From c2c1caa4042aedb66980a62f44101d5181b8e3b4 Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Mon, 1 Jun 2020 08:56:50 -0700
Subject: [PATCH] Set User = Subject in ExtraJWTBearer sessions
---
 CHANGELOG.md | 1 +
 oauthproxy_test.go | 6 +++---
 providers/provider_default.go | 11 +++++------
 providers/provider_default_test.go | 7 ++++---
 4 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5ea4fc00..d1568de2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -55,6 +55,7 @@ ## Changes since v5.1.1
+- [#596](https://github.com/oauth2-proxy/oauth2-proxy/pull/596) Validate Bearer IDTokens in headers with correct provider/extra JWT Verifier (@NickMeves)
 - [#620](https://github.com/oauth2-proxy/oauth2-proxy/pull/620) Add HealthCheck middleware (@JoelSpeed)
 - [#597](https://github.com/oauth2-proxy/oauth2-proxy/pull/597) Don't log invalid redirect if redirect is empty (@JoelSpeed)
 - [#604](https://github.com/oauth2-proxy/oauth2-proxy/pull/604) Add Keycloak local testing environment (@EvgeniGordeev)
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 32385323..0c244bae 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -1578,7 +1578,7 @@ func TestGetJwtSession(t *testing.T) {
 	// Bearer
 	expires := time.Unix(1912151821, 0)
 	session, _ := test.proxy.GetJwtSession(test.req)
-	assert.Equal(t, session.User, "john@example.com")
+	assert.Equal(t, session.User, "1234567890")
 	assert.Equal(t, session.Email, "john@example.com")
 	assert.Equal(t, session.ExpiresOn, &expires)
 	assert.Equal(t, session.IDToken, goodJwt)
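Review bot: The new assertion puts the actual value before the expected one, `assert.Equal(t, session.User, "1234567890")`; testify's signature is `Equal(t, expected, actual)`, so on failure the report would label the literal as the received value. Swapping to `assert.Equal(t, "1234567890", session.User)` fixes the message (the Email, ExpiresOn and IDToken lines in the same hunk share the pattern, but only the User line is new here). The context line above also discards GetJwtSession's error with `session, _ :=`, so a nil session would panic on the new line rather than fail with a message; an `assert.NoError(t, err)` would make the success assumption explicit. TestGetJwtSession starts and ends outside the hunk.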
@@ -1590,12 +1590,12 @@ func TestGetJwtSession(t *testing.T) {
 	// Check PassAuthorization, should overwrite Basic header
 	assert.Equal(t, test.req.Header.Get("Authorization"), authHeader)
-	assert.Equal(t, test.req.Header.Get("X-Forwarded-User"), "john@example.com")
+	assert.Equal(t, test.req.Header.Get("X-Forwarded-User"), "1234567890")
 	assert.Equal(t, test.req.Header.Get("X-Forwarded-Email"), "john@example.com")
 	// SetAuthorization and SetXAuthRequest
 	assert.Equal(t, test.rw.Header().Get("Authorization"), authHeader)
-	assert.Equal(t, test.rw.Header().Get("X-Auth-Request-User"), "john@example.com")
+	assert.Equal(t, test.rw.Header().Get("X-Auth-Request-User"), "1234567890")
 	assert.Equal(t, test.rw.Header().Get("X-Auth-Request-Email"), "john@example.com")
 }
diff --git a/providers/provider_default.go b/providers/provider_default.go
index 9f7ba3c5..14cec9fe 100644
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@@ -164,14 +164,13 @@ func (p *ProviderData) CreateSessionStateFromBearerToken(ctx context.Context, ra
 	newSession := &sessions.SessionState{
 		Email: claims.Email,
-		User: claims.Email,
+		User: claims.Subject,
 		PreferredUsername: claims.PreferredUsername,
+		AccessToken: rawIDToken,
+		IDToken: rawIDToken,
+		RefreshToken: "",
+		ExpiresOn: &idToken.Expiry,
 	}
-	newSession.AccessToken = rawIDToken
-	newSession.IDToken = rawIDToken
-	newSession.RefreshToken = ""
-	newSession.ExpiresOn = &idToken.Expiry
-
 	return newSession, nil
 }
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go
index f65b8ac7..b5618750 100644
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@@ -4,12 +4,13 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"github.com/coreos/go-oidc"
-	"github.com/dgrijalva/jwt-go"
 	"net/url"
 	"testing"
 	"time"
+	"github.com/coreos/go-oidc"
+	"github.com/dgrijalva/jwt-go"
+	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
 	"github.com/stretchr/testify/assert"
 )
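Review bot: `User: claims.Subject` in CreateSessionStateFromBearerToken is not guarded against an empty `sub`; unless the verifier or the claims decoding above the hunk already enforces a non-empty subject (I cannot see that code), a token without one now yields an authenticated session whose User is "", which the oauthproxy_test.go hunks show is forwarded upstream as X-Forwarded-User / X-Auth-Request-User, where before the change User at least carried the token's email. Rejecting it before the struct literal keeps an unidentifiable session from reaching upstream: `if claims.Subject == "" { return nil, fmt.Errorf("id token has no sub claim") }` (fmt may need importing; the function's signature, claims decoding and earlier error returns are outside the hunk). The `AccessToken: rawIDToken` line also deserves a one-line comment such as `// bearer sessions have no separate access token; reuse the verified ID token` since the field name otherwise suggests a distinct OAuth access token. The function starts outside the hunk.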
@@ -71,7 +72,7 @@ func TestCreateSessionStateFromBearerToken(t *testing.T) {
 	key, _ := rsa.GenerateKey(rand.Reader, 2048)
 	rawIDToken, _ := jwt.NewWithClaims(jwt.SigningMethodRS256, minimalIDToken).SignedString(key)
-	idToken, err := verifier.Verify(context.Background(), rawIDToken)
+	idToken, _ := verifier.Verify(context.Background(), rawIDToken)
 	session, err := (*ProviderData)(nil).CreateSessionStateFromBearerToken(context.Background(), rawIDToken, idToken)