feature: static public keys file support for oidc provider

Co-authored-by: Jan Larwig <[email protected]>
Co-authored-by: JJ Łakis <[email protected]>

CHANGELOG.md

@@ -15,6 +15,7 @@
 - [#2821](https://github.com/oauth2-proxy/oauth2-proxy/pull/2821) feat: add CF-Connecting-IP as supported real ip header (@ondrejsika)
 - [#2620](https://github.com/oauth2-proxy/oauth2-proxy/pull/2620) fix: update code_verifier to use recommended method (@vishvananda)
 - [#2392](https://github.com/oauth2-proxy/oauth2-proxy/pull/2392) chore: extend test cases for oidc provider and documentation regarding implicit setting of the groups scope when no scope was specified in the config (@jjlakis / @tuunit)
+- [#2376](https://github.com/oauth2-proxy/oauth2-proxy/pull/2376) feat: static public keys file support for oidc provider (@axel7083 / @jjlakis)
 
 # V7.7.1
 

docs/docs/configuration/alpha_config.md

@@ -409,6 +409,7 @@ character.
 | `insecureSkipNonce` | _bool_ | InsecureSkipNonce skips verifying the ID Token's nonce claim that must match<br/>the random nonce sent in the initial OAuth flow. Otherwise, the nonce is checked<br/>after the initial OAuth redeem & subsequent token refreshes.<br/>default set to 'true'<br/>Warning: In a future release, this will change to 'false' by default for enhanced security. |
 | `skipDiscovery` | _bool_ | SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints<br/>default set to 'false' |
 | `jwksURL` | _string_ | JwksURL is the OpenID Connect JWKS URL<br/>eg: https://www.googleapis.com/oauth2/v3/certs |
+| `publicKeyFiles` | _[]string_ | PublicKeyFiles is a list of paths pointing to public key files in PEM format to use<br/>for verifying JWT tokens |
 | `emailClaim` | _string_ | EmailClaim indicates which claim contains the user email,<br/>default set to 'email' |
 | `groupsClaim` | _string_ | GroupsClaim indicates which claim contains the user groups<br/>default set to 'groups' |
 | `userIDClaim` | _string_ | UserIDClaim indicates which claim contains the user ID<br/>default set to 'email' |

docs/docs/configuration/overview.md

@@ -96,7 +96,8 @@ Provider specific options can be found on their respective subpages.
 | flag: `--oidc-extra-audience`<br/>toml: `oidc_extra_audiences`                                      | string \| list | additional audiences which are allowed to pass verification                                                                                                                                              | `"[]"`                |
 | flag: `--oidc-groups-claim`<br/>toml: `oidc_groups_claim`                                           | string         | which OIDC claim contains the user groups                                                                                                                                                                | `"groups"`            |
 | flag: `--oidc-issuer-url`<br/>toml: `oidc_issuer_url`                                               | string         | the OpenID Connect issuer URL, e.g. `"https://accounts.google.com"`                                                                                                                                      |                       |
-| flag: `--oidc-jwks-url`<br/>toml: `oidc_jwks_url`                                                   | string         | OIDC JWKS URI for token verification; required if OIDC discovery is disabled                                                                                                                             |                       |
+| flag: `--oidc-jwks-url`<br/>toml: `oidc_jwks_url`                                                   | string         | OIDC JWKS URI for token verification; required if OIDC discovery is disabled and public key files are not provided                                                                                       |                       |
+| flag: `--oidc-public-key-file`<br/>toml: `oidc_public_key_files`                                    | string         | Path to public key file in PEM format to use for verifying JWT tokens (may be given multiple times). Required if OIDC discovery is disabled na JWKS URL isn't provided                                   | string \| list        |
 | flag: `--profile-url`<br/>toml: `profile_url`                                                       | string         | Profile access endpoint                                                                                                                                                                                  |                       |
 | flag: `--prompt`<br/>toml: `prompt`                                                                 | string         | [OIDC prompt](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest); if present, `approval-prompt` is ignored                                                                               | `""`                  |
 | flag: `--provider-ca-file`<br/>toml: `provider_ca_files`                                            | string \| list | Paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.                                                           |

pkg/apis/options/legacy_options.go

@@ -521,6 +521,7 @@ type LegacyProvider struct {
 	OIDCGroupsClaim                    string   `flag:"oidc-groups-claim" cfg:"oidc_groups_claim"`
 	OIDCAudienceClaims                 []string `flag:"oidc-audience-claim" cfg:"oidc_audience_claims"`
 	OIDCExtraAudiences                 []string `flag:"oidc-extra-audience" cfg:"oidc_extra_audiences"`
+	OIDCPublicKeyFiles                 []string `flag:"oidc-public-key-file" cfg:"oidc_public_key_files"`
 	LoginURL                           string   `flag:"login-url" cfg:"login_url"`
 	RedeemURL                          string   `flag:"redeem-url" cfg:"redeem_url"`
 	ProfileURL                         string   `flag:"profile-url" cfg:"profile_url"`
@@ -579,6 +580,7 @@ func legacyProviderFlagSet() *pflag.FlagSet {
 	flagSet.String("oidc-email-claim", OIDCEmailClaim, "which OIDC claim contains the user's email")
 	flagSet.StringSlice("oidc-audience-claim", OIDCAudienceClaims, "which OIDC claims are used as audience to verify against client id")
 	flagSet.StringSlice("oidc-extra-audience", []string{}, "additional audiences allowed to pass audience verification")
+	flagSet.StringSlice("oidc-public-key-file", []string{}, "path to public key file in PEM format to use for verifying JWT tokens (may be given multiple times)")
 	flagSet.String("login-url", "", "Authentication endpoint")
 	flagSet.String("redeem-url", "", "Token redemption endpoint")
 	flagSet.String("profile-url", "", "Profile access endpoint")
@@ -695,6 +697,7 @@ func (l *LegacyProvider) convert() (Providers, error) {
 		GroupsClaim:                    l.OIDCGroupsClaim,
 		AudienceClaims:                 l.OIDCAudienceClaims,
 		ExtraAudiences:                 l.OIDCExtraAudiences,
+		PublicKeyFiles:                 l.OIDCPublicKeyFiles,
 	}
 
 	// Support for legacy configuration option

pkg/apis/options/providers.go

@@ -238,6 +238,9 @@ type OIDCOptions struct {
 	// JwksURL is the OpenID Connect JWKS URL
 	// eg: https://www.googleapis.com/oauth2/v3/certs
 	JwksURL string `json:"jwksURL,omitempty"`
+	// PublicKeyFiles is a list of paths pointing to public key files in PEM format to use
+	// for verifying JWT tokens
+	PublicKeyFiles []string `json:"publicKeyFiles,omitempty"`
 	// EmailClaim indicates which claim contains the user email,
 	// default set to 'email'
 	EmailClaim string `json:"emailClaim,omitempty"`

pkg/providers/oidc/provider_verifier.go

@@ -2,11 +2,14 @@ package oidc
 
 import (
 	"context"
+	"crypto"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"os"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	k8serrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
@@ -38,6 +41,10 @@ type ProviderVerifierOptions struct {
 	// eg: https://www.googleapis.com/oauth2/v3/certs
 	JWKsURL string
 
+	// PublicKeyFiles is a list of paths pointing to public key files in PEM format to use
+	// for verifying JWT tokens
+	PublicKeyFiles []string
+
 	// SkipDiscovery allows to skip OIDC discovery and use manually supplied Endpoints
 	SkipDiscovery bool
 
@@ -59,8 +66,12 @@ func (p ProviderVerifierOptions) validate() error {
 		errs = append(errs, errors.New("missing required setting: issuer-url"))
 	}
 
-	if p.SkipDiscovery && p.JWKsURL == "" {
-		errs = append(errs, errors.New("missing required setting: jwks-url"))
+	if p.SkipDiscovery && p.JWKsURL == "" && len(p.PublicKeyFiles) == 0 {
+		errs = append(errs, errors.New("missing required setting: jwks-url or public-key-files"))
+	}
+
+	if p.JWKsURL != "" && len(p.PublicKeyFiles) > 0 {
+		errs = append(errs, errors.New("mutually exclusive settings: jwks-url and public-key-files"))
 	}
 
 	if len(errs) > 0 {
@@ -91,12 +102,12 @@ func (p ProviderVerifierOptions) toOIDCConfig() *oidc.Config {
 // NewProviderVerifier constructs a ProviderVerifier from the options given.
 func NewProviderVerifier(ctx context.Context, opts ProviderVerifierOptions) (ProviderVerifier, error) {
 	if err := opts.validate(); err != nil {
-		return nil, fmt.Errorf("invalid provider verifier options: %v", err)
+		return nil, fmt.Errorf("invalid provider verifier options: %w", err)
 	}
 
 	verifierBuilder, provider, err := getVerifierBuilder(ctx, opts)
 	if err != nil {
-		return nil, fmt.Errorf("could not get verifier builder: %v", err)
+		return nil, fmt.Errorf("could not get verifier builder: %w", err)
 	}
 	verifier := NewVerifier(verifierBuilder(opts.toOIDCConfig()), opts.toVerificationOptions())
 
@@ -117,22 +128,78 @@ type verifierBuilder func(*oidc.Config) *oidc.IDTokenVerifier
 
 func getVerifierBuilder(ctx context.Context, opts ProviderVerifierOptions) (verifierBuilder, DiscoveryProvider, error) {
 	if opts.SkipDiscovery {
-		// Instead of discovering the JWKs URL, it needs to be specified in the opts already
-		return newVerifierBuilder(ctx, opts.IssuerURL, opts.JWKsURL, opts.SupportedSigningAlgs), nil, nil
+		var keySet oidc.KeySet
+		var err error
+
+		if opts.JWKsURL != "" {
+			keySet = oidc.NewRemoteKeySet(ctx, opts.JWKsURL)
+		} else {
+			keySet, err = newKeySetFromStatic(opts.PublicKeyFiles)
+			if err != nil {
+				return nil, nil, fmt.Errorf("error while parsing public keys: %w", err)
+			}
+		}
+		// Instead of discovering the JWKs URK, it needs to be specified in the opts already
+		return newVerifierBuilder(
+			opts.IssuerURL,
+			keySet,
+			opts.SupportedSigningAlgs,
+		), nil, nil
 	}
 
 	provider, err := NewProvider(ctx, opts.IssuerURL, opts.SkipIssuerVerification)
 	if err != nil {
-		return nil, nil, fmt.Errorf("error while discovery OIDC configuration: %v", err)
+		return nil, nil, fmt.Errorf("error while discovery OIDC configuration: %w", err)
+	}
+
+	return newVerifierBuilder(
+		opts.IssuerURL,
+		oidc.NewRemoteKeySet(ctx, provider.Endpoints().JWKsURL),
+		provider.SupportedSigningAlgs(),
+	), provider, nil
+}
+
+// GetPublicKeyFromBytes parses a PEM-encoded public key from a byte array
+// and returns a crypto.PublicKey object.
+func getPublicKeyFromBytes(bytes []byte) (crypto.PublicKey, error) {
+	block, _ := pem.Decode(bytes)
+	if block == nil {
+		return nil, fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+	publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse public key: %w", err)
 	}
-	verifierBuilder := newVerifierBuilder(ctx, opts.IssuerURL, provider.Endpoints().JWKsURL, provider.SupportedSigningAlgs())
-	return verifierBuilder, provider, nil
+
+	cryptoPublicKey, ok := publicKey.(crypto.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("failed to cast public key to crypto.PublicKey")
+	}
+
+	return cryptoPublicKey, nil
+}
+
+// newKeySetFromStatic create a StaticKeySet from a set of files
+func newKeySetFromStatic(keys []string) (*oidc.StaticKeySet, error) {
+	keySet := []crypto.PublicKey{}
+	for _, keyFile := range keys {
+		bytes, err := os.ReadFile(keyFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read file: %w", err)
+		}
+
+		publicKey, err := getPublicKeyFromBytes(bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create keys: %w", err)
+		}
+		keySet = append(keySet, publicKey)
+	}
+
+	return &oidc.StaticKeySet{PublicKeys: keySet}, nil
 }
 
 // newVerifierBuilder returns a function to create a IDToken verifier from an OIDC config.
-func newVerifierBuilder(ctx context.Context, issuerURL, jwksURL string, supportedSigningAlgs []string) verifierBuilder {
-	ctx = oidc.ClientContext(ctx, requests.DefaultHTTPClient)
-	keySet := oidc.NewRemoteKeySet(ctx, jwksURL)
+func newVerifierBuilder(issuerURL string, keySet oidc.KeySet, supportedSigningAlgs []string) verifierBuilder {
 	return func(oidcConfig *oidc.Config) *oidc.IDTokenVerifier {
 		if len(supportedSigningAlgs) > 0 {
 			oidcConfig.SupportedSigningAlgs = supportedSigningAlgs

pkg/providers/oidc/provider_verifier_test.go

@@ -2,6 +2,8 @@ package oidc
 
 import (
 	"context"
+	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -10,6 +12,39 @@ import (
 	. "github.com/onsi/gomega"
 )
 
+var tempDir string
+var invalidPublicKeyFilePath string
+var validPublicKeyFilePath string
+
+var _ = BeforeSuite(func() {
+	var err error
+
+	// Create a temporary directory and public key file
+	tempDir, err = os.MkdirTemp("/tmp", "provider-verifier-test")
+	Expect(err).ToNot(HaveOccurred())
+
+	invalidPublicKeyFilePath = filepath.Join(tempDir, "invalid.key")
+	validPublicKeyFilePath = filepath.Join(tempDir, "valid.key")
+
+	invalidKeyContents := []byte(`-----BEGIN INVALID KEY-----
+ThisIsNotAValidKey
+-----END INVALID KEY-----`)
+	err = os.WriteFile(invalidPublicKeyFilePath, invalidKeyContents, 0644)
+	Expect(err).ToNot(HaveOccurred())
+
+	validKeyContents := []byte(`-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALBJK+8qU+aQu2bHxJ8E95AIu2NINztM
+NmX9R2zI9xlXN8wGQG8kWLYoRLbyiZwY9kdzOBGvYci64wHIjtFswHcCAwEAAQ==
+-----END PUBLIC KEY-----`)
+	err = os.WriteFile(validPublicKeyFilePath, validKeyContents, 0644)
+	Expect(err).ToNot(HaveOccurred())
+})
+
+var _ = AfterSuite(func() {
+	// Clean up temporary directory
+	Expect(os.RemoveAll(tempDir)).To(Succeed())
+})
+
 var _ = Describe("ProviderVerifier", func() {
 	var m *mockoidc.MockOIDC
 
@@ -77,14 +112,42 @@ var _ = Describe("ProviderVerifier", func() {
 				p.SkipDiscovery = true
 				p.JWKsURL = ""
 			},
-			expectedError: "invalid provider verifier options: missing required setting: jwks-url",
+			expectedError: "invalid provider verifier options: missing required setting: jwks-url or public-key-files",
+		}),
+		Entry("with skip discovery, the JWKs URL not empty and len(PublicKeyFiles) is greater than 0", &newProviderVerifierTableInput{
+			modifyOpts: func(p *ProviderVerifierOptions) {
+				p.SkipDiscovery = true
+				p.JWKsURL = "notEmpty"
+				p.PublicKeyFiles = []string{"notEmpty"}
+			},
+			expectedError: "invalid provider verifier options: mutually exclusive settings: jwks-url and public-key-files",
 		}),
-		Entry("should be succesfful when skipping discovery with the JWKs URL specified", &newProviderVerifierTableInput{
+		Entry("should be successful when skipping discovery with the JWKs URL specified", &newProviderVerifierTableInput{
 			modifyOpts: func(p *ProviderVerifierOptions) {
 				p.SkipDiscovery = true
 				p.JWKsURL = m.JWKSEndpoint()
 			},
 		}),
+		Entry("should pass when the key is valid", &newProviderVerifierTableInput{
+			modifyOpts: func(p *ProviderVerifierOptions) {
+				p.SkipDiscovery = true
+				p.PublicKeyFiles = []string{validPublicKeyFilePath}
+			},
+		}),
+		Entry("should fail when the key is invalid", &newProviderVerifierTableInput{
+			modifyOpts: func(p *ProviderVerifierOptions) {
+				p.SkipDiscovery = true
+				p.PublicKeyFiles = []string{invalidPublicKeyFilePath}
+			},
+			expectedError: "could not get verifier builder: error while parsing public keys",
+		}),
+		Entry("should fail when the key file is not found", &newProviderVerifierTableInput{
+			modifyOpts: func(p *ProviderVerifierOptions) {
+				p.SkipDiscovery = true
+				p.PublicKeyFiles = []string{"non-existing"}
+			},
+			expectedError: "could not get verifier builder: error while parsing public keys: failed to read file",
+		}),
 	)
 
 	type verifierTableInput struct {

providers/providers.go

@@ -92,6 +92,7 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData,
 			ExtraAudiences:         providerConfig.OIDCConfig.ExtraAudiences,
 			IssuerURL:              providerConfig.OIDCConfig.IssuerURL,
 			JWKsURL:                providerConfig.OIDCConfig.JwksURL,
+			PublicKeyFiles:         providerConfig.OIDCConfig.PublicKeyFiles,
 			SkipDiscovery:          providerConfig.OIDCConfig.SkipDiscovery,
 			SkipIssuerVerification: providerConfig.OIDCConfig.InsecureSkipIssuerVerification,
 		})

providers/providers_test.go

@@ -86,7 +86,7 @@ func TestSkipOIDCDiscovery(t *testing.T) {
 	}
 
 	_, err := newProviderDataFromConfig(providerConfig)
-	g.Expect(err).To(MatchError("error building OIDC ProviderVerifier: invalid provider verifier options: missing required setting: jwks-url"))
+	g.Expect(err).To(MatchError("error building OIDC ProviderVerifier: invalid provider verifier options: missing required setting: jwks-url or public-key-files"))
 
 	providerConfig.LoginURL = msAuthURL
 	providerConfig.RedeemURL = msTokenURL