Fix #381, expose acr_values to all providers (#445)

This commit is contained in:
Jakub Holy 2020-03-17 18:57:33 +01:00 committed by GitHub
parent 4eef21cf3d
commit 3108f765a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 19 additions and 11 deletions


@ -9,6 +9,7 @@
## Changes since v5.0.0 ## Changes since v5.0.0
- [#445](https://github.com/pusher/oauth2_proxy/pull/445) Expose `acr_values` to all providers (@holyjak)
- [#419](https://github.com/pusher/oauth2_proxy/pull/419) Support Go 1.14, upgrade dependencies, upgrade golangci-lint to 1.23.6 (@johejo) - [#419](https://github.com/pusher/oauth2_proxy/pull/419) Support Go 1.14, upgrade dependencies, upgrade golangci-lint to 1.23.6 (@johejo)
- [#444](https://github.com/pusher/oauth2_proxy/pull/444) Support prompt in addition to approval-prompt (@holyjak) - [#444](https://github.com/pusher/oauth2_proxy/pull/444) Support prompt in addition to approval-prompt (@holyjak)
- [#435](https://github.com/pusher/oauth2_proxy/pull/435) Fix issue with group validation calling google directory API on every HTTP request (@ericofusco) - [#435](https://github.com/pusher/oauth2_proxy/pull/435) Fix issue with group validation calling google directory API on every HTTP request (@ericofusco)


@ -22,7 +22,7 @@ An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example
| Option | Type | Description | Default | | Option | Type | Description | Default |
| ------ | ---- | ----------- | ------- | | ------ | ---- | ----------- | ------- |
| `-acr-values` | string | optional, used by login.gov | `"http://idmanagement.gov/ns/assurance/loa/1"` | | `-acr-values` | string | optional, see [docs](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html#acrValues) | `""` |
| `-approval-prompt` | string | OAuth approval_prompt | `"force"` | | `-approval-prompt` | string | OAuth approval_prompt | `"force"` |
| `-auth-logging` | bool | Log authentication attempts | true | | `-auth-logging` | bool | Log authentication attempts | true |
| `-auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) | | `-auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) |


@ -136,7 +136,7 @@ func main() {
flagSet.String("approval-prompt", "force", "OAuth approval_prompt") flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)") flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")
flagSet.String("acr-values", "http://idmanagement.gov/ns/assurance/loa/1", "acr values string: optional, used by login.gov") flagSet.String("acr-values", "", "acr values string: optional")
flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov") flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov")
flagSet.String("jwt-key-file", "", "path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov") flagSet.String("jwt-key-file", "", "path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov")
flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov") flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
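Review bot: The new help text for `acr-values` says only "optional", but the login.gov provider in this same commit substitutes `http://idmanagement.gov/ns/assurance/loa/1` whenever the flag is left empty, so the effective default differs per provider and the operator cannot see that from `--help`. I would state it in the usage string: `flagSet.String("acr-values", "", "acr values string: optional (login.gov uses http://idmanagement.gov/ns/assurance/loa/1 when empty)")`. The same sentence belongs in the configuration table row that this commit changed to `""`. The enclosing main() continues outside the hunk.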


@ -415,6 +415,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
ClientSecretFile: o.ClientSecretFile, ClientSecretFile: o.ClientSecretFile,
Prompt: o.Prompt, Prompt: o.Prompt,
ApprovalPrompt: o.ApprovalPrompt, ApprovalPrompt: o.ApprovalPrompt,
AcrValues: o.AcrValues,
} }
p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs) p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs)
p.RedeemURL, msgs = parseURL(o.RedeemURL, "redeem", msgs) p.RedeemURL, msgs = parseURL(o.RedeemURL, "redeem", msgs)
@ -473,7 +474,6 @@ func parseProviderInfo(o *Options, msgs []string) []string {
} }
} }
case *providers.LoginGovProvider: case *providers.LoginGovProvider:
p.AcrValues = o.AcrValues
p.PubJWKURL, msgs = parseURL(o.PubJWKURL, "pubjwk", msgs) p.PubJWKURL, msgs = parseURL(o.PubJWKURL, "pubjwk", msgs)
// JWT key can be supplied via env variable or file in the filesystem, but not both. // JWT key can be supplied via env variable or file in the filesystem, but not both.


@ -24,7 +24,6 @@ type LoginGovProvider struct {
// TODO (@timothy-spencer): Ideally, the nonce would be in the session state, but the session state // TODO (@timothy-spencer): Ideally, the nonce would be in the session state, but the session state
// is created only upon code redemption, not during the auth, when this must be supplied. // is created only upon code redemption, not during the auth, when this must be supplied.
Nonce string Nonce string
AcrValues string
JWTKey *rsa.PrivateKey JWTKey *rsa.PrivateKey
PubJWKURL *url.URL PubJWKURL *url.URL
} }
@ -270,7 +269,11 @@ func (p *LoginGovProvider) GetLoginURL(redirectURI, state string) string {
params.Set("client_id", p.ClientID) params.Set("client_id", p.ClientID)
params.Set("response_type", "code") params.Set("response_type", "code")
params.Add("state", state) params.Add("state", state)
params.Add("acr_values", p.AcrValues) acr := p.AcrValues
if acr == "" {
acr = "http://idmanagement.gov/ns/assurance/loa/1"
}
params.Add("acr_values", acr)
params.Add("nonce", p.Nonce) params.Add("nonce", p.Nonce)
a.RawQuery = params.Encode() a.RawQuery = params.Encode()
return a.String() return a.String()
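Review bot: The fallback in GetLoginURL hard-codes the assurance-level URL as an inline literal, and the same literal has just been removed from the flag default in main.go, so the only remaining record of why login.gov gets this value is the string itself. I would lift it to a package-level `const defaultAcrValues = "http://idmanagement.gov/ns/assurance/loa/1"` next to the type and write `acr := p.AcrValues; if acr == "" { acr = defaultAcrValues }`, with a comment such as `// Pre-#445 default; an explicit -acr-values overrides it.` so a later reader knows the fallback is deliberate compatibility behaviour and not a leftover. Since acr_values declares the assurance level requested from the IdP, having it in one named, documented place also makes it easier to audit what is being asked for. GetLoginURL begins before this hunk.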


@ -12,17 +12,20 @@ import (
// of OAuth2 providers // of OAuth2 providers
type ProviderData struct { type ProviderData struct {
ProviderName string ProviderName string
ClientID string
ClientSecret string
ClientSecretFile string
LoginURL *url.URL LoginURL *url.URL
RedeemURL *url.URL RedeemURL *url.URL
ProfileURL *url.URL ProfileURL *url.URL
ProtectedResource *url.URL ProtectedResource *url.URL
ValidateURL *url.URL ValidateURL *url.URL
Scope string // Auth request params & related, see
Prompt string //https://openid.net/specs/openid-connect-basic-1_0.html#rfc.section.2.1.1.1
ApprovalPrompt string AcrValues string
ApprovalPrompt string // NOTE: Renamed to "prompt" in OAuth2
ClientID string
ClientSecret string
ClientSecretFile string
Scope string
Prompt string
} }
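Review bot: The new group comment above AcrValues has no space after the comment marker on its second line (`//https://openid.net/...`), which gofmt leaves alone but reads as a typo and is the form linters flag. I would also give the new field its own doc line, since it is now sent by every provider: `// AcrValues is sent as the acr_values parameter of the authorization request.` The "Renamed to "prompt"" remark on ApprovalPrompt is about the older approval_prompt parameter rather than this commit; keep it, but it would sit better as a trailing comment on the Prompt field it refers to, or as one sentence covering both fields.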
// Data returns the ProviderData // Data returns the ProviderData


@ -90,6 +90,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
a = *p.LoginURL a = *p.LoginURL
params, _ := url.ParseQuery(a.RawQuery) params, _ := url.ParseQuery(a.RawQuery)
params.Set("redirect_uri", redirectURI) params.Set("redirect_uri", redirectURI)
params.Add("acr_values", p.AcrValues)
if p.Prompt != "" { if p.Prompt != "" {
params.Set("prompt", p.Prompt) params.Set("prompt", p.Prompt)
} else { // Legacy variant of the prompt param: } else { // Legacy variant of the prompt param:
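Review bot: The added `params.Add("acr_values", p.AcrValues)` runs unconditionally, and with the flag default now `""` every provider except login.gov will send an empty `acr_values=` parameter on every authorization request, which some identity providers treat as a malformed request rather than as "not specified". Guard it the way the surrounding code guards `prompt`: `if p.AcrValues != "" { params.Set("acr_values", p.AcrValues) }`. Using Set rather than Add also matches the neighbouring `redirect_uri`/`prompt` calls and avoids a duplicated parameter when the configured login URL already carries `acr_values` in its query, since `params` is parsed from `a.RawQuery` two lines above. GetLoginURL begins and ends outside this hunk.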