2017-05-09 18:20:35 +00:00
|
|
|
package providers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
oidc "github.com/coreos/go-oidc"
|
2019-05-05 12:33:13 +00:00
|
|
|
"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
|
|
|
|
"golang.org/x/oauth2"
|
2017-05-09 18:20:35 +00:00
|
|
|
)
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// OIDCProvider represents an OIDC based Identity Provider
|
2017-05-09 18:20:35 +00:00
|
|
|
type OIDCProvider struct {
|
|
|
|
*ProviderData
|
|
|
|
|
2019-05-20 11:32:10 +00:00
|
|
|
Verifier *oidc.IDTokenVerifier
|
|
|
|
AllowUnverifiedEmail bool
|
2017-05-09 18:20:35 +00:00
|
|
|
}
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// NewOIDCProvider initiates a new OIDCProvider
|
2017-05-09 18:20:35 +00:00
|
|
|
func NewOIDCProvider(p *ProviderData) *OIDCProvider {
|
2017-10-08 04:40:36 +00:00
|
|
|
p.ProviderName = "OpenID Connect"
|
2017-05-09 18:20:35 +00:00
|
|
|
return &OIDCProvider{ProviderData: p}
|
|
|
|
}
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// Redeem exchanges the OAuth2 authentication token for an ID token
|
2019-05-05 12:33:13 +00:00
|
|
|
func (p *OIDCProvider) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) {
|
2017-05-09 18:20:35 +00:00
|
|
|
ctx := context.Background()
|
|
|
|
c := oauth2.Config{
|
|
|
|
ClientID: p.ClientID,
|
|
|
|
ClientSecret: p.ClientSecret,
|
|
|
|
Endpoint: oauth2.Endpoint{
|
|
|
|
TokenURL: p.RedeemURL.String(),
|
|
|
|
},
|
|
|
|
RedirectURL: redirectURL,
|
|
|
|
}
|
|
|
|
token, err := c.Exchange(ctx, code)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("token exchange: %v", err)
|
|
|
|
}
|
2018-06-20 10:42:06 +00:00
|
|
|
s, err = p.createSessionState(ctx, token)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("unable to update session: %v", err)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// RefreshSessionIfNeeded checks if the session has expired and uses the
|
|
|
|
// RefreshToken to fetch a new ID token if required
|
2019-05-05 12:33:13 +00:00
|
|
|
func (p *OIDCProvider) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
|
2018-06-20 10:42:06 +00:00
|
|
|
if s == nil || s.ExpiresOn.After(time.Now()) || s.RefreshToken == "" {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
origExpiration := s.ExpiresOn
|
|
|
|
|
|
|
|
err := p.redeemRefreshToken(s)
|
|
|
|
if err != nil {
|
|
|
|
return false, fmt.Errorf("unable to redeem refresh token: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
fmt.Printf("refreshed id token %s (expired on %s)\n", s, origExpiration)
|
|
|
|
return true, nil
|
|
|
|
}
|
2017-05-09 18:20:35 +00:00
|
|
|
|
2019-05-05 12:33:13 +00:00
|
|
|
func (p *OIDCProvider) redeemRefreshToken(s *sessions.SessionState) (err error) {
|
2018-06-20 10:42:06 +00:00
|
|
|
c := oauth2.Config{
|
|
|
|
ClientID: p.ClientID,
|
|
|
|
ClientSecret: p.ClientSecret,
|
|
|
|
Endpoint: oauth2.Endpoint{
|
|
|
|
TokenURL: p.RedeemURL.String(),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
ctx := context.Background()
|
|
|
|
t := &oauth2.Token{
|
|
|
|
RefreshToken: s.RefreshToken,
|
|
|
|
Expiry: time.Now().Add(-time.Hour),
|
|
|
|
}
|
|
|
|
token, err := c.TokenSource(ctx, t).Token()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to get token: %v", err)
|
|
|
|
}
|
|
|
|
newSession, err := p.createSessionState(ctx, token)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("unable to update session: %v", err)
|
|
|
|
}
|
|
|
|
s.AccessToken = newSession.AccessToken
|
|
|
|
s.IDToken = newSession.IDToken
|
|
|
|
s.RefreshToken = newSession.RefreshToken
|
2019-05-07 14:32:46 +00:00
|
|
|
s.CreatedAt = newSession.CreatedAt
|
2018-06-20 10:42:06 +00:00
|
|
|
s.ExpiresOn = newSession.ExpiresOn
|
|
|
|
s.Email = newSession.Email
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-05-05 12:33:13 +00:00
|
|
|
func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Token) (*sessions.SessionState, error) {
|
2017-05-09 18:20:35 +00:00
|
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("token response did not contain an id_token")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parse and verify ID Token payload.
|
|
|
|
idToken, err := p.Verifier.Verify(ctx, rawIDToken)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("could not verify id_token: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Extract custom claims.
|
|
|
|
var claims struct {
|
2019-02-13 15:26:53 +00:00
|
|
|
Subject string `json:"sub"`
|
2017-05-09 18:20:35 +00:00
|
|
|
Email string `json:"email"`
|
|
|
|
Verified *bool `json:"email_verified"`
|
|
|
|
}
|
|
|
|
if err := idToken.Claims(&claims); err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to parse id_token claims: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if claims.Email == "" {
|
2019-02-13 15:26:53 +00:00
|
|
|
// TODO: Try getting email from /userinfo before falling back to Subject
|
|
|
|
claims.Email = claims.Subject
|
2017-05-09 18:20:35 +00:00
|
|
|
}
|
2019-05-20 11:32:10 +00:00
|
|
|
if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
|
2017-05-09 18:20:35 +00:00
|
|
|
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
|
|
|
}
|
|
|
|
|
2019-05-05 12:33:13 +00:00
|
|
|
return &sessions.SessionState{
|
2017-05-09 18:20:35 +00:00
|
|
|
AccessToken: token.AccessToken,
|
2018-01-27 10:14:19 +00:00
|
|
|
IDToken: rawIDToken,
|
2017-05-09 18:20:35 +00:00
|
|
|
RefreshToken: token.RefreshToken,
|
2019-05-07 14:32:46 +00:00
|
|
|
CreatedAt: time.Now(),
|
2019-02-12 18:32:26 +00:00
|
|
|
ExpiresOn: idToken.Expiry,
|
2017-05-09 18:20:35 +00:00
|
|
|
Email: claims.Email,
|
2019-05-07 10:44:19 +00:00
|
|
|
User: claims.Subject,
|
2018-06-20 10:42:06 +00:00
|
|
|
}, nil
|
2017-05-09 18:20:35 +00:00
|
|
|
}
|
2018-06-21 10:31:21 +00:00
|
|
|
|
|
|
|
// ValidateSessionState checks that the session's IDToken is still valid
|
2019-05-05 12:33:13 +00:00
|
|
|
func (p *OIDCProvider) ValidateSessionState(s *sessions.SessionState) bool {
|
2018-06-21 10:31:21 +00:00
|
|
|
ctx := context.Background()
|
|
|
|
_, err := p.Verifier.Verify(ctx, s.IDToken)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|