public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add keycloak-oidc provider based on OIDCProvider

This commit is contained in:
Nick Meves 2021-03-14 10:20:59 -07:00
parent 4d9de06b1d
commit 07eb0efa6e
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
4 changed files with 102 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
pkg/validation/options.go
View File

@ -268,6 +268,19 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
if len(o.KeycloakGroups) > 0 { if len(o.KeycloakGroups) > 0 {
p.SetAllowedGroups(o.KeycloakGroups) p.SetAllowedGroups(o.KeycloakGroups)
} }
case *providers.KeycloakOIDCProvider:
if p.Verifier == nil {
msgs = append(msgs, "keycloak-oidc provider requires an oidc issuer URL")
}
// Backwards compatibility with `--keycloak-group` option
if len(o.KeycloakGroups) > 0 {
// Maybe already added with proper `--allowed-group` flag
if !strings.Contains(o.Scope, " groups") {
o.Scope += " groups"
}
p.SetAllowedGroups(o.KeycloakGroups)
}
case *providers.GoogleProvider: case *providers.GoogleProvider:
if o.GoogleServiceAccountJSON != "" { if o.GoogleServiceAccountJSON != "" {
file, err := os.Open(o.GoogleServiceAccountJSON) file, err := os.Open(o.GoogleServiceAccountJSON)
@ -286,10 +299,6 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
case *providers.BitbucketProvider: case *providers.BitbucketProvider:
p.SetTeam(o.BitbucketTeam) p.SetTeam(o.BitbucketTeam)
p.SetRepository(o.BitbucketRepository) p.SetRepository(o.BitbucketRepository)
case *providers.OIDCProvider:
if p.Verifier == nil {
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
}
case *providers.GitLabProvider: case *providers.GitLabProvider:
p.Groups = o.GitLabGroup p.Groups = o.GitLabGroup
err := p.AddProjects(o.GitlabProjects) err := p.AddProjects(o.GitlabProjects)
@ -345,6 +354,10 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
p.JWTKey = signKey p.JWTKey = signKey
} }
} }
case *providers.OIDCProvider:
if p.Verifier == nil {
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
}
} }
return msgs return msgs
} }

41
providers/keycloak_oidc.go Normal file
View File

@ -0,0 +1,41 @@
package providers
import (
"context"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
)
const keycloakOIDCProviderName = "Keycloak OIDC"
// KeycloakOIDCProvider creates a Keycloak provider based on OIDCProvider
type KeycloakOIDCProvider struct {
*OIDCProvider
}
// NewKeycloakOIDCProvider makes a KeycloakOIDCProvider using the ProviderData
func NewKeycloakOIDCProvider(p *ProviderData) *KeycloakOIDCProvider {
p.ProviderName = keycloakOIDCProviderName
return &KeycloakOIDCProvider{
OIDCProvider: &OIDCProvider{
ProviderData: p,
},
}
}
var _ Provider = (*KeycloakOIDCProvider)(nil)
// EnrichSession is called after Redeem to allow providers to enrich session fields
// such as User, Email, Groups with provider specific API calls.
func (p *KeycloakOIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
err := p.OIDCProvider.EnrichSession(ctx, s)
if err != nil {
return err
}
return p.extractRoles(ctx, s)
}
func (p *KeycloakOIDCProvider) extractRoles(ctx context.Context, s *sessions.SessionState) error {
// TODO: Implement me with Access Token Role claim extraction logic
return ErrNotImplemented
}

42
providers/keycloak_oidc_test.go Normal file
View File

@ -0,0 +1,42 @@
package providers
import (
"net/url"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("Keycloak OIDC Provider Tests", func() {
Context("New Provider Init", func() {
It("uses the passed ProviderData", func() {
p := NewKeycloakOIDCProvider(
&ProviderData{
LoginURL: &url.URL{
Scheme: "https",
Host: "keycloak-oidc.com",
Path: "/oauth/auth"},
RedeemURL: &url.URL{
Scheme: "https",
Host: "keycloak-oidc.com",
Path: "/oauth/token"},
ProfileURL: &url.URL{
Scheme: "https",
Host: "keycloak-oidc.com",
Path: "/api/v3/user"},
ValidateURL: &url.URL{
Scheme: "https",
Host: "keycloak-oidc.com",
Path: "/api/v3/user"},
Scope: "openid email profile"})
providerData := p.Data()
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
Expect(providerData.LoginURL.String()).To(Equal("https://keycloak-oidc.com/oauth/auth"))
Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak-oidc.com/oauth/token"))
Expect(providerData.ProfileURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user"))
Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user"))
Expect(providerData.Scope).To(Equal("openid email profile"))
})
})
})

2
providers/providers.go
View File

@ -31,6 +31,8 @@ func New(provider string, p *ProviderData) Provider {
return NewGitHubProvider(p) return NewGitHubProvider(p)
case "keycloak": case "keycloak":
return NewKeycloakProvider(p) return NewKeycloakProvider(p)
case "keycloak-oidc":
return NewKeycloakOIDCProvider(p)
case "azure": case "azure":
return NewAzureProvider(p) return NewAzureProvider(p)
case "gitlab": case "gitlab":