct {`
			AccessToken string `json:"access_token"`
			`}`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`err = result.UnmarshalInto(&jsonResponse)`
Github provider 2015-05-20 23:23:48 -04:00			`if err == nil {`
Move SessionState to its own package 2019-05-05 13:33:13 +01:00			`s = &sessions.SessionState{`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`AccessToken: jsonResponse.AccessToken,`
			`}`
			`return`
Github provider 2015-05-20 23:23:48 -04:00			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`var v url.Values`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`v, err = url.ParseQuery(string(result.Body()))`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`if err != nil {`
			`return`
			`}`
			`if a := v.Get("access_token"); a != "" {`
Improvements to Session State code (#536) * Drop SessionStateJSON wrapper * Use EncrpytInto/DecryptInto to reduce sessionstate Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-30 08:53:38 +01:00			`created := time.Now()`
			`s = &sessions.SessionState{AccessToken: a, CreatedAt: &created}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`} else {`
Migrate all requests to result pattern 2020-07-06 17:42:26 +01:00			`err = fmt.Errorf("no access token found %s", result.Body())`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`}`
			`return`
Github provider 2015-05-20 23:23:48 -04:00			`}`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00
Move actual implementation of default provider GetLoginURL into DefaultGetLoginURL This allows us to reuse code from different providers in case slight modifications to the URL are needed. 2020-09-14 13:22:53 +02:00			`// GetLoginURL with typical oauth parameters`
			`func (p *ProviderData) GetLoginURL(redirectURI, state string) string {`
Move DefaultGetLoginURL into util.go 2020-09-15 10:12:25 +02:00			`a, params := makeLoginURL(p, redirectURI, state)`
immediately redeem refresh token for provider==Google 2015-06-23 13:23:47 -04:00			`a.RawQuery = params.Encode()`
			`return a.String()`
More complete HTTP error logging 2015-06-06 14:15:43 -04:00			`}`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00
Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// GetEmailAddress returns the Account email address`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) GetEmailAddress(ctx context.Context, s sessions.SessionState) (string, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`return "", errors.New("not implemented")`
			`}`

Github provider: use login as user - Save both user and email in session state: Encoding/decoding methods save both email and user field in session state, for use cases when User is not derived from email's local-parth, like for GitHub provider. For retrocompatibility, if no user is obtained by the provider, (e.g. User is an empty string) the encoding/decoding methods fall back to the previous behavior and use the email's local-part Updated also related tests and added two more tests to show behavior when session contains a non-empty user value. - Added first basic GitHub provider tests - Added GetUserName method to Provider interface The new GetUserName method is intended to return the User value when this is not the email's local-part. Added also the default implementation to provider_default.go - Added call to GetUserName in redeemCode the new GetUserName method is used in redeemCode to get SessionState User value. For backward compatibility, if GetUserName error is "not implemented", the error is ignored. - Added GetUserName method and tests to github provider. 2017-09-26 23:31:27 +02:00			`// GetUserName returns the Account username`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) GetUserName(ctx context.Context, s sessions.SessionState) (string, error) {`
Add preferred_username support (OIDC provider) (#420) * Add support for preferred username. * Add missing TOC entries. * Add note about preferred_username support. * Adjust tests. * Check on not implemented error for GetPreferredUsername() call. Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-03-01 16:02:51 +01:00			`return "", errors.New("not implemented")`
			`}`

google: Support restricting access to a specific group(s) 2015-08-20 03:07:02 -07:00			`// ValidateGroup validates that the provided email exists in the configured provider`
			`// email group(s).`
			`func (p *ProviderData) ValidateGroup(email string) bool {`
			`return true`
			`}`

Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00			`// ValidateSessionState validates the AccessToken`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) ValidateSessionState(ctx context.Context, s sessions.SessionState) bool {`
			`return validateToken(ctx, p, s.AccessToken, nil)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`}`

Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`// RefreshSessionIfNeeded should refresh the user's session if required and`
			`// do nothing if a refresh is not required`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) RefreshSessionIfNeeded(ctx context.Context, s sessions.SessionState) (bool, error) {`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`return false, nil`
			`}`
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 08:46:46 +02:00
Integrate sessions middlewares 2020-07-18 00:42:51 +01:00			`// CreateSessionStateFromBearerToken should be implemented to allow providers`
			`// to convert ID tokens into sessions`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-06 00:53:33 +09:00			`func (p ProviderData) CreateSessionStateFromBearerToken(ctx context.Context, rawIDToken string, idToken oidc.IDToken) (*sessions.SessionState, error) {`
Integrate sessions middlewares 2020-07-18 00:42:51 +01:00			`return nil, errors.New("not implemented")`
Feature/configurable userid claim minimal (#499) * Add -user-id-claim to support other claims than email Fix #431 - This is a minimal change to allow the user to configure which claim is the source of the "user ID". - Add the option `user-id-claim` (defaults to email) - OIDC extracts this claim into session.Email (to be renamed later) - providers: add `CreateSessionStateFromBearerToken` with a default impl taken from `GetJwtSession` and overridden by oidc to respect `user-id-claim` Once #466 is merged, I can continue to rename SessionState.Email to .UserID and add HTTP headers with a corresponding name. * Apply suggestions from code review Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Review feedback: Don't extract claims manually Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves. * Fix indentation Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-04-28 08:46:46 +02:00			`}`