Create option to skip verified email check in OIDC provider

Daryl Finlay 2019-05-20 12:32:10 +01:00
parent ecd0f89c84
commit 018a25be04
4 changed files with 41 additions and 35 deletions


@ -63,6 +63,7 @@ Usage of oauth2_proxy:
-jwt-key string: private key in PEM format used to sign JWT, so that you can say something like -jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov -jwt-key string: private key in PEM format used to sign JWT, so that you can say something like -jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
-jwt-key-file string: path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov -jwt-key-file string: path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
-login-url string: Authentication endpoint -login-url string: Authentication endpoint
-oidc-allow-unverified-email: don't fail if an email address in an id_token is not verified
-oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com" -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com"
-oidc-jwks-url string: OIDC JWKS URI for token verification; required if OIDC discovery is disabled -oidc-jwks-url string: OIDC JWKS URI for token verification; required if OIDC discovery is disabled
-pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header


@ -104,6 +104,7 @@ func main() {
flagSet.String("provider", "google", "OAuth provider") flagSet.String("provider", "google", "OAuth provider")
flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)") flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
flagSet.Bool("oidc-allow-unverified-email", false, "Don't fail if an email address in an id_token is not verified")
flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints") flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")
flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)") flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
flagSet.String("login-url", "", "Authentication endpoint") flagSet.String("login-url", "", "Authentication endpoint")


@ -79,17 +79,18 @@ type Options struct {
// These options allow for other providers besides Google, with // These options allow for other providers besides Google, with
// potential overrides. // potential overrides.
Provider string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"` Provider string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"`
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"` OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"`
SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"` OIDCAllowUnverifiedEmail bool `flag:"oidc-allow-unverified-email" cfg:"oidc_allow_unverified_email" env:"OAUTH2_PROXY_OIDC_ALLOW_UNVERIFIED_EMAIL"`
OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"` SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"`
LoginURL string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"` OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"`
RedeemURL string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"` LoginURL string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"`
ProfileURL string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"` RedeemURL string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"`
ProtectedResource string `flag:"resource" cfg:"resource" env:"OAUTH2_PROXY_RESOURCE"` ProfileURL string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"`
ValidateURL string `flag:"validate-url" cfg:"validate_url" env:"OAUTH2_PROXY_VALIDATE_URL"` ProtectedResource string `flag:"resource" cfg:"resource" env:"OAUTH2_PROXY_RESOURCE"`
Scope string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"` ValidateURL string `flag:"validate-url" cfg:"validate_url" env:"OAUTH2_PROXY_VALIDATE_URL"`
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"` Scope string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"`
// Configuration values for logging // Configuration values for logging
LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_LOGGING_FILENAME"` LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_LOGGING_FILENAME"`
@ -147,28 +148,29 @@ func NewOptions() *Options {
SessionOptions: options.SessionOptions{ SessionOptions: options.SessionOptions{
Type: "cookie", Type: "cookie",
}, },
SetXAuthRequest: false, SetXAuthRequest: false,
SkipAuthPreflight: false, SkipAuthPreflight: false,
PassBasicAuth: true, PassBasicAuth: true,
PassUserHeaders: true, PassUserHeaders: true,
PassAccessToken: false, PassAccessToken: false,
PassHostHeader: true, PassHostHeader: true,
SetAuthorization: false, SetAuthorization: false,
PassAuthorization: false, PassAuthorization: false,
ApprovalPrompt: "force", ApprovalPrompt: "force",
SkipOIDCDiscovery: false, OIDCAllowUnverifiedEmail: false,
LoggingFilename: "", SkipOIDCDiscovery: false,
LoggingMaxSize: 100, LoggingFilename: "",
LoggingMaxAge: 7, LoggingMaxSize: 100,
LoggingMaxBackups: 0, LoggingMaxAge: 7,
LoggingLocalTime: true, LoggingMaxBackups: 0,
LoggingCompress: false, LoggingLocalTime: true,
StandardLogging: true, LoggingCompress: false,
StandardLoggingFormat: logger.DefaultStandardLoggingFormat, StandardLogging: true,
RequestLogging: true, StandardLoggingFormat: logger.DefaultStandardLoggingFormat,
RequestLoggingFormat: logger.DefaultRequestLoggingFormat, RequestLogging: true,
AuthLogging: true, RequestLoggingFormat: logger.DefaultRequestLoggingFormat,
AuthLoggingFormat: logger.DefaultAuthLoggingFormat, AuthLogging: true,
AuthLoggingFormat: logger.DefaultAuthLoggingFormat,
} }
} }
@ -397,6 +399,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
} }
} }
case *providers.OIDCProvider: case *providers.OIDCProvider:
p.AllowUnverifiedEmail = o.OIDCAllowUnverifiedEmail
if o.oidcVerifier == nil { if o.oidcVerifier == nil {
msgs = append(msgs, "oidc provider requires an oidc issuer URL") msgs = append(msgs, "oidc provider requires an oidc issuer URL")
} else { } else {
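Review bot: Setting `p.AllowUnverifiedEmail = o.OIDCAllowUnverifiedEmail` widens trust without leaving any trace at runtime: once the option is on, the email carried in the id_token is accepted even when the provider reports `email_verified: false`, and if the deployment restricts access or sets upstream identity headers based on that address (not visible in this hunk), an account whose address was never confirmed can satisfy those checks. The option is a deliberate operator choice, so it should not be rejected, but it should be auditable at startup: after the assignment add `if o.OIDCAllowUnverifiedEmail { logger.Printf("WARNING: oidc-allow-unverified-email is set; email addresses in id_tokens will be trusted without provider verification") }`, using the logger package this file already references in NewOptions. A short doc comment on the new struct field saying the same thing would help operators reading options.go directly. parseProviderInfo starts and ends outside the hunk.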


@ -14,7 +14,8 @@ import (
type OIDCProvider struct { type OIDCProvider struct {
*ProviderData *ProviderData
Verifier *oidc.IDTokenVerifier Verifier *oidc.IDTokenVerifier
AllowUnverifiedEmail bool
} }
// NewOIDCProvider initiates a new OIDCProvider // NewOIDCProvider initiates a new OIDCProvider
@ -119,7 +120,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
// TODO: Try getting email from /userinfo before falling back to Subject // TODO: Try getting email from /userinfo before falling back to Subject
claims.Email = claims.Subject claims.Email = claims.Subject
} }
if claims.Verified != nil && !*claims.Verified { if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email) return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
} }
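Review bot: The rewritten condition only rejects an explicit `email_verified: false`; a token with no `email_verified` claim (`claims.Verified == nil`) passes in both modes, so strict mode is already lenient toward providers that omit the claim, and the help text "don't fail if an email address in an id_token is not verified" overstates what the default enforces. That is pre-existing behaviour, but the new flag makes it worth a comment on the condition so the next reader does not assume the flag is the only path by which an unverified address gets through: `// Only an explicit email_verified=false is rejected; a missing claim is treated as verified. AllowUnverifiedEmail bypasses even that check.` Since the email may have been substituted from Subject a few lines above and is presumably what the session is keyed on, consider also emitting a log line when the check is bypassed so the relaxed decision appears in the auth log rather than only in the startup configuration. createSessionState continues outside the hunk.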