Merge pull request #159 from djfinlay/wip/allow-unverified-email
Create option to skip verified email check in OIDC provider
commit
a83c5eabb6
@ -64,6 +64,7 @@
|
|||||||
- Google Group membership is additionally checked via email address, allowing users outside a GSuite domain to be authorized.
|
- Google Group membership is additionally checked via email address, allowing users outside a GSuite domain to be authorized.
|
||||||
- [#195](https://github.com/pusher/outh2_proxy/pull/195) Add `-banner` flag for overriding the banner line that is displayed (@steakunderscore)
|
- [#195](https://github.com/pusher/outh2_proxy/pull/195) Add `-banner` flag for overriding the banner line that is displayed (@steakunderscore)
|
||||||
- [#198](https://github.com/pusher/outh2_proxy/pull/198) Switch from gometalinter to golangci-lint (@steakunderscore)
|
- [#198](https://github.com/pusher/outh2_proxy/pull/198) Switch from gometalinter to golangci-lint (@steakunderscore)
|
||||||
|
- [#159](https://github.com/pusher/oauth2_proxy/pull/159) Add option to skip the OIDC provider verified email check: `--insecure-oidc-allow-unverified-email`
|
||||||
|
|
||||||
# v3.2.0
|
# v3.2.0
|
||||||
|
|
||||||
|
@ -63,6 +63,7 @@ Usage of oauth2_proxy:
|
|||||||
-jwt-key string: private key in PEM format used to sign JWT, so that you can say something like -jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
|
-jwt-key string: private key in PEM format used to sign JWT, so that you can say something like -jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
|
||||||
-jwt-key-file string: path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
|
-jwt-key-file string: path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
|
||||||
-login-url string: Authentication endpoint
|
-login-url string: Authentication endpoint
|
||||||
|
-insecure-oidc-allow-unverified-email: don't fail if an email address in an id_token is not verified
|
||||||
-oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com"
|
-oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com"
|
||||||
-oidc-jwks-url string: OIDC JWKS URI for token verification; required if OIDC discovery is disabled
|
-oidc-jwks-url string: OIDC JWKS URI for token verification; required if OIDC discovery is disabled
|
||||||
-pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
|
-pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
|
||||||
|
1
main.go
1
main.go
@ -104,6 +104,7 @@ func main() {
|
|||||||
|
|
||||||
flagSet.String("provider", "google", "OAuth provider")
|
flagSet.String("provider", "google", "OAuth provider")
|
||||||
flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
|
flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
|
||||||
|
flagSet.Bool("insecure-oidc-allow-unverified-email", false, "Don't fail if an email address in an id_token is not verified")
|
||||||
flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")
|
flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")
|
||||||
flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
|
flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
|
||||||
flagSet.String("login-url", "", "Authentication endpoint")
|
flagSet.String("login-url", "", "Authentication endpoint")
|
||||||
|
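Review bot: The help text for the new `insecure-oidc-allow-unverified-email` flag describes the mechanics but not the consequence, and a flag named "insecure" should say what it gives up so an operator reading `--help` does not enable it casually. Suggest `flagSet.Bool("insecure-oidc-allow-unverified-email", false, "Don't fail if an email address in an id_token is not verified (insecure: the email is then used for authorization without the issuer having confirmed ownership)")`. The surrounding `main` body starts and ends outside the hunk.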
69
options.go
69
options.go
@ -79,17 +79,18 @@ type Options struct {
|
|||||||
|
|
||||||
// These options allow for other providers besides Google, with
|
// These options allow for other providers besides Google, with
|
||||||
// potential overrides.
|
// potential overrides.
|
||||||
Provider string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"`
|
Provider string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"`
|
||||||
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"`
|
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"`
|
||||||
SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"`
|
InsecureOIDCAllowUnverifiedEmail bool `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email" env:"OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL"`
|
||||||
OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"`
|
SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"`
|
||||||
LoginURL string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"`
|
OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"`
|
||||||
RedeemURL string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"`
|
LoginURL string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"`
|
||||||
ProfileURL string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"`
|
RedeemURL string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"`
|
||||||
ProtectedResource string `flag:"resource" cfg:"resource" env:"OAUTH2_PROXY_RESOURCE"`
|
ProfileURL string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"`
|
||||||
ValidateURL string `flag:"validate-url" cfg:"validate_url" env:"OAUTH2_PROXY_VALIDATE_URL"`
|
ProtectedResource string `flag:"resource" cfg:"resource" env:"OAUTH2_PROXY_RESOURCE"`
|
||||||
Scope string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
|
ValidateURL string `flag:"validate-url" cfg:"validate_url" env:"OAUTH2_PROXY_VALIDATE_URL"`
|
||||||
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"`
|
Scope string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
|
||||||
|
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"`
|
||||||
|
|
||||||
// Configuration values for logging
|
// Configuration values for logging
|
||||||
LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_LOGGING_FILENAME"`
|
LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_LOGGING_FILENAME"`
|
||||||
@ -147,28 +148,29 @@ func NewOptions() *Options {
|
|||||||
SessionOptions: options.SessionOptions{
|
SessionOptions: options.SessionOptions{
|
||||||
Type: "cookie",
|
Type: "cookie",
|
||||||
},
|
},
|
||||||
SetXAuthRequest: false,
|
SetXAuthRequest: false,
|
||||||
SkipAuthPreflight: false,
|
SkipAuthPreflight: false,
|
||||||
PassBasicAuth: true,
|
PassBasicAuth: true,
|
||||||
PassUserHeaders: true,
|
PassUserHeaders: true,
|
||||||
PassAccessToken: false,
|
PassAccessToken: false,
|
||||||
PassHostHeader: true,
|
PassHostHeader: true,
|
||||||
SetAuthorization: false,
|
SetAuthorization: false,
|
||||||
PassAuthorization: false,
|
PassAuthorization: false,
|
||||||
ApprovalPrompt: "force",
|
ApprovalPrompt: "force",
|
||||||
SkipOIDCDiscovery: false,
|
InsecureOIDCAllowUnverifiedEmail: false,
|
||||||
LoggingFilename: "",
|
SkipOIDCDiscovery: false,
|
||||||
LoggingMaxSize: 100,
|
LoggingFilename: "",
|
||||||
LoggingMaxAge: 7,
|
LoggingMaxSize: 100,
|
||||||
LoggingMaxBackups: 0,
|
LoggingMaxAge: 7,
|
||||||
LoggingLocalTime: true,
|
LoggingMaxBackups: 0,
|
||||||
LoggingCompress: false,
|
LoggingLocalTime: true,
|
||||||
StandardLogging: true,
|
LoggingCompress: false,
|
||||||
StandardLoggingFormat: logger.DefaultStandardLoggingFormat,
|
StandardLogging: true,
|
||||||
RequestLogging: true,
|
StandardLoggingFormat: logger.DefaultStandardLoggingFormat,
|
||||||
RequestLoggingFormat: logger.DefaultRequestLoggingFormat,
|
RequestLogging: true,
|
||||||
AuthLogging: true,
|
RequestLoggingFormat: logger.DefaultRequestLoggingFormat,
|
||||||
AuthLoggingFormat: logger.DefaultAuthLoggingFormat,
|
AuthLogging: true,
|
||||||
|
AuthLoggingFormat: logger.DefaultAuthLoggingFormat,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -397,6 +399,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
case *providers.OIDCProvider:
|
case *providers.OIDCProvider:
|
||||||
|
p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
|
||||||
if o.oidcVerifier == nil {
|
if o.oidcVerifier == nil {
|
||||||
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
|
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
|
||||||
} else {
|
} else {
|
||||||
|
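Review bot: The assignment `p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail` in parseProviderInfo enables a weakened identity check without leaving any trace at startup, so an operator reviewing logs cannot tell that the proxy is accepting unverified email claims. Consider a warning on the true path, e.g. `if o.InsecureOIDCAllowUnverifiedEmail { logger.Printf("WARNING: insecure-oidc-allow-unverified-email is set; email claims the issuer marks unverified will be accepted") }`; `logger` is already referenced in this file (`logger.DefaultStandardLoggingFormat`), though whether it exposes a Printf is not visible here. The new `InsecureOIDCAllowUnverifiedEmail` field in the Options struct hunk would also benefit from a comment stating that it only affects the OIDC provider and is wired through in parseProviderInfo. parseProviderInfo's switch starts and ends outside the hunk.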
@ -14,7 +14,8 @@ import (
|
|||||||
type OIDCProvider struct {
|
type OIDCProvider struct {
|
||||||
*ProviderData
|
*ProviderData
|
||||||
|
|
||||||
Verifier *oidc.IDTokenVerifier
|
Verifier *oidc.IDTokenVerifier
|
||||||
|
AllowUnverifiedEmail bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewOIDCProvider initiates a new OIDCProvider
|
// NewOIDCProvider initiates a new OIDCProvider
|
||||||
@ -119,7 +120,7 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
|
|||||||
// TODO: Try getting email from /userinfo before falling back to Subject
|
// TODO: Try getting email from /userinfo before falling back to Subject
|
||||||
claims.Email = claims.Subject
|
claims.Email = claims.Subject
|
||||||
}
|
}
|
||||||
if claims.Verified != nil && !*claims.Verified {
|
if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
|
||||||
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
||||||
}
|
}
|
||||||
|
|
||||||
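Review bot: With the relaxed condition `if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified`, a session can now be created from an email the issuer explicitly marked as unverified, yet nothing distinguishes such a session from a verified one in the logs, so it cannot be audited later. Suggest recording it on that path before the check, e.g. `if p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified { /* log that claims.Email is being accepted unverified */ }`, using whatever logger this file already imports (not visible in the hunk). Note that an absent `email_verified` claim (`claims.Verified == nil`) was already accepted before this change, so the flag only affects an explicit false; that is worth a comment on the `AllowUnverifiedEmail` field in the struct hunk above, e.g. `// AllowUnverifiedEmail accepts an id_token whose email_verified claim is false; an absent claim is accepted regardless of this setting.` createSessionState starts and ends outside the hunk.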
|