oauth2-proxy/providers/keycloak.go

package providers

import (
	"context"
	"fmt"
	"net/url"

	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
)

type KeycloakProvider struct {
	*ProviderData
}

var _ Provider = (*KeycloakProvider)(nil)

const (
	keycloakProviderName = "Keycloak"
	keycloakDefaultScope = "api"
)

var (
	// Default Login URL for Keycloak.
	// Pre-parsed URL of https://keycloak.org/oauth/authorize.
	keycloakDefaultLoginURL = &url.URL{
		Scheme: "https",
		Host:   "keycloak.org",
		Path:   "/oauth/authorize",
	}

	// Default Redeem URL for Keycloak.
	// Pre-parsed URL of ttps://keycloak.org/oauth/token.
	keycloakDefaultRedeemURL = &url.URL{
		Scheme: "https",
		Host:   "keycloak.org",
		Path:   "/oauth/token",
	}

	// Default Validation URL for Keycloak.
	// Pre-parsed URL of https://keycloak.org/api/v3/user.
	keycloakDefaultValidateURL = &url.URL{
		Scheme: "https",
		Host:   "keycloak.org",
		Path:   "/api/v3/user",
	}
)

// NewKeycloakProvider creates a KeyCloakProvider using the passed ProviderData
func NewKeycloakProvider(p *ProviderData) *KeycloakProvider {
	p.setProviderDefaults(providerDefaults{
		name:        keycloakProviderName,
		loginURL:    keycloakDefaultLoginURL,
		redeemURL:   keycloakDefaultRedeemURL,
		profileURL:  nil,
		validateURL: keycloakDefaultValidateURL,
		scope:       keycloakDefaultScope,
	})
	return &KeycloakProvider{ProviderData: p}
}

// EnrichSession uses the Keycloak userinfo endpoint to populate the session's
// email and groups.
func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
	// Fallback to ValidateURL if ProfileURL not set for legacy compatibility
	userinfoURL := p.ValidateURL.String()
	if p.ProfileURL != nil {
		userinfoURL = p.ProfileURL.String()
	}

	json, err := requests.New(userinfoURL).
		WithContext(ctx).
		SetHeader("Authorization", "Bearer "+s.AccessToken).
		Do().
		UnmarshalJSON()
	if err != nil {
		logger.Errorf("failed making request %v", err)
		return err
	}

	groups, err := json.Get("groups").StringArray()
	if err == nil {
		for _, group := range groups {
			if group != "" {
				s.Groups = append(s.Groups, group)
			}
		}
	}

	email, err := json.Get("email").String()
	if err != nil {
		return fmt.Errorf("unable to extract email from userinfo endpoint: %v", err)
	}
	s.Email = email

	return nil
}
Add keycloak provider 2019-07-28 15:54:39 +02:00			`package providers`

			`import (`
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-05 17:53:33 +02:00			`"context"`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`"fmt"`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`"net/url"`

Fix import path for v7 (#800) * fix import path for v7 find ./ -name ".go" \| xargs sed -i -e 's\|"github.com/oauth2-proxy/oauth2-proxy\|"github.com/oauth2-proxy/oauth2-proxy/v7\|' fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-09-29 18:44:42 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"`
			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`)`

			`type KeycloakProvider struct {`
			`*ProviderData`
			`}`

Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-05 17:53:33 +02:00			`var _ Provider = (*KeycloakProvider)(nil)`

Move provider URLs to package level vars 2020-05-25 14:08:04 +02:00			`const (`
			`keycloakProviderName = "Keycloak"`
			`keycloakDefaultScope = "api"`
			`)`

			`var (`
			`// Default Login URL for Keycloak.`
			`// Pre-parsed URL of https://keycloak.org/oauth/authorize.`
			`keycloakDefaultLoginURL = &url.URL{`
			`Scheme: "https",`
			`Host: "keycloak.org",`
			`Path: "/oauth/authorize",`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`
Move provider URLs to package level vars 2020-05-25 14:08:04 +02:00
			`// Default Redeem URL for Keycloak.`
			`// Pre-parsed URL of ttps://keycloak.org/oauth/token.`
			`keycloakDefaultRedeemURL = &url.URL{`
			`Scheme: "https",`
			`Host: "keycloak.org",`
			`Path: "/oauth/token",`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`
Move provider URLs to package level vars 2020-05-25 14:08:04 +02:00
			`// Default Validation URL for Keycloak.`
			`// Pre-parsed URL of https://keycloak.org/api/v3/user.`
			`keycloakDefaultValidateURL = &url.URL{`
			`Scheme: "https",`
			`Host: "keycloak.org",`
			`Path: "/api/v3/user",`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`
Move provider URLs to package level vars 2020-05-25 14:08:04 +02:00			`)`

Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-12 23:22:15 +02:00			`// NewKeycloakProvider creates a KeyCloakProvider using the passed ProviderData`
Move provider URLs to package level vars 2020-05-25 14:08:04 +02:00			`func NewKeycloakProvider(p ProviderData) KeycloakProvider {`
			`p.setProviderDefaults(providerDefaults{`
			`name: keycloakProviderName,`
			`loginURL: keycloakDefaultLoginURL,`
			`redeemURL: keycloakDefaultRedeemURL,`
			`profileURL: nil,`
			`validateURL: keycloakDefaultValidateURL,`
			`scope: keycloakDefaultScope,`
			`})`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`return &KeycloakProvider{ProviderData: p}`
			`}`

Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-12 23:22:15 +02:00			`// EnrichSession uses the Keycloak userinfo endpoint to populate the session's`
			`// email and groups.`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`func (p KeycloakProvider) EnrichSession(ctx context.Context, s sessions.SessionState) error {`
Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-12 23:22:15 +02:00			`// Fallback to ValidateURL if ProfileURL not set for legacy compatibility`
			`userinfoURL := p.ValidateURL.String()`
			`if p.ProfileURL != nil {`
			`userinfoURL = p.ProfileURL.String()`
			`}`

			`json, err := requests.New(userinfoURL).`
Migrate all requests to new builder pattern 2020-07-03 20:27:25 +02:00			`WithContext(ctx).`
			`SetHeader("Authorization", "Bearer "+s.AccessToken).`
Migrate all requests to result pattern 2020-07-06 18:42:26 +02:00			`Do().`
Migrate all requests to new builder pattern 2020-07-03 20:27:25 +02:00			`UnmarshalJSON()`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`if err != nil {`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`logger.Errorf("failed making request %v", err)`
			`return err`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`

Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`groups, err := json.Get("groups").StringArray()`
Update Keycloak documentation 2020-12-12 23:50:34 +02:00			`if err == nil {`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`for _, group := range groups {`
			`if group != "" {`
			`s.Groups = append(s.Groups, group)`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`
			`}`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`}`
Add keycloak provider 2019-07-28 15:54:39 +02:00
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`email, err := json.Get("email").String()`
			`if err != nil {`
			`return fmt.Errorf("unable to extract email from userinfo endpoint: %v", err)`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`s.Email = email`
Add keycloak provider 2019-07-28 15:54:39 +02:00
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-12 22:57:32 +02:00			`return nil`
Add keycloak provider 2019-07-28 15:54:39 +02:00			`}`