mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-01-10 04:18:14 +02:00
ce750e9b30
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain. Signed-off-by: Valentin Pichard <github@w3st.fr> * Fix provider data initialisation * PKCE Support Adds Code Challenge PKCE support (RFC-7636) and partial Authorization Server Metadata (RFC-8414) for detecting PKCE support. - Introduces new option `--force-code-challenge-method` to force a specific code challenge method (either `S256` or `plain`) for instances when the server has not implemented RFC-8414 in order to detect PKCE support on the discovery document. - In all other cases, if the PKCE support can be determined during discovery then the `code_challenge_methods_supported` is used and S256 is always preferred. - The force command line argument is helpful with some providers like Azure who supports PKCE but does not list it in their discovery document yet. - Initial thought was given to just always attempt PKCE since according to spec additional URL parameters should be dropped by servers which implemented OAuth 2, however other projects found cases in the wild where this causes 500 errors by buggy implementations. See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810 - Due to the fact that the `code_verifier` must be saved between the redirect and callback, sessions are now created when the redirect takes place with `Authenticated: false`. The session will be recreated and marked as `Authenticated` on callback. - Individual provider implementations can choose to include or ignore code_challenge and code_verifier function parameters passed to them Note: Technically speaking `plain` is not required to be implemented since oauth2-proxy will always be able to handle S256 and servers MUST implement S256 support. > If the client is capable of using "S256", it MUST use "S256", as "S256" > is Mandatory To Implement (MTI) on the server. Clients are permitted > to use "plain" only if they cannot support "S256" for some technical > reason and know via out-of-band configuration that the server supports > "plain". Ref: RFC-7636 Sec 4.2 oauth2-proxy will always use S256 unless the user explicitly forces `plain`. Fixes #1361 * Address PR comments by moving pkce generation * Make PKCE opt-in, move to using the Nonce generater for code verifier * Make PKCE opt-in, move to using the Nonce generater for code verifier * Encrypt CodeVerifier in CSRF Token instead of Session - Update Dex for PKCE support - Expose HTTPBin for further use cases * Correct the tests * Move code challenges into extra params * Correct typo in code challenge method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Correct the extra space in docs Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address changelog and new line nits * Add generated docs Co-authored-by: Valentin Pichard <github@w3st.fr> Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
223 lines
5.8 KiB
Go
223 lines
5.8 KiB
Go
package providers
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
// OIDCProvider represents an OIDC based Identity Provider
|
|
type OIDCProvider struct {
|
|
*ProviderData
|
|
|
|
SkipNonce bool
|
|
}
|
|
|
|
// NewOIDCProvider initiates a new OIDCProvider
|
|
func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
|
|
p.ProviderName = "OpenID Connect"
|
|
p.getAuthorizationHeaderFunc = makeOIDCHeader
|
|
|
|
return &OIDCProvider{
|
|
ProviderData: p,
|
|
SkipNonce: opts.InsecureSkipNonce,
|
|
}
|
|
}
|
|
|
|
var _ Provider = (*OIDCProvider)(nil)
|
|
|
|
// GetLoginURL makes the LoginURL with optional nonce support
|
|
func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams url.Values) string {
|
|
if !p.SkipNonce {
|
|
extraParams.Add("nonce", nonce)
|
|
}
|
|
loginURL := makeLoginURL(p.Data(), redirectURI, state, extraParams)
|
|
return loginURL.String()
|
|
}
|
|
|
|
// Redeem exchanges the OAuth2 authentication token for an ID token
|
|
func (p *OIDCProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error) {
|
|
clientSecret, err := p.GetClientSecret()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var opts []oauth2.AuthCodeOption
|
|
if codeVerifier != "" {
|
|
opts = append(opts, oauth2.SetAuthURLParam("code_verifier", codeVerifier))
|
|
}
|
|
|
|
c := oauth2.Config{
|
|
ClientID: p.ClientID,
|
|
ClientSecret: clientSecret,
|
|
Endpoint: oauth2.Endpoint{
|
|
TokenURL: p.RedeemURL.String(),
|
|
},
|
|
RedirectURL: redirectURL,
|
|
}
|
|
token, err := c.Exchange(ctx, code, opts...)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("token exchange failed: %v", err)
|
|
}
|
|
|
|
return p.createSession(ctx, token, false)
|
|
}
|
|
|
|
// EnrichSession is called after Redeem to allow providers to enrich session fields
|
|
// such as User, Email, Groups with provider specific API calls.
|
|
func (p *OIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
|
|
// If a mandatory email wasn't set, error at this point.
|
|
if s.Email == "" {
|
|
return errors.New("neither the id_token nor the profileURL set an email")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ValidateSession checks that the session's IDToken is still valid
|
|
func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
|
|
_, err := p.Verifier.Verify(ctx, s.IDToken)
|
|
if err != nil {
|
|
logger.Errorf("id_token verification failed: %v", err)
|
|
return false
|
|
}
|
|
|
|
if p.SkipNonce {
|
|
return true
|
|
}
|
|
err = p.checkNonce(s)
|
|
if err != nil {
|
|
logger.Errorf("nonce verification failed: %v", err)
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// RefreshSession uses the RefreshToken to fetch new Access and ID Tokens
|
|
func (p *OIDCProvider) RefreshSession(ctx context.Context, s *sessions.SessionState) (bool, error) {
|
|
if s == nil || s.RefreshToken == "" {
|
|
return false, nil
|
|
}
|
|
|
|
err := p.redeemRefreshToken(ctx, s)
|
|
if err != nil {
|
|
return false, fmt.Errorf("unable to redeem refresh token: %v", err)
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// redeemRefreshToken uses a RefreshToken with the RedeemURL to refresh the
|
|
// Access Token and (probably) the ID Token.
|
|
func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.SessionState) error {
|
|
clientSecret, err := p.GetClientSecret()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
c := oauth2.Config{
|
|
ClientID: p.ClientID,
|
|
ClientSecret: clientSecret,
|
|
Endpoint: oauth2.Endpoint{
|
|
TokenURL: p.RedeemURL.String(),
|
|
},
|
|
}
|
|
t := &oauth2.Token{
|
|
RefreshToken: s.RefreshToken,
|
|
Expiry: time.Now().Add(-time.Hour),
|
|
}
|
|
token, err := c.TokenSource(ctx, t).Token()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get token: %v", err)
|
|
}
|
|
|
|
newSession, err := p.createSession(ctx, token, true)
|
|
if err != nil {
|
|
return fmt.Errorf("unable create new session state from response: %v", err)
|
|
}
|
|
|
|
// It's possible that if the refresh token isn't in the token response the
|
|
// session will not contain an id token.
|
|
// If it doesn't it's probably better to retain the old one
|
|
if newSession.IDToken != "" {
|
|
s.IDToken = newSession.IDToken
|
|
s.Email = newSession.Email
|
|
s.User = newSession.User
|
|
s.Groups = newSession.Groups
|
|
s.PreferredUsername = newSession.PreferredUsername
|
|
}
|
|
|
|
s.AccessToken = newSession.AccessToken
|
|
s.RefreshToken = newSession.RefreshToken
|
|
s.CreatedAt = newSession.CreatedAt
|
|
s.ExpiresOn = newSession.ExpiresOn
|
|
|
|
return nil
|
|
}
|
|
|
|
// CreateSessionFromToken converts Bearer IDTokens into sessions
|
|
func (p *OIDCProvider) CreateSessionFromToken(ctx context.Context, token string) (*sessions.SessionState, error) {
|
|
idToken, err := p.Verifier.Verify(ctx, token)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ss, err := p.buildSessionFromClaims(token, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Allow empty Email in Bearer case since we can't hit the ProfileURL
|
|
if ss.Email == "" {
|
|
ss.Email = ss.User
|
|
}
|
|
|
|
ss.AccessToken = token
|
|
ss.IDToken = token
|
|
ss.RefreshToken = ""
|
|
|
|
ss.CreatedAtNow()
|
|
ss.SetExpiresOn(idToken.Expiry)
|
|
|
|
return ss, nil
|
|
}
|
|
|
|
// createSession takes an oauth2.Token and creates a SessionState from it.
|
|
// It alters behavior if called from Redeem vs Refresh
|
|
func (p *OIDCProvider) createSession(ctx context.Context, token *oauth2.Token, refresh bool) (*sessions.SessionState, error) {
|
|
_, err := p.verifyIDToken(ctx, token)
|
|
if err != nil {
|
|
switch err {
|
|
case ErrMissingIDToken:
|
|
// IDToken is mandatory in Redeem but optional in Refresh
|
|
if !refresh {
|
|
return nil, errors.New("token response did not contain an id_token")
|
|
}
|
|
default:
|
|
return nil, fmt.Errorf("could not verify id_token: %v", err)
|
|
}
|
|
}
|
|
|
|
rawIDToken := getIDToken(token)
|
|
ss, err := p.buildSessionFromClaims(rawIDToken, token.AccessToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ss.AccessToken = token.AccessToken
|
|
ss.RefreshToken = token.RefreshToken
|
|
ss.IDToken = rawIDToken
|
|
|
|
ss.CreatedAtNow()
|
|
ss.SetExpiresOn(token.Expiry)
|
|
|
|
return ss, nil
|
|
}
|