Generalize and extend default CreateSessionFromToken

2025-08-08 22:46:33 +02:00 · 2020-11-15 18:57:48 -08:00
parent 44fa8316a1
commit 22f60e9b63
10 changed files with 148 additions and 209 deletions
--- a/pkg/apis/middleware/session.go
+++ b/pkg/apis/middleware/session.go
@ -2,25 +2,57 @@ package middleware

 import (
 	"context"
+	"fmt"

+	"github.com/coreos/go-oidc"
 	sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 )

-// TokenToSessionFunc takes a rawIDToken and an idToken and converts it into a
-// SessionState.
-type TokenToSessionFunc func(ctx context.Context, token string, verify VerifyFunc) (*sessionsapi.SessionState, error)
+// TokenToSessionFunc takes a raw ID Token and converts it into a SessionState.
+type TokenToSessionFunc func(ctx context.Context, token string) (*sessionsapi.SessionState, error)

-// VerifyFunc takes a raw bearer token and verifies it
-type VerifyFunc func(ctx context.Context, token string) (interface{}, error)
+// VerifyFunc takes a raw bearer token and verifies it returning the converted
+// oidc.IDToken representation of the token.
+type VerifyFunc func(ctx context.Context, token string) (*oidc.IDToken, error)

-// TokenToSessionLoader pairs a token verifier with the correct converter function
-// to convert the ID Token to a SessionState.
-type TokenToSessionLoader struct {
-	// Verifier is used to verify that the ID Token was signed by the claimed issuer
-	// and that the token has not been tampered with.
-	Verifier VerifyFunc
+// CreateTokenToSessionFunc provides a handler that is a default implementation
+// for converting a JWT into a session.
+func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
+	return func(ctx context.Context, token string) (*sessionsapi.SessionState, error) {
+		var claims struct {
+			Subject           string `json:"sub"`
+			Email             string `json:"email"`
+			Verified          *bool  `json:"email_verified"`
+			PreferredUsername string `json:"preferred_username"`
+		}

-	// TokenToSession converts a raw bearer token to a SessionState.
-	// (Optional) If not set a default basic implementation is used.
-	TokenToSession TokenToSessionFunc
+		idToken, err := verify(ctx, token)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := idToken.Claims(&claims); err != nil {
+			return nil, fmt.Errorf("failed to parse bearer token claims: %v", err)
+		}
+
+		if claims.Email == "" {
+			claims.Email = claims.Subject
+		}
+
+		if claims.Verified != nil && !*claims.Verified {
+			return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
+		}
+
+		newSession := &sessionsapi.SessionState{
+			Email:             claims.Email,
+			User:              claims.Subject,
+			PreferredUsername: claims.PreferredUsername,
+			AccessToken:       token,
+			IDToken:           token,
+			RefreshToken:      "",
+			ExpiresOn:         &idToken.Expiry,
+		}
+
+		return newSession, nil
+	}
 }