bugfix: OIDCConfig based providers are not respecting flags and configs (#2299)
* add full support for all oidc config based providers to use and respect all configs set via OIDCConfig * add changelog entry --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Jan Larwig
GitHub
parent
0ddb5e7b61
commit
fc6e7fdbd1
|
|
@ -18,6 +18,7 @@
|
||||||
- [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs)
|
- [#1866](https://github.com/oauth2-proxy/oauth2-proxy/pull/1866) Add support for unix socker as upstream (@babs)
|
||||||
- [#1949](https://github.com/oauth2-proxy/oauth2-proxy/pull/1949) Allow cookie names with dots in redis sessions (@miguelborges99)
|
- [#1949](https://github.com/oauth2-proxy/oauth2-proxy/pull/1949) Allow cookie names with dots in redis sessions (@miguelborges99)
|
||||||
- [#2297](https://github.com/oauth2-proxy/oauth2-proxy/pull/2297) Add nightly build and push (@tuunit)
|
- [#2297](https://github.com/oauth2-proxy/oauth2-proxy/pull/2297) Add nightly build and push (@tuunit)
|
||||||
|
- [#2299](https://github.com/oauth2-proxy/oauth2-proxy/pull/2299) bugfix: OIDCConfig based providers are not respecting flags and configs (@tuunit)
|
||||||
- [#2248](https://github.com/oauth2-proxy/oauth2-proxy/pull/2248) Added support for semicolons in query strings.
|
- [#2248](https://github.com/oauth2-proxy/oauth2-proxy/pull/2248) Added support for semicolons in query strings.
|
||||||
|
|
||||||
# V7.5.1
|
# V7.5.1
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
// NewADFSProvider initiates a new ADFSProvider
|
// NewADFSProvider initiates a new ADFSProvider
|
||||||
func NewADFSProvider(p *ProviderData, opts options.ADFSOptions) *ADFSProvider {
|
func NewADFSProvider(p *ProviderData, opts options.Provider) *ADFSProvider {
|
||||||
p.setProviderDefaults(providerDefaults{
|
p.setProviderDefaults(providerDefaults{
|
||||||
name: adfsProviderName,
|
name: adfsProviderName,
|
||||||
scope: adfsDefaultScope,
|
scope: adfsDefaultScope,
|
||||||
|
|
@ -46,11 +46,11 @@ func NewADFSProvider(p *ProviderData, opts options.ADFSOptions) *ADFSProvider {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
oidcProvider := NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false})
|
oidcProvider := NewOIDCProvider(p, opts.OIDCConfig)
|
||||||
|
|
||||||
return &ADFSProvider{
|
return &ADFSProvider{
|
||||||
OIDCProvider: oidcProvider,
|
OIDCProvider: oidcProvider,
|
||||||
skipScope: opts.SkipScope,
|
skipScope: opts.ADFSConfig.SkipScope,
|
||||||
oidcEnrichFunc: oidcProvider.EnrichSession,
|
oidcEnrichFunc: oidcProvider.EnrichSession,
|
||||||
oidcRefreshFunc: oidcProvider.RefreshSession,
|
oidcRefreshFunc: oidcProvider.RefreshSession,
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -63,7 +63,7 @@ func testADFSProvider(hostname string) *ADFSProvider {
|
||||||
Scope: "",
|
Scope: "",
|
||||||
Verifier: o,
|
Verifier: o,
|
||||||
EmailClaim: options.OIDCEmailClaim,
|
EmailClaim: options.OIDCEmailClaim,
|
||||||
}, options.ADFSOptions{})
|
}, options.Provider{})
|
||||||
|
|
||||||
if hostname != "" {
|
if hostname != "" {
|
||||||
updateURL(p.Data().LoginURL, hostname)
|
updateURL(p.Data().LoginURL, hostname)
|
||||||
|
|
@ -134,12 +134,12 @@ var _ = Describe("ADFS Provider Tests", func() {
|
||||||
|
|
||||||
Context("New Provider Init", func() {
|
Context("New Provider Init", func() {
|
||||||
It("uses defaults", func() {
|
It("uses defaults", func() {
|
||||||
providerData := NewADFSProvider(&ProviderData{}, options.ADFSOptions{}).Data()
|
providerData := NewADFSProvider(&ProviderData{}, options.Provider{}).Data()
|
||||||
Expect(providerData.ProviderName).To(Equal("ADFS"))
|
Expect(providerData.ProviderName).To(Equal("ADFS"))
|
||||||
Expect(providerData.Scope).To(Equal(oidcDefaultScope))
|
Expect(providerData.Scope).To(Equal(oidcDefaultScope))
|
||||||
})
|
})
|
||||||
It("uses custom scope", func() {
|
It("uses custom scope", func() {
|
||||||
providerData := NewADFSProvider(&ProviderData{Scope: "openid email"}, options.ADFSOptions{}).Data()
|
providerData := NewADFSProvider(&ProviderData{Scope: "openid email"}, options.Provider{}).Data()
|
||||||
Expect(providerData.ProviderName).To(Equal("ADFS"))
|
Expect(providerData.ProviderName).To(Equal("ADFS"))
|
||||||
Expect(providerData.Scope).To(Equal("openid email"))
|
Expect(providerData.Scope).To(Equal("openid email"))
|
||||||
Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
|
Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
|
||||||
|
|
@ -172,7 +172,9 @@ var _ = Describe("ADFS Provider Tests", func() {
|
||||||
p := NewADFSProvider(&ProviderData{
|
p := NewADFSProvider(&ProviderData{
|
||||||
ProtectedResource: resource,
|
ProtectedResource: resource,
|
||||||
Scope: "",
|
Scope: "",
|
||||||
}, options.ADFSOptions{SkipScope: true})
|
}, options.Provider{
|
||||||
|
ADFSConfig: options.ADFSOptions{SkipScope: true},
|
||||||
|
})
|
||||||
|
|
||||||
result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})
|
result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})
|
||||||
Expect(result).NotTo(ContainSubstring("scope="))
|
Expect(result).NotTo(ContainSubstring("scope="))
|
||||||
|
|
@ -192,7 +194,7 @@ var _ = Describe("ADFS Provider Tests", func() {
|
||||||
p := NewADFSProvider(&ProviderData{
|
p := NewADFSProvider(&ProviderData{
|
||||||
ProtectedResource: resource,
|
ProtectedResource: resource,
|
||||||
Scope: in.scope,
|
Scope: in.scope,
|
||||||
}, options.ADFSOptions{})
|
}, options.Provider{})
|
||||||
|
|
||||||
Expect(p.Data().Scope).To(Equal(in.expectedScope))
|
Expect(p.Data().Scope).To(Equal(in.expectedScope))
|
||||||
result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})
|
result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ type GitLabProvider struct {
|
||||||
var _ Provider = (*GitLabProvider)(nil)
|
var _ Provider = (*GitLabProvider)(nil)
|
||||||
|
|
||||||
// NewGitLabProvider initiates a new GitLabProvider
|
// NewGitLabProvider initiates a new GitLabProvider
|
||||||
func NewGitLabProvider(p *ProviderData, opts options.GitLabOptions) (*GitLabProvider, error) {
|
func NewGitLabProvider(p *ProviderData, opts options.Provider) (*GitLabProvider, error) {
|
||||||
p.setProviderDefaults(providerDefaults{
|
p.setProviderDefaults(providerDefaults{
|
||||||
name: gitlabProviderName,
|
name: gitlabProviderName,
|
||||||
})
|
})
|
||||||
|
|
@ -40,15 +40,15 @@ func NewGitLabProvider(p *ProviderData, opts options.GitLabOptions) (*GitLabProv
|
||||||
p.Scope = gitlabDefaultScope
|
p.Scope = gitlabDefaultScope
|
||||||
}
|
}
|
||||||
|
|
||||||
oidcProvider := NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false})
|
oidcProvider := NewOIDCProvider(p, opts.OIDCConfig)
|
||||||
|
|
||||||
provider := &GitLabProvider{
|
provider := &GitLabProvider{
|
||||||
OIDCProvider: oidcProvider,
|
OIDCProvider: oidcProvider,
|
||||||
oidcRefreshFunc: oidcProvider.RefreshSession,
|
oidcRefreshFunc: oidcProvider.RefreshSession,
|
||||||
}
|
}
|
||||||
provider.setAllowedGroups(opts.Group)
|
provider.setAllowedGroups(opts.GitLabConfig.Group)
|
||||||
|
|
||||||
if err := provider.setAllowedProjects(opts.Projects); err != nil {
|
if err := provider.setAllowedProjects(opts.GitLabConfig.Projects); err != nil {
|
||||||
return nil, fmt.Errorf("could not configure allowed projects: %v", err)
|
return nil, fmt.Errorf("could not configure allowed projects: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,7 @@ import (
|
||||||
. "github.com/onsi/gomega"
|
. "github.com/onsi/gomega"
|
||||||
)
|
)
|
||||||
|
|
||||||
func testGitLabProvider(hostname, scope string, opts options.GitLabOptions) (*GitLabProvider, error) {
|
func testGitLabProvider(hostname, scope string, opts options.Provider) (*GitLabProvider, error) {
|
||||||
p, err := NewGitLabProvider(
|
p, err := NewGitLabProvider(
|
||||||
&ProviderData{
|
&ProviderData{
|
||||||
ProviderName: "",
|
ProviderName: "",
|
||||||
|
|
@ -162,7 +162,7 @@ var _ = Describe("Gitlab Provider Tests", func() {
|
||||||
bURL, err := url.Parse(b.URL)
|
bURL, err := url.Parse(b.URL)
|
||||||
Expect(err).To(BeNil())
|
Expect(err).To(BeNil())
|
||||||
|
|
||||||
p, err = testGitLabProvider(bURL.Host, "", options.GitLabOptions{})
|
p, err = testGitLabProvider(bURL.Host, "", options.Provider{})
|
||||||
Expect(err).ToNot(HaveOccurred())
|
Expect(err).ToNot(HaveOccurred())
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
@ -237,9 +237,11 @@ var _ = Describe("Gitlab Provider Tests", func() {
|
||||||
bURL, err := url.Parse(b.URL)
|
bURL, err := url.Parse(b.URL)
|
||||||
Expect(err).To(BeNil())
|
Expect(err).To(BeNil())
|
||||||
|
|
||||||
p, err := testGitLabProvider(bURL.Host, in.scope, options.GitLabOptions{
|
p, err := testGitLabProvider(bURL.Host, in.scope, options.Provider{
|
||||||
Group: in.allowedGroups,
|
GitLabConfig: options.GitLabOptions{
|
||||||
Projects: in.allowedProjects,
|
Group: in.allowedGroups,
|
||||||
|
Projects: in.allowedProjects,
|
||||||
|
},
|
||||||
})
|
})
|
||||||
if in.expectedError == nil {
|
if in.expectedError == nil {
|
||||||
Expect(err).To(BeNil())
|
Expect(err).To(BeNil())
|
||||||
|
|
|
||||||
|
|
@ -16,16 +16,16 @@ type KeycloakOIDCProvider struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewKeycloakOIDCProvider makes a KeycloakOIDCProvider using the ProviderData
|
// NewKeycloakOIDCProvider makes a KeycloakOIDCProvider using the ProviderData
|
||||||
func NewKeycloakOIDCProvider(p *ProviderData, opts options.KeycloakOptions) *KeycloakOIDCProvider {
|
func NewKeycloakOIDCProvider(p *ProviderData, opts options.Provider) *KeycloakOIDCProvider {
|
||||||
p.setProviderDefaults(providerDefaults{
|
p.setProviderDefaults(providerDefaults{
|
||||||
name: keycloakOIDCProviderName,
|
name: keycloakOIDCProviderName,
|
||||||
})
|
})
|
||||||
|
|
||||||
provider := &KeycloakOIDCProvider{
|
provider := &KeycloakOIDCProvider{
|
||||||
OIDCProvider: NewOIDCProvider(p, options.OIDCOptions{InsecureSkipNonce: false}),
|
OIDCProvider: NewOIDCProvider(p, opts.OIDCConfig),
|
||||||
}
|
}
|
||||||
|
|
||||||
provider.addAllowedRoles(opts.Roles)
|
provider.addAllowedRoles(opts.KeycloakConfig.Roles)
|
||||||
return provider
|
return provider
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -40,11 +40,11 @@ func getAccessToken() string {
|
||||||
|
|
||||||
func newTestKeycloakOIDCSetup() (*httptest.Server, *KeycloakOIDCProvider) {
|
func newTestKeycloakOIDCSetup() (*httptest.Server, *KeycloakOIDCProvider) {
|
||||||
redeemURL, server := newOIDCServer([]byte(fmt.Sprintf(`{"email": "new@thing.com", "expires_in": 300, "access_token": "%v"}`, getAccessToken())))
|
redeemURL, server := newOIDCServer([]byte(fmt.Sprintf(`{"email": "new@thing.com", "expires_in": 300, "access_token": "%v"}`, getAccessToken())))
|
||||||
provider := newKeycloakOIDCProvider(redeemURL, options.KeycloakOptions{})
|
provider := newKeycloakOIDCProvider(redeemURL, options.Provider{})
|
||||||
return server, provider
|
return server, provider
|
||||||
}
|
}
|
||||||
|
|
||||||
func newKeycloakOIDCProvider(serverURL *url.URL, opts options.KeycloakOptions) *KeycloakOIDCProvider {
|
func newKeycloakOIDCProvider(serverURL *url.URL, opts options.Provider) *KeycloakOIDCProvider {
|
||||||
verificationOptions := internaloidc.IDTokenVerificationOptions{
|
verificationOptions := internaloidc.IDTokenVerificationOptions{
|
||||||
AudienceClaims: []string{defaultAudienceClaim},
|
AudienceClaims: []string{defaultAudienceClaim},
|
||||||
ClientID: mockClientID,
|
ClientID: mockClientID,
|
||||||
|
|
@ -90,7 +90,7 @@ func newKeycloakOIDCProvider(serverURL *url.URL, opts options.KeycloakOptions) *
|
||||||
var _ = Describe("Keycloak OIDC Provider Tests", func() {
|
var _ = Describe("Keycloak OIDC Provider Tests", func() {
|
||||||
Context("New Provider Init", func() {
|
Context("New Provider Init", func() {
|
||||||
It("creates new keycloak oidc provider with expected defaults", func() {
|
It("creates new keycloak oidc provider with expected defaults", func() {
|
||||||
p := newKeycloakOIDCProvider(nil, options.KeycloakOptions{})
|
p := newKeycloakOIDCProvider(nil, options.Provider{})
|
||||||
providerData := p.Data()
|
providerData := p.Data()
|
||||||
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
|
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
|
||||||
Expect(providerData.LoginURL.String()).To(Equal("https://keycloak-oidc.com/oauth/auth"))
|
Expect(providerData.LoginURL.String()).To(Equal("https://keycloak-oidc.com/oauth/auth"))
|
||||||
|
|
@ -100,7 +100,7 @@ var _ = Describe("Keycloak OIDC Provider Tests", func() {
|
||||||
Expect(providerData.Scope).To(Equal(oidcDefaultScope))
|
Expect(providerData.Scope).To(Equal(oidcDefaultScope))
|
||||||
})
|
})
|
||||||
It("creates new keycloak oidc provider with custom scope", func() {
|
It("creates new keycloak oidc provider with custom scope", func() {
|
||||||
p := NewKeycloakOIDCProvider(&ProviderData{Scope: "openid email"}, options.KeycloakOptions{})
|
p := NewKeycloakOIDCProvider(&ProviderData{Scope: "openid email"}, options.Provider{})
|
||||||
providerData := p.Data()
|
providerData := p.Data()
|
||||||
|
|
||||||
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
|
Expect(providerData.ProviderName).To(Equal(keycloakOIDCProviderName))
|
||||||
|
|
@ -111,8 +111,10 @@ var _ = Describe("Keycloak OIDC Provider Tests", func() {
|
||||||
|
|
||||||
Context("Allowed Roles", func() {
|
Context("Allowed Roles", func() {
|
||||||
It("should prefix allowed roles and add them to groups", func() {
|
It("should prefix allowed roles and add them to groups", func() {
|
||||||
p := newKeycloakOIDCProvider(nil, options.KeycloakOptions{
|
p := newKeycloakOIDCProvider(nil, options.Provider{
|
||||||
Roles: []string{"admin", "editor"},
|
KeycloakConfig: options.KeycloakOptions{
|
||||||
|
Roles: []string{"admin", "editor"},
|
||||||
|
},
|
||||||
})
|
})
|
||||||
Expect(p.AllowedGroups).To(HaveKey("role:admin"))
|
Expect(p.AllowedGroups).To(HaveKey("role:admin"))
|
||||||
Expect(p.AllowedGroups).To(HaveKey("role:editor"))
|
Expect(p.AllowedGroups).To(HaveKey("role:editor"))
|
||||||
|
|
|
||||||
|
|
@ -38,7 +38,7 @@ func NewProvider(providerConfig options.Provider) (Provider, error) {
|
||||||
}
|
}
|
||||||
switch providerConfig.Type {
|
switch providerConfig.Type {
|
||||||
case options.ADFSProvider:
|
case options.ADFSProvider:
|
||||||
return NewADFSProvider(providerData, providerConfig.ADFSConfig), nil
|
return NewADFSProvider(providerData, providerConfig), nil
|
||||||
case options.AzureProvider:
|
case options.AzureProvider:
|
||||||
return NewAzureProvider(providerData, providerConfig.AzureConfig), nil
|
return NewAzureProvider(providerData, providerConfig.AzureConfig), nil
|
||||||
case options.BitbucketProvider:
|
case options.BitbucketProvider:
|
||||||
|
|
@ -50,13 +50,13 @@ func NewProvider(providerConfig options.Provider) (Provider, error) {
|
||||||
case options.GitHubProvider:
|
case options.GitHubProvider:
|
||||||
return NewGitHubProvider(providerData, providerConfig.GitHubConfig), nil
|
return NewGitHubProvider(providerData, providerConfig.GitHubConfig), nil
|
||||||
case options.GitLabProvider:
|
case options.GitLabProvider:
|
||||||
return NewGitLabProvider(providerData, providerConfig.GitLabConfig)
|
return NewGitLabProvider(providerData, providerConfig)
|
||||||
case options.GoogleProvider:
|
case options.GoogleProvider:
|
||||||
return NewGoogleProvider(providerData, providerConfig.GoogleConfig)
|
return NewGoogleProvider(providerData, providerConfig.GoogleConfig)
|
||||||
case options.KeycloakProvider:
|
case options.KeycloakProvider:
|
||||||
return NewKeycloakProvider(providerData, providerConfig.KeycloakConfig), nil
|
return NewKeycloakProvider(providerData, providerConfig.KeycloakConfig), nil
|
||||||
case options.KeycloakOIDCProvider:
|
case options.KeycloakOIDCProvider:
|
||||||
return NewKeycloakOIDCProvider(providerData, providerConfig.KeycloakConfig), nil
|
return NewKeycloakOIDCProvider(providerData, providerConfig), nil
|
||||||
case options.LinkedInProvider:
|
case options.LinkedInProvider:
|
||||||
return NewLinkedInProvider(providerData), nil
|
return NewLinkedInProvider(providerData), nil
|
||||||
case options.LoginGovProvider:
|
case options.LoginGovProvider:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue