oauth2_proxy/providers/oidc.go

package providers

import (
	"context"
	"fmt"
	"time"

	"golang.org/x/oauth2"

	oidc "github.com/coreos/go-oidc"
)

type OIDCProvider struct {
	*ProviderData

	Verifier *oidc.IDTokenVerifier
}

func NewOIDCProvider(p *ProviderData) *OIDCProvider {
	return &OIDCProvider{ProviderData: p}
}

func (p *OIDCProvider) Redeem(redirectURL, code string) (s *SessionState, err error) {
	ctx := context.Background()
	c := oauth2.Config{
		ClientID:     p.ClientID,
		ClientSecret: p.ClientSecret,
		Endpoint: oauth2.Endpoint{
			TokenURL: p.RedeemURL.String(),
		},
		RedirectURL: redirectURL,
	}
	token, err := c.Exchange(ctx, code)
	if err != nil {
		return nil, fmt.Errorf("token exchange: %v", err)
	}

	rawIDToken, ok := token.Extra("id_token").(string)
	if !ok {
		return nil, fmt.Errorf("token response did not contain an id_token")
	}

	// Parse and verify ID Token payload.
	idToken, err := p.Verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, fmt.Errorf("could not verify id_token: %v", err)
	}

	// Extract custom claims.
	var claims struct {
		Email    string `json:"email"`
		Verified *bool  `json:"email_verified"`
	}
	if err := idToken.Claims(&claims); err != nil {
		return nil, fmt.Errorf("failed to parse id_token claims: %v", err)
	}

	if claims.Email == "" {
		return nil, fmt.Errorf("id_token did not contain an email")
	}
	if claims.Verified != nil && !*claims.Verified {
		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
	}

	s = &SessionState{
		AccessToken:  token.AccessToken,
		RefreshToken: token.RefreshToken,
		ExpiresOn:    token.Expiry,
		Email:        claims.Email,
	}

	return
}

func (p *OIDCProvider) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
	if s == nil || s.ExpiresOn.After(time.Now()) || s.RefreshToken == "" {
		return false, nil
	}

	origExpiration := s.ExpiresOn
	s.ExpiresOn = time.Now().Add(time.Second).Truncate(time.Second)
	fmt.Printf("refreshed access token %s (expired on %s)\n", s, origExpiration)
	return false, nil
}
: add an OpenID Connect provider See the README for usage with Dex or any other OIDC provider. To test run a backend: python3 -m http.server Run dex and modify the example config with the proxy callback: go get github.com/coreos/dex/cmd/dex cd $GOPATH/src/github.com/coreos/dex sed -i.bak \ 's\|http://127.0.0.1:5555/callback\|http://127.0.0.1:5555/oauth2/callback\|g' \ examples/config-dev.yaml make ./bin/dex serve examples/config-dev.yaml Then run the oauth2_proxy oauth2_proxy \ --oidc-issuer-url http://127.0.0.1:5556/dex \ --upstream http://localhost:8000 \ --client-id example-app \ --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \ --cookie-secret foo \ --email-domain '' \ --http-address http://127.0.0.1:5555 \ --redirect-url http://127.0.0.1:5555/oauth2/callback \ --cookie-secure=false Login with the username/password "admin@example.com:password" 2017-05-09 18:20:35 +00:00			`package providers`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`

			`"golang.org/x/oauth2"`

			`oidc "github.com/coreos/go-oidc"`
			`)`

			`type OIDCProvider struct {`
			`*ProviderData`

			`Verifier *oidc.IDTokenVerifier`
			`}`

			`func NewOIDCProvider(p ProviderData) OIDCProvider {`
			`return &OIDCProvider{ProviderData: p}`
			`}`

			`func (p OIDCProvider) Redeem(redirectURL, code string) (s SessionState, err error) {`
			`ctx := context.Background()`
			`c := oauth2.Config{`
			`ClientID: p.ClientID,`
			`ClientSecret: p.ClientSecret,`
			`Endpoint: oauth2.Endpoint{`
			`TokenURL: p.RedeemURL.String(),`
			`},`
			`RedirectURL: redirectURL,`
			`}`
			`token, err := c.Exchange(ctx, code)`
			`if err != nil {`
			`return nil, fmt.Errorf("token exchange: %v", err)`
			`}`

			`rawIDToken, ok := token.Extra("id_token").(string)`
			`if !ok {`
			`return nil, fmt.Errorf("token response did not contain an id_token")`
			`}`

			`// Parse and verify ID Token payload.`
			`idToken, err := p.Verifier.Verify(ctx, rawIDToken)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not verify id_token: %v", err)`
			`}`

			`// Extract custom claims.`
			`var claims struct {`
			Email string `json:"email"`
			Verified *bool `json:"email_verified"`
			`}`
			`if err := idToken.Claims(&claims); err != nil {`
			`return nil, fmt.Errorf("failed to parse id_token claims: %v", err)`
			`}`

			`if claims.Email == "" {`
			`return nil, fmt.Errorf("id_token did not contain an email")`
			`}`
			`if claims.Verified != nil && !*claims.Verified {`
			`return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)`
			`}`

			`s = &SessionState{`
			`AccessToken: token.AccessToken,`
			`RefreshToken: token.RefreshToken,`
			`ExpiresOn: token.Expiry,`
			`Email: claims.Email,`
			`}`

			`return`
			`}`

			`func (p OIDCProvider) RefreshSessionIfNeeded(s SessionState) (bool, error) {`
			`if s == nil \|\| s.ExpiresOn.After(time.Now()) \|\| s.RefreshToken == "" {`
			`return false, nil`
			`}`

			`origExpiration := s.ExpiresOn`
			`s.ExpiresOn = time.Now().Add(time.Second).Truncate(time.Second)`
			`fmt.Printf("refreshed access token %s (expired on %s)\n", s, origExpiration)`
			`return false, nil`
			`}`