cb48577ede
See the README for usage with Dex or any other OIDC provider.
To test run a backend:
python3 -m http.server
Run dex and modify the example config with the proxy callback:
go get github.com/coreos/dex/cmd/dex
cd $GOPATH/src/github.com/coreos/dex
sed -i.bak \
's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
examples/config-dev.yaml
make
./bin/dex serve examples/config-dev.yaml
Then run the oauth2_proxy
oauth2_proxy \
--oidc-issuer-url http://127.0.0.1:5556/dex \
--upstream http://localhost:8000 \
--client-id example-app \
--client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
--cookie-secret foo \
--email-domain '*' \
--http-address http://127.0.0.1:5555 \
--redirect-url http://127.0.0.1:5555/oauth2/callback \
--cookie-secure=false
Login with the username/password "admin@example.com:password"
85 lines
2.0 KiB
Go
85 lines
2.0 KiB
Go
package providers
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2"
|
|
|
|
oidc "github.com/coreos/go-oidc"
|
|
)
|
|
|
|
type OIDCProvider struct {
|
|
*ProviderData
|
|
|
|
Verifier *oidc.IDTokenVerifier
|
|
}
|
|
|
|
func NewOIDCProvider(p *ProviderData) *OIDCProvider {
|
|
return &OIDCProvider{ProviderData: p}
|
|
}
|
|
|
|
func (p *OIDCProvider) Redeem(redirectURL, code string) (s *SessionState, err error) {
|
|
ctx := context.Background()
|
|
c := oauth2.Config{
|
|
ClientID: p.ClientID,
|
|
ClientSecret: p.ClientSecret,
|
|
Endpoint: oauth2.Endpoint{
|
|
TokenURL: p.RedeemURL.String(),
|
|
},
|
|
RedirectURL: redirectURL,
|
|
}
|
|
token, err := c.Exchange(ctx, code)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("token exchange: %v", err)
|
|
}
|
|
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
return nil, fmt.Errorf("token response did not contain an id_token")
|
|
}
|
|
|
|
// Parse and verify ID Token payload.
|
|
idToken, err := p.Verifier.Verify(ctx, rawIDToken)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not verify id_token: %v", err)
|
|
}
|
|
|
|
// Extract custom claims.
|
|
var claims struct {
|
|
Email string `json:"email"`
|
|
Verified *bool `json:"email_verified"`
|
|
}
|
|
if err := idToken.Claims(&claims); err != nil {
|
|
return nil, fmt.Errorf("failed to parse id_token claims: %v", err)
|
|
}
|
|
|
|
if claims.Email == "" {
|
|
return nil, fmt.Errorf("id_token did not contain an email")
|
|
}
|
|
if claims.Verified != nil && !*claims.Verified {
|
|
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
|
|
}
|
|
|
|
s = &SessionState{
|
|
AccessToken: token.AccessToken,
|
|
RefreshToken: token.RefreshToken,
|
|
ExpiresOn: token.Expiry,
|
|
Email: claims.Email,
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func (p *OIDCProvider) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
|
|
if s == nil || s.ExpiresOn.After(time.Now()) || s.RefreshToken == "" {
|
|
return false, nil
|
|
}
|
|
|
|
origExpiration := s.ExpiresOn
|
|
s.ExpiresOn = time.Now().Add(time.Second).Truncate(time.Second)
|
|
fmt.Printf("refreshed access token %s (expired on %s)\n", s, origExpiration)
|
|
return false, nil
|
|
}
|