From c8a89eca0800ca64da09ab09f758d78b98bc974f Mon Sep 17 00:00:00 2001 From: leyshon Date: Thu, 29 Aug 2019 14:32:01 +0100 Subject: [PATCH 1/7] Adding the IDToken to the session for the Azure Provider. --- providers/azure.go | 65 +++++++++++++++++++++++++++++++++++++++++ providers/azure_test.go | 18 +++++++++++- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/providers/azure.go b/providers/azure.go index 653090b0..6729e4f0 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -5,6 +5,10 @@ import ( "fmt" "net/http" "net/url" + "encoding/json" + "io/ioutil" + "bytes" + "time" "github.com/bitly/go-simplejson" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" @@ -65,6 +69,67 @@ func (p *AzureProvider) Configure(tenant string) { } } +func (p *AzureProvider) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) { + if code == "" { + err = errors.New("missing code") + return + } + + params := url.Values{} + params.Add("redirect_uri", redirectURL) + params.Add("client_id", p.ClientID) + params.Add("client_secret", p.ClientSecret) + params.Add("code", code) + params.Add("grant_type", "authorization_code") + if p.ProtectedResource != nil && p.ProtectedResource.String() != "" { + params.Add("resource", p.ProtectedResource.String()) + } + + var req *http.Request + req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode())) + if err != nil { + return + } + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + + var resp *http.Response + resp, err = http.DefaultClient.Do(req) + if err != nil { + return nil, err + } + var body []byte + body, err = ioutil.ReadAll(resp.Body) + resp.Body.Close() + if err != nil { + return + } + + if resp.StatusCode != 200 { + err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body) + return + } + + var jsonResponse struct { + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` + ExpiresOn int64 `json:"expires_on,string"` + IDToken string `json:"id_token"` + } + err = json.Unmarshal(body, &jsonResponse) + if err != nil { + return + } + + s = &sessions.SessionState{ + AccessToken: jsonResponse.AccessToken, + IDToken: jsonResponse.IDToken, + CreatedAt: time.Now(), + ExpiresOn: time.Unix(jsonResponse.ExpiresOn, 0), + RefreshToken: jsonResponse.RefreshToken, + } + return +} + func getAzureHeader(accessToken string) http.Header { header := make(http.Header) header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken)) diff --git a/providers/azure_test.go b/providers/azure_test.go index 8d34bdc8..8ec59785 100644 --- a/providers/azure_test.go +++ b/providers/azure_test.go @@ -20,6 +20,7 @@ func testAzureProvider(hostname string) *AzureProvider { ValidateURL: &url.URL{}, ProtectedResource: &url.URL{}, Scope: ""}) + if hostname != "" { updateURL(p.Data().LoginURL, hostname) updateURL(p.Data().RedeemURL, hostname) @@ -111,8 +112,11 @@ func testAzureBackend(payload string) *httptest.Server { return httptest.NewServer(http.HandlerFunc( func(w http.ResponseWriter, r *http.Request) { - if r.URL.Path != path || r.URL.RawQuery != query { + if (r.URL.Path != path || r.URL.RawQuery != query) && r.Method != "POST" { w.WriteHeader(404) + } else if r.Method == "POST" && r.Body != nil { + w.WriteHeader(200) + w.Write([]byte(payload)) } else if r.Header.Get("Authorization") != "Bearer imaginary_access_token" { w.WriteHeader(403) } else { @@ -199,3 +203,15 @@ func TestAzureProviderGetEmailAddressIncorrectOtherMails(t *testing.T) { assert.Equal(t, "type assertion to string failed", err.Error()) assert.Equal(t, "", email) } + +func TestAzureProviderRedeemReturnsIdToken(t *testing.T) { + b := testAzureBackend(`{ "id_token": "testtoken1234" }`) + defer b.Close() + + bURL, _ := url.Parse(b.URL) + p := testAzureProvider(bURL.Host) + p.Data().RedeemURL.Path = "/common/oauth2/token" + s, err := p.Redeem("https://localhost", "1234") + assert.Equal(t, nil, err) + assert.Equal(t, "testtoken1234", s.IDToken) +} \ No newline at end of file From 0c541f6f5e339021a75b5477e49dce18e20500a8 Mon Sep 17 00:00:00 2001 From: leyshon Date: Thu, 29 Aug 2019 15:01:15 +0100 Subject: [PATCH 2/7] Adding additional asserts to the TestAzureProviderREdeemReturnsIdToken to ensure that the refresh token and expires on date are both being set --- providers/azure_test.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/providers/azure_test.go b/providers/azure_test.go index 8ec59785..3f2b00dd 100644 --- a/providers/azure_test.go +++ b/providers/azure_test.go @@ -5,6 +5,7 @@ import ( "net/http/httptest" "net/url" "testing" + "time" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/stretchr/testify/assert" @@ -205,7 +206,8 @@ func TestAzureProviderGetEmailAddressIncorrectOtherMails(t *testing.T) { } func TestAzureProviderRedeemReturnsIdToken(t *testing.T) { - b := testAzureBackend(`{ "id_token": "testtoken1234" }`) + b := testAzureBackend(`{ "id_token": "testtoken1234", "expires_on": "1136239445", "refresh_token": "refresh1234" }`) + timestamp, err := time.Parse(time.RFC3339, "2006-01-02T22:04:05Z") defer b.Close() bURL, _ := url.Parse(b.URL) @@ -214,4 +216,6 @@ func TestAzureProviderRedeemReturnsIdToken(t *testing.T) { s, err := p.Redeem("https://localhost", "1234") assert.Equal(t, nil, err) assert.Equal(t, "testtoken1234", s.IDToken) -} \ No newline at end of file + assert.Equal(t, timestamp, s.ExpiresOn.UTC()) + assert.Equal(t, "refresh1234", s.RefreshToken) +} From 311f14c7ebac531c3c8aac7a0e56fe9874e45bfc Mon Sep 17 00:00:00 2001 From: leyshon Date: Thu, 29 Aug 2019 15:37:25 +0100 Subject: [PATCH 3/7] Fixing linting errors: Making sure err is checked in azure_test and gofmt has been run --- providers/azure.go | 8 ++++---- providers/azure_test.go | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/providers/azure.go b/providers/azure.go index 6729e4f0..48cea846 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -1,13 +1,13 @@ package providers import ( + "bytes" + "encoding/json" "errors" "fmt" + "io/ioutil" "net/http" "net/url" - "encoding/json" - "io/ioutil" - "bytes" "time" "github.com/bitly/go-simplejson" @@ -119,7 +119,7 @@ func (p *AzureProvider) Redeem(redirectURL, code string) (s *sessions.SessionSta if err != nil { return } - + s = &sessions.SessionState{ AccessToken: jsonResponse.AccessToken, IDToken: jsonResponse.IDToken, diff --git a/providers/azure_test.go b/providers/azure_test.go index 3f2b00dd..24745f3a 100644 --- a/providers/azure_test.go +++ b/providers/azure_test.go @@ -207,8 +207,9 @@ func TestAzureProviderGetEmailAddressIncorrectOtherMails(t *testing.T) { func TestAzureProviderRedeemReturnsIdToken(t *testing.T) { b := testAzureBackend(`{ "id_token": "testtoken1234", "expires_on": "1136239445", "refresh_token": "refresh1234" }`) - timestamp, err := time.Parse(time.RFC3339, "2006-01-02T22:04:05Z") defer b.Close() + timestamp, err := time.Parse(time.RFC3339, "2006-01-02T22:04:05Z") + assert.Equal(t, nil, err) bURL, _ := url.Parse(b.URL) p := testAzureProvider(bURL.Host) From 41ed9f742910ad66502f3d83fbf90adf4eca8717 Mon Sep 17 00:00:00 2001 From: leyshon Date: Mon, 2 Sep 2019 14:56:20 +0100 Subject: [PATCH 4/7] Updating the changelog to include details of the change --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 44cd0cf6..3b515580 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Changes since v4.0.0 +[#258](https://github.com/pusher/oauth2_proxy/pull/258) Add IDToken for Azure provider + - This PR adds the IDToken into the session for the Azure provider allowing requests to a backend to be identified as a specific user. As a consequence, if you are using a cookie to store the session the cookie will now exceed the 4kb size limit and be split into multiple cookies. This can cause problems when using nginx as a proxy, resulting in no cookie being passed at all. Either increase the proxy_buffer_size in nginx or implement the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage) + # v4.0.0 ## Release Highlights From 21aba50ea5262cd29656778721f9da336c5c3ce5 Mon Sep 17 00:00:00 2001 From: leyshon Date: Mon, 2 Sep 2019 16:00:28 +0100 Subject: [PATCH 5/7] Adding a note to the Azure provider documentation to mention issues with the size of the cookie session storage --- docs/2_auth.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/2_auth.md b/docs/2_auth.md index e6c5cc6f..cbccae7c 100644 --- a/docs/2_auth.md +++ b/docs/2_auth.md @@ -80,6 +80,8 @@ Note: The user is checked against the group members list on initial authenticati --client-secret= ``` +Note: When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly.. Increasing the proxy_buffer_size in nginx or implementing the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage) should resolve this. + ### Facebook Auth Provider 1. Create a new FB App from From 1aad87d7ca4c166babca2098d07b3a22bf872bc5 Mon Sep 17 00:00:00 2001 From: leyshon Date: Mon, 2 Sep 2019 16:03:48 +0100 Subject: [PATCH 6/7] Fixing a small typo in the docs --- docs/2_auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/2_auth.md b/docs/2_auth.md index cbccae7c..884ab1d7 100644 --- a/docs/2_auth.md +++ b/docs/2_auth.md @@ -80,7 +80,7 @@ Note: The user is checked against the group members list on initial authenticati --client-secret= ``` -Note: When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly.. Increasing the proxy_buffer_size in nginx or implementing the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage) should resolve this. +Note: When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage) should resolve this. ### Facebook Auth Provider From 0b2eb91fa43cc04a4ac324f9bd9b1eeb6f2c5d70 Mon Sep 17 00:00:00 2001 From: leyshon Date: Thu, 3 Oct 2019 11:46:04 +0100 Subject: [PATCH 7/7] Update docs/2_auth.md Co-Authored-By: Joel Speed --- docs/2_auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/2_auth.md b/docs/2_auth.md index acef43b0..991bbae2 100644 --- a/docs/2_auth.md +++ b/docs/2_auth.md @@ -81,7 +81,7 @@ Note: The user is checked against the group members list on initial authenticati --client-secret= ``` -Note: When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage) should resolve this. +Note: When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the [redis session storage](configuration#redis-storage) should resolve this. ### Facebook Auth Provider