public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #2229 from tuunit/bugfix/default-scopes-for-oidc-based-providers 

bugfix: default scopes for OIDCProvider based providers
This commit is contained in:
Joel Speed 2023-09-11 10:11:26 +01:00 committed by GitHub
parent 3c2d67d367 7683902a42
commit 854401ec00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 37 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -11,6 +11,7 @@
- [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen) - [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen)
- [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider - [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider
- [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos) - [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos)
- [#2229](https://github.com/oauth2-proxy/oauth2-proxy/pull/2229) bugfix: default scopes for OIDCProvider based providers
# V7.5.0 # V7.5.0

5
providers/adfs.go
View File

@ -46,10 +46,7 @@ func NewADFSProvider(p *ProviderData, opts options.ADFSOptions) *ADFSProvider {
} }
} }
oidcProvider := &OIDCProvider{ oidcProvider := NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false})
ProviderData: p,
SkipNonce: false,
}
return &ADFSProvider{ return &ADFSProvider{
OIDCProvider: oidcProvider, OIDCProvider: oidcProvider,

8
providers/adfs_test.go
View File

@ -136,7 +136,13 @@ var _ = Describe("ADFS Provider Tests", func() {
It("uses defaults", func() { It("uses defaults", func() {
providerData := NewADFSProvider(&ProviderData{}, options.ADFSOptions{}).Data() providerData := NewADFSProvider(&ProviderData{}, options.ADFSOptions{}).Data()
Expect(providerData.ProviderName).To(Equal("ADFS")) Expect(providerData.ProviderName).To(Equal("ADFS"))
Expect(providerData.Scope).To(Equal("openid email profile")) Expect(providerData.Scope).To(Equal(oidcDefaultScope))
})
It("uses custom scope", func() {
providerData := NewADFSProvider(&ProviderData{Scope: "openid email"}, options.ADFSOptions{}).Data()
Expect(providerData.ProviderName).To(Equal("ADFS"))
Expect(providerData.Scope).To(Equal("openid email"))
Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
}) })
}) })

5
providers/gitlab.go
View File

@ -40,10 +40,7 @@ func NewGitLabProvider(p *ProviderData, opts options.GitLabOptions) (*GitLabProv
p.Scope = gitlabDefaultScope p.Scope = gitlabDefaultScope
} }
oidcProvider := &OIDCProvider{ oidcProvider := NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false})
ProviderData: p,
SkipNonce: false,
}
provider := &GitLabProvider{ provider := &GitLabProvider{
OIDCProvider: oidcProvider, OIDCProvider: oidcProvider,

9
providers/gitlab_test.go
View File

@ -170,6 +170,15 @@ var _ = Describe("Gitlab Provider Tests", func() {
b.Close() b.Close()
}) })
Context("New Provider Init", func() {
It("creates new keycloak oidc provider with expected defaults", func() {
providerData := p.Data()
Expect(providerData.ProviderName).To(Equal(gitlabProviderName))
Expect(providerData.Scope).To(Equal(gitlabDefaultScope))
Expect(providerData.ProviderName).NotTo(Equal(oidcDefaultScope))
})
})
Context("with bad token", func() { Context("with bad token", func() {
It("should trigger an error", func() { It("should trigger an error", func() {
p.AllowUnverifiedEmail = false p.AllowUnverifiedEmail = false

4
providers/keycloak_oidc.go
View File

@ -22,9 +22,7 @@ func NewKeycloakOIDCProvider(p *ProviderData, opts options.KeycloakOptions) *Key
}) })
provider := &KeycloakOIDCProvider{ provider := &KeycloakOIDCProvider{
OIDCProvider: &OIDCProvider{ OIDCProvider: NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false}),
ProviderData: p,
},
} }
provider.addAllowedRoles(opts.Roles) provider.addAllowedRoles(opts.Roles)

12
providers/keycloak_oidc_test.go
View File

@ -67,7 +67,7 @@ func newKeycloakOIDCProvider(serverURL *url.URL, opts options.KeycloakOptions) *
Scheme: "https", Scheme: "https",
Host: "keycloak-oidc.com", Host: "keycloak-oidc.com",
Path: "/api/v3/user"}, Path: "/api/v3/user"},
Scope: "openid email profile"}, },
opts) opts)
if serverURL != nil { if serverURL != nil {
@ -97,7 +97,15 @@ var _ = Describe("Keycloak OIDC Provider Tests", func() {
Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak-oidc.com/oauth/token")) Expect(providerData.RedeemURL.String()).To(Equal("https://keycloak-oidc.com/oauth/token"))
Expect(providerData.ProfileURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user")) Expect(providerData.ProfileURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user"))
Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user")) Expect(providerData.ValidateURL.String()).To(Equal("https://keycloak-oidc.com/api/v3/user"))
Expect(providerData.Scope).To(Equal("openid email profile")) Expect(providerData.Scope).To(Equal(oidcDefaultScope))
})
It("creates new keycloak oidc provider with custom scope", func() {
p := NewKeycloakOIDCProvider(&ProviderData{Scope: "openid email"}, options.KeycloakOptions{})
providerData := p.Data()
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
Expect(providerData.Scope).To(Equal("openid email"))
Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
}) })
}) })

8
providers/oidc.go
View File

@ -24,8 +24,14 @@ const oidcDefaultScope = "openid email profile"
// NewOIDCProvider initiates a new OIDCProvider // NewOIDCProvider initiates a new OIDCProvider
func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider { func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
name := "OpenID Connect"
if p.ProviderName != "" {
name = p.ProviderName
}
oidcProviderDefaults := providerDefaults{ oidcProviderDefaults := providerDefaults{
name: "OpenID Connect", name: name,
loginURL: nil, loginURL: nil,
redeemURL: nil, redeemURL: nil,
profileURL: nil, profileURL: nil,