Set User = Subject in ExtraJWTBearer sessions

2025-02-09 13:46:51 +02:00 · 2020-06-01 08:56:50 -07:00 · 2020-06-01 08:56:50 -07:00 · c2c1caa404
commit c2c1caa404
parent 788d8ecc1b
4 changed files with 13 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -55,6 +55,7 @@

 ## Changes since v5.1.1

+- [#596](https://github.com/oauth2-proxy/oauth2-proxy/pull/596) Validate Bearer IDTokens in headers with correct provider/extra JWT Verifier (@NickMeves)
 - [#620](https://github.com/oauth2-proxy/oauth2-proxy/pull/620) Add HealthCheck middleware (@JoelSpeed)
 - [#597](https://github.com/oauth2-proxy/oauth2-proxy/pull/597) Don't log invalid redirect if redirect is empty (@JoelSpeed)
 - [#604](https://github.com/oauth2-proxy/oauth2-proxy/pull/604) Add Keycloak local testing environment (@EvgeniGordeev)
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@ -1578,7 +1578,7 @@ func TestGetJwtSession(t *testing.T) {
 	// Bearer
 	expires := time.Unix(1912151821, 0)
 	session, _ := test.proxy.GetJwtSession(test.req)
-	assert.Equal(t, session.User, "john@example.com")
+	assert.Equal(t, session.User, "1234567890")
 	assert.Equal(t, session.Email, "john@example.com")
 	assert.Equal(t, session.ExpiresOn, &expires)
 	assert.Equal(t, session.IDToken, goodJwt)
@ -1590,12 +1590,12 @@ func TestGetJwtSession(t *testing.T) {

 	// Check PassAuthorization, should overwrite Basic header
 	assert.Equal(t, test.req.Header.Get("Authorization"), authHeader)
-	assert.Equal(t, test.req.Header.Get("X-Forwarded-User"), "john@example.com")
+	assert.Equal(t, test.req.Header.Get("X-Forwarded-User"), "1234567890")
 	assert.Equal(t, test.req.Header.Get("X-Forwarded-Email"), "john@example.com")

 	// SetAuthorization and SetXAuthRequest
 	assert.Equal(t, test.rw.Header().Get("Authorization"), authHeader)
-	assert.Equal(t, test.rw.Header().Get("X-Auth-Request-User"), "john@example.com")
+	assert.Equal(t, test.rw.Header().Get("X-Auth-Request-User"), "1234567890")
 	assert.Equal(t, test.rw.Header().Get("X-Auth-Request-Email"), "john@example.com")
 }

--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@ -164,14 +164,13 @@ func (p *ProviderData) CreateSessionStateFromBearerToken(ctx context.Context, ra

 	newSession := &sessions.SessionState{
 		Email:             claims.Email,
-		User:              claims.Email,
+		User:              claims.Subject,
 		PreferredUsername: claims.PreferredUsername,
+		AccessToken:       rawIDToken,
+		IDToken:           rawIDToken,
+		RefreshToken:      "",
+		ExpiresOn:         &idToken.Expiry,
 	}

-	newSession.AccessToken = rawIDToken
-	newSession.IDToken = rawIDToken
-	newSession.RefreshToken = ""
-	newSession.ExpiresOn = &idToken.Expiry
-
 	return newSession, nil
 }
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@ -4,12 +4,13 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"github.com/coreos/go-oidc"
-	"github.com/dgrijalva/jwt-go"
 	"net/url"
 	"testing"
 	"time"

+	"github.com/coreos/go-oidc"
+	"github.com/dgrijalva/jwt-go"
+
 	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
 	"github.com/stretchr/testify/assert"
 )
@ -71,7 +72,7 @@ func TestCreateSessionStateFromBearerToken(t *testing.T) {

 	key, _ := rsa.GenerateKey(rand.Reader, 2048)
 	rawIDToken, _ := jwt.NewWithClaims(jwt.SigningMethodRS256, minimalIDToken).SignedString(key)
-	idToken, err := verifier.Verify(context.Background(), rawIDToken)
+	idToken, _ := verifier.Verify(context.Background(), rawIDToken)

 	session, err := (*ProviderData)(nil).CreateSessionStateFromBearerToken(context.Background(), rawIDToken, idToken)