go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-02-03 13:21:51 +02:00
Code Issues Releases Activity
oauth2-proxy/providers/azure_test.go

400 lines
14 KiB
Go
Raw Normal View History

Add Azure Provider
2015-11-09 09:28:34 +01:00
package providers
import (
Support context in providers (#519) Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-06 00:53:33 +09:00
"context"
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
"encoding/base64"
"encoding/json"
"errors"
"fmt"
Add Azure Provider
2015-11-09 09:28:34 +01:00
"net/http"
"net/http/httptest"
"net/url"
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
"strings"
Add Azure Provider
2015-11-09 09:28:34 +01:00
"testing"
Adding additional asserts to the TestAzureProviderREdeemReturnsIdToken to ensure that the refresh token and expires on date are both being set
2019-08-29 15:01:15 +01:00
"time"
Swap out bmizerany/assert package that is deprecated in favor of stretchr/testify/assert
2017-10-23 12:23:46 -04:00
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
"github.com/coreos/go-oidc/v3/oidc"
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
"github.com/golang-jwt/jwt"
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
Move internal OIDC package to providers package
2022-02-15 17:24:48 +00:00
internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
Move provider URLs to package level vars
2020-05-25 13:08:04 +01:00
. "github.com/onsi/gomega"
Swap out bmizerany/assert package that is deprecated in favor of stretchr/testify/assert
2017-10-23 12:23:46 -04:00
"github.com/stretchr/testify/assert"
Add Azure Provider
2015-11-09 09:28:34 +01:00
)
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
type fakeAzureKeySetStub struct{}
func (fakeAzureKeySetStub) VerifySignature(_ context.Context, jwt string) (payload []byte, err error) {
decodeString, err := base64.RawURLEncoding.DecodeString(strings.Split(jwt, ".")[1])
if err != nil {
return nil, err
}
return decodeString, nil
}
type azureOAuthPayload struct {
AccessToken string `json:"access_token,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
ExpiresOn int64 `json:"expires_on,omitempty,string"`
IDToken string `json:"id_token,omitempty"`
}
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
func testAzureProvider(hostname string, opts options.AzureOptions) *AzureProvider {
Move OIDC IDToken verifier behind interface
2022-02-16 14:06:25 +00:00
verificationOptions := internaloidc.IDTokenVerificationOptions{
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
AudienceClaims: []string{"aud"},
ClientID: "cd6d4fae-f6a6-4a34-8454-2c6b598e9532",
}
Add Azure Provider
2015-11-09 09:28:34 +01:00
p := NewAzureProvider(
&ProviderData{
ProviderName: "",
LoginURL: &url.URL{},
RedeemURL: &url.URL{},
ProfileURL: &url.URL{},
ValidateURL: &url.URL{},
ProtectedResource: &url.URL{},
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
Scope: "",
EmailClaim: "email",
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
Verifier: internaloidc.NewVerifier(oidc.NewVerifier(
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
"https://issuer.example.com",
fakeAzureKeySetStub{},
&oidc.Config{
ClientID: "cd6d4fae-f6a6-4a34-8454-2c6b598e9532",
SkipClientIDCheck: true,
SkipIssuerCheck: true,
SkipExpiryCheck: true,
},
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
), verificationOptions),
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
}, opts)
Adding the IDToken to the session for the Azure Provider.
2019-08-29 14:32:01 +01:00
Add Azure Provider
2015-11-09 09:28:34 +01:00
if hostname != "" {
updateURL(p.Data().LoginURL, hostname)
updateURL(p.Data().RedeemURL, hostname)
updateURL(p.Data().ProfileURL, hostname)
updateURL(p.Data().ValidateURL, hostname)
updateURL(p.Data().ProtectedResource, hostname)
}
return p
}
Move provider URLs to package level vars
2020-05-25 13:08:04 +01:00
func TestNewAzureProvider(t *testing.T) {
g := NewWithT(t)
// Test that defaults are set when calling for a new provider with nothing set
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
providerData := NewAzureProvider(&ProviderData{}, options.AzureOptions{}).Data()
Move provider URLs to package level vars
2020-05-25 13:08:04 +01:00
g.Expect(providerData.ProviderName).To(Equal("Azure"))
g.Expect(providerData.LoginURL.String()).To(Equal("https://login.microsoftonline.com/common/oauth2/authorize"))
g.Expect(providerData.RedeemURL.String()).To(Equal("https://login.microsoftonline.com/common/oauth2/token"))
g.Expect(providerData.ProfileURL.String()).To(Equal("https://graph.microsoft.com/v1.0/me"))
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
g.Expect(providerData.ValidateURL.String()).To(Equal("https://graph.microsoft.com/v1.0/me"))
Move provider URLs to package level vars
2020-05-25 13:08:04 +01:00
g.Expect(providerData.Scope).To(Equal("openid"))
Add Azure Provider
2015-11-09 09:28:34 +01:00
}
func TestAzureProviderOverrides(t *testing.T) {
p := NewAzureProvider(
&ProviderData{
LoginURL: &url.URL{
Scheme: "https",
Host: "example.com",
Path: "/oauth/auth"},
RedeemURL: &url.URL{
Scheme: "https",
Host: "example.com",
Path: "/oauth/token"},
ProfileURL: &url.URL{
Scheme: "https",
Host: "example.com",
Path: "/oauth/profile"},
ValidateURL: &url.URL{
Scheme: "https",
Host: "example.com",
Path: "/oauth/tokeninfo"},
ProtectedResource: &url.URL{
Scheme: "https",
Host: "example.com"},
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
Scope: "profile"},
options.AzureOptions{})
Add Azure Provider
2015-11-09 09:28:34 +01:00
assert.NotEqual(t, nil, p)
assert.Equal(t, "Azure", p.Data().ProviderName)
assert.Equal(t, "https://example.com/oauth/auth",
p.Data().LoginURL.String())
assert.Equal(t, "https://example.com/oauth/token",
p.Data().RedeemURL.String())
assert.Equal(t, "https://example.com/oauth/profile",
p.Data().ProfileURL.String())
assert.Equal(t, "https://example.com/oauth/tokeninfo",
p.Data().ValidateURL.String())
assert.Equal(t, "https://example.com",
p.Data().ProtectedResource.String())
assert.Equal(t, "profile", p.Data().Scope)
}
func TestAzureSetTenant(t *testing.T) {
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
p := testAzureProvider("", options.AzureOptions{Tenant: "example"})
Add Azure Provider
2015-11-09 09:28:34 +01:00
assert.Equal(t, "Azure", p.Data().ProviderName)
assert.Equal(t, "example", p.Tenant)
assert.Equal(t, "https://login.microsoftonline.com/example/oauth2/authorize",
p.Data().LoginURL.String())
assert.Equal(t, "https://login.microsoftonline.com/example/oauth2/token",
p.Data().RedeemURL.String())
feature: switch Azure AD graph API to Microsoft Graph API (#440) * feature: switch Azure AD graph API to Microsoft Graph API * Update CHANGELOG * Expand Breaking Changes notice * Update CHANGELOG.md Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * fix: use constant http method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 19:53:30 +09:00
assert.Equal(t, "https://graph.microsoft.com/v1.0/me",
Add Azure Provider
2015-11-09 09:28:34 +01:00
p.Data().ProfileURL.String())
feature: switch Azure AD graph API to Microsoft Graph API (#440) * feature: switch Azure AD graph API to Microsoft Graph API * Update CHANGELOG * Expand Breaking Changes notice * Update CHANGELOG.md Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * fix: use constant http method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 19:53:30 +09:00
assert.Equal(t, "https://graph.microsoft.com",
Add Azure Provider
2015-11-09 09:28:34 +01:00
p.Data().ProtectedResource.String())
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
assert.Equal(t, "https://graph.microsoft.com/v1.0/me", p.Data().ValidateURL.String())
Add Azure Provider
2015-11-09 09:28:34 +01:00
assert.Equal(t, "openid", p.Data().Scope)
}
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
func testAzureBackend(payload string, accessToken, refreshToken string) *httptest.Server {
return testAzureBackendWithError(payload, accessToken, refreshToken, false)
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
}
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
func testAzureBackendWithError(payload string, accessToken, refreshToken string, injectError bool) *httptest.Server {
feature: switch Azure AD graph API to Microsoft Graph API (#440) * feature: switch Azure AD graph API to Microsoft Graph API * Update CHANGELOG * Expand Breaking Changes notice * Update CHANGELOG.md Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * fix: use constant http method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 19:53:30 +09:00
path := "/v1.0/me"
Add Azure Provider
2015-11-09 09:28:34 +01:00
return httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
feature: switch Azure AD graph API to Microsoft Graph API (#440) * feature: switch Azure AD graph API to Microsoft Graph API * Update CHANGELOG * Expand Breaking Changes notice * Update CHANGELOG.md Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * fix: use constant http method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 19:53:30 +09:00
if (r.URL.Path != path) && r.Method != http.MethodPost {
Add Azure Provider
2015-11-09 09:28:34 +01:00
w.WriteHeader(404)
Cleaned up source to make golangci-lint pass (#418) * cleaned up source to make golangci-lint pass * providers/azure_test.go: use build in POST constant * options_test.go: do not export unnecessary variables Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 05:58:29 -04:00
} else if r.Method == http.MethodPost && r.Body != nil {
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
if injectError {
w.WriteHeader(400)
} else {
w.WriteHeader(200)
}
Adding the IDToken to the session for the Azure Provider.
2019-08-29 14:32:01 +01:00
w.Write([]byte(payload))
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
} else if !IsAuthorizedInHeaderWithToken(r.Header, accessToken) &&
!isAuthorizedRefreshInURLWithToken(r.URL, refreshToken) {
Add Azure Provider
2015-11-09 09:28:34 +01:00
w.WriteHeader(403)
} else {
w.WriteHeader(200)
w.Write([]byte(payload))
}
}))
}
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
func TestAzureProviderEnrichSession(t *testing.T) {
testCases := []struct {
Description string
Email string
PayloadFromAzureBackend string
ExpectedEmail string
ExpectedError error
}{
{
Description: "should return email using mail property from Azure backend",
PayloadFromAzureBackend: `{ "mail": "user@windows.net" }`,
ExpectedEmail: "user@windows.net",
},
{
Description: "should return email using otherMails property returned from Azure backend",
PayloadFromAzureBackend: `{ "mail": null, "otherMails": ["user@windows.net", "altuser@windows.net"] }`,
ExpectedEmail: "user@windows.net",
},
{
Description: "should return email using userPrincipalName from Azure backend",
PayloadFromAzureBackend: `{ "mail": null, "otherMails": [], "userPrincipalName": "user@windows.net" }`,
ExpectedEmail: "user@windows.net",
},
{
Description: "should return error when Azure backend doesn't return email information",
PayloadFromAzureBackend: `{ "mail": null, "otherMails": [], "userPrincipalName": null }`,
ExpectedError: fmt.Errorf("unable to get email address: %v", errors.New("type assertion to string failed")),
},
{
Description: "should return specific error when unable to get email",
PayloadFromAzureBackend: `{ "mail": null, "otherMails": [], "userPrincipalName": "" }`,
ExpectedError: errors.New("unable to get email address"),
},
{
Description: "should return error when otherMails from Azure backend is not a valid type",
PayloadFromAzureBackend: `{ "mail": null, "otherMails": "", "userPrincipalName": null }`,
ExpectedError: fmt.Errorf("unable to get email address: %v", errors.New("type assertion to string failed")),
},
{
Description: "should not query profile api when email is already set in session",
Email: "user@windows.net",
ExpectedEmail: "user@windows.net",
},
}
Getting mail for Azure provider fix + tests
2016-06-29 09:00:08 +02:00
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
for _, testCase := range testCases {
t.Run(testCase.Description, func(t *testing.T) {
var (
b *httptest.Server
host string
)
if testCase.PayloadFromAzureBackend != "" {
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
b = testAzureBackend(testCase.PayloadFromAzureBackend, authorizedAccessToken, "")
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
defer b.Close()
bURL, _ := url.Parse(b.URL)
host = bURL.Host
}
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
p := testAzureProvider(host, options.AzureOptions{})
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
session := CreateAuthorizedSession()
session.Email = testCase.Email
err := p.EnrichSession(context.Background(), session)
assert.Equal(t, testCase.ExpectedError, err)
assert.Equal(t, testCase.ExpectedEmail, session.Email)
})
}
Getting mail for Azure provider fix + tests
2016-06-29 09:00:08 +02:00
}
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
func TestAzureProviderRedeem(t *testing.T) {
testCases := []struct {
Name string
RefreshToken string
ExpiresOn time.Time
EmailFromIDToken string
EmailFromAccessToken string
IsIDTokenMalformed bool
InjectRedeemURLError bool
}{
{
Name: "with id_token returned",
EmailFromIDToken: "foo1@example.com",
RefreshToken: "some_refresh_token",
ExpiresOn: time.Now().Add(time.Hour),
},
{
Name: "without id_token returned, fallback to access token",
EmailFromAccessToken: "foo2@example.com",
RefreshToken: "some_refresh_token",
ExpiresOn: time.Now().Add(time.Hour),
},
{
Name: "id_token malformed, fallback to access token",
EmailFromAccessToken: "foo3@example.com",
RefreshToken: "some_refresh_token",
ExpiresOn: time.Now().Add(time.Hour),
IsIDTokenMalformed: true,
},
{
Name: "both id_token and access tokens are valid, return email from id_token",
EmailFromIDToken: "foo1@example.com",
EmailFromAccessToken: "foo3@example.com",
RefreshToken: "some_refresh_token",
ExpiresOn: time.Now().Add(time.Hour),
},
{
Name: "redeem URL failed, should return error",
EmailFromIDToken: "foo1@example.com",
EmailFromAccessToken: "foo3@example.com",
RefreshToken: "some_refresh_token",
ExpiresOn: time.Now().Add(time.Hour),
InjectRedeemURLError: true,
},
}
Getting mail for Azure provider fix + tests
2016-06-29 09:00:08 +02:00
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
for _, testCase := range testCases {
t.Run(testCase.Name, func(t *testing.T) {
idTokenString := ""
accessTokenString := ""
if testCase.EmailFromIDToken != "" {
var err error
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
token := idTokenClaims{
StandardClaims: jwt.StandardClaims{Audience: "cd6d4fae-f6a6-4a34-8454-2c6b598e9532"},
Email: testCase.EmailFromIDToken}
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
idTokenString, err = newSignedTestIDToken(token)
assert.NoError(t, err)
}
if testCase.EmailFromAccessToken != "" {
var err error
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
token := idTokenClaims{
StandardClaims: jwt.StandardClaims{Audience: "cd6d4fae-f6a6-4a34-8454-2c6b598e9532"},
Email: testCase.EmailFromAccessToken}
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
accessTokenString, err = newSignedTestIDToken(token)
assert.NoError(t, err)
}
if testCase.IsIDTokenMalformed {
idTokenString = "this is a malformed id_token"
}
payload := azureOAuthPayload{
IDToken: idTokenString,
RefreshToken: testCase.RefreshToken,
AccessToken: accessTokenString,
ExpiresOn: testCase.ExpiresOn.Unix(),
}
Getting mail for Azure provider fix + tests
2016-06-29 09:00:08 +02:00
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
payloadBytes, err := json.Marshal(payload)
assert.NoError(t, err)
Adding the IDToken to the session for the Azure Provider.
2019-08-29 14:32:01 +01:00
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
b := testAzureBackendWithError(string(payloadBytes), accessTokenString, testCase.RefreshToken, testCase.InjectRedeemURLError)
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
defer b.Close()
Adding the IDToken to the session for the Azure Provider.
2019-08-29 14:32:01 +01:00
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
bURL, _ := url.Parse(b.URL)
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
p := testAzureProvider(bURL.Host, options.AzureOptions{})
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
p.Data().RedeemURL.Path = "/common/oauth2/token"
s, err := p.Redeem(context.Background(), "https://localhost", "1234")
if testCase.InjectRedeemURLError {
assert.NotNil(t, err)
} else {
assert.NoError(t, err)
assert.Equal(t, idTokenString, s.IDToken)
assert.Equal(t, accessTokenString, s.AccessToken)
assert.Equal(t, testCase.ExpiresOn.Unix(), s.ExpiresOn.Unix())
assert.Equal(t, testCase.RefreshToken, s.RefreshToken)
if testCase.EmailFromIDToken != "" {
assert.Equal(t, testCase.EmailFromIDToken, s.Email)
} else {
assert.Equal(t, testCase.EmailFromAccessToken, s.Email)
}
}
})
}
Adding additional asserts to the TestAzureProviderREdeemReturnsIdToken to ensure that the refresh token and expires on date are both being set
2019-08-29 15:01:15 +01:00
}
Move azure specific resource parameter handling into azure provider
2020-09-14 13:48:17 +02:00
func TestAzureProviderProtectedResourceConfigured(t *testing.T) {
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
p := testAzureProvider("", options.AzureOptions{})
Move azure specific resource parameter handling into azure provider
2020-09-14 13:48:17 +02:00
p.ProtectedResource, _ = url.Parse("http://my.resource.test")
Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring
2021-04-21 02:33:27 -07:00
result := p.GetLoginURL("https://my.test.app/oauth", "", "")
Move azure specific resource parameter handling into azure provider
2020-09-14 13:48:17 +02:00
assert.Contains(t, result, "resource="+url.QueryEscape("http://my.resource.test"))
}
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
Standarize provider refresh implemention & logging
2021-03-06 15:48:31 -08:00
func TestAzureProviderRefresh(t *testing.T) {
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
email := "foo@example.com"
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
subject := "foo"
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 17:12:22 +01:00
idToken := idTokenClaims{
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
Email: email,
StandardClaims: jwt.StandardClaims{
Audience: "cd6d4fae-f6a6-4a34-8454-2c6b598e9532",
Subject: subject,
},
}
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
idTokenString, err := newSignedTestIDToken(idToken)
assert.NoError(t, err)
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
timestamp, err := time.Parse(time.RFC3339, "3006-01-02T22:04:05Z")
assert.NoError(t, err)
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
newAccessToken := "new_some_access_token"
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
payload := azureOAuthPayload{
IDToken: idTokenString,
RefreshToken: "new_some_refresh_token",
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
AccessToken: newAccessToken,
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
ExpiresOn: timestamp.Unix(),
}
payloadBytes, err := json.Marshal(payload)
assert.NoError(t, err)
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
refreshToken := "some_refresh_token"
b := testAzureBackend(string(payloadBytes), newAccessToken, refreshToken)
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
defer b.Close()
bURL, _ := url.Parse(b.URL)
Move provider initialisation into providers package
2022-02-15 11:18:32 +00:00
p := testAzureProvider(bURL.Host, options.AzureOptions{})
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
expires := time.Now().Add(time.Duration(-1) * time.Hour)
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
session := &sessions.SessionState{AccessToken: "some_access_token", RefreshToken: refreshToken, IDToken: "some_id_token", ExpiresOn: &expires}
RefreshSessions immediately when called
2021-03-06 15:33:13 -08:00
refreshed, err := p.RefreshSession(context.Background(), session)
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
assert.Equal(t, nil, err)
RefreshSessions immediately when called
2021-03-06 15:33:13 -08:00
assert.True(t, refreshed)
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
assert.NotEqual(t, session, nil)
Integrate claim extractor into providers
2021-06-26 11:49:08 +01:00
assert.Equal(t, newAccessToken, session.AccessToken)
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
assert.Equal(t, "new_some_refresh_token", session.RefreshToken)
extract email from id_token for azure provider (#914) * extract email from id_token for azure provider this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api * fixed typo * refactor GetEmailAddress to EnrichSessionState * make getting email from idtoken best effort and fall back to previous behavior when it's absent * refactor to use jwt package to extract claims * fix lint * refactor unit tests to use test table refactor the get email logic from profile api * addressing feedback * added oidc verifier to azure provider and extract email from id_token if present * fix lint and codeclimate * refactor to use oidc verifier to verify id_token if oidc is configured * fixed UT * addressed comments * minor refactor * addressed feedback * extract email from id_token first and fallback to access token * fallback to access token as well when id_token doesn't have email claim * address feedbacks * updated change log!
2021-03-09 20:53:15 -08:00
assert.Equal(t, idTokenString, session.IDToken)
assert.Equal(t, email, session.Email)
Azure token refresh (#754) * Implement azure token refresh Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278 * Update CHANGELOG.md * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Set CreatedAt to Now() on token refresh Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 20:25:59 +01:00
assert.Equal(t, timestamp, session.ExpiresOn.UTC())
}
Reference in New Issue Copy Permalink