DO NOT MERGE: changes for testing introspection with access token tha…

…t aren't jwt tokens
tuunit · Oct 29, 2023 · b754ae5 · b754ae5
1 parent c0d01c3
commit b754ae5
Show file tree

Hide file tree

Showing 8 changed files with 78 additions and 14 deletions.
diff --git a/Makefile b/Makefile
@@ -49,7 +49,7 @@ DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD
 
 .PHONY: docker
 docker:
-	$(DOCKER_BUILDX_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX_X_PLATFORM) -t ghcr.io/tuunit/oauth2-proxy:v7.5.1-introspection .
 
 .PHONY: docker-all
 docker-all: docker
@@ -61,7 +61,7 @@ docker-all: docker
 
 .PHONY: docker-push
 docker-push:
-	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t ghcr.io/tuunit/oauth2-proxy:v7.5.1-introspection .
 
 .PHONY: docker-push-all
 docker-push-all: docker-push

diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml
@@ -37,6 +37,8 @@ services:
     hostname: httpbin
     networks:
       httpbin: {}
+    ports:
+      - 8080:80/tcp
 
   keycloak:
     container_name: keycloak

diff --git a/contrib/local-environment/keycloak/master-realm.json b/contrib/local-environment/keycloak/master-realm.json
@@ -509,7 +509,7 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "72341b6d-7065-4518-a0e4-50ee15025608",
       "redirectUris": [
-        "http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+        "http://localhost:4180/oauth2/callback"
       ],
       "webOrigins": [],
       "notBefore": 0,

diff --git a/contrib/local-environment/oauth2-proxy-keycloak.cfg b/contrib/local-environment/oauth2-proxy-keycloak.cfg
@@ -2,19 +2,19 @@ http_address="0.0.0.0:4180"
 cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 email_domains=["example.com"]
 cookie_secure="false"
-upstreams="http://httpbin"
-cookie_domains=[".localtest.me"] # Required so cookie can be read on all subdomains.
-whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
+upstreams="http://localhost:8080"
+cookie_domains=["*"] # Required so cookie can be read on all subdomains.
+whitelist_domains=["*"] # Required to allow redirection back to original requested target.
 
 # keycloak provider
 client_secret="72341b6d-7065-4518-a0e4-50ee15025608"
 client_id="oauth2-proxy"
-redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="http://localhost:4180/oauth2/callback"
 
 # in this case oauth2-proxy is going to visit
 # http://keycloak.localtest.me:9080/auth/realms/master/.well-known/openid-configuration for configuration
-oidc_issuer_url="http://keycloak.localtest.me:9080/auth/realms/master"
-provider="oidc"
+oidc_issuer_url="http://localhost:9080/auth/realms/master"
+provider="keycloak-oidc"
 provider_display_name="Keycloak"
 
 
diff --git a/contrib/local-environment/oauth2-proxy.cfg b/contrib/local-environment/oauth2-proxy.cfg
@@ -8,4 +8,4 @@ client_id="oauth2-proxy"
 cookie_secure="false"
 
 redirect_url="http://localhost:4180/oauth2/callback"
-upstreams="http://httpbin"
+upstreams="http://localhost:8080/"
diff --git a/pkg/providers/util/claim_extractor.go b/pkg/providers/util/claim_extractor.go
@@ -47,6 +47,15 @@ func NewClaimExtractor(ctx context.Context, idToken string, profileURL *url.URL,
 	}, nil
 }
 
+func NewAccessTokenClaimExtractor(ctx context.Context, payload *simplejson.Json, profileURL *url.URL, profileRequestHeaders http.Header) (ClaimExtractor, error) {
+	return &claimExtractor{
+		ctx:            ctx,
+		profileURL:     profileURL,
+		requestHeaders: profileRequestHeaders,
+		tokenClaims:    payload,
+	}, nil
+}
+
 // claimExtractor implements the ClaimExtractor interface
 type claimExtractor struct {
 	profileURL     *url.URL

diff --git a/providers/keycloak_oidc.go b/providers/keycloak_oidc.go
@@ -58,6 +58,20 @@ func (p *KeycloakOIDCProvider) CreateSessionFromToken(ctx context.Context, token
 	return ss, nil
 }
 
+func (p *KeycloakOIDCProvider) CreateSessionFromIntrospectedToken(ctx context.Context, token string) (*sessions.SessionState, error) {
+	ss, err := p.OIDCProvider.CreateSessionFromIntrospectedToken(ctx, token)
+	if err != nil {
+		return nil, fmt.Errorf("could not create session from token: %v", err)
+	}
+
+	// Extract custom keycloak roles and enrich session
+	if err := p.extractRoles(ctx, ss); err != nil {
+		return nil, err
+	}
+
+	return ss, nil
+}
+
 // EnrichSession is called after Redeem to allow providers to enrich session fields
 // such as User, Email, Groups with provider specific API calls.
 func (p *KeycloakOIDCProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {

diff --git a/providers/oidc.go b/providers/oidc.go
@@ -12,6 +12,7 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/util"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	"golang.org/x/oauth2"
 )
@@ -214,13 +215,51 @@ func (p *OIDCProvider) CreateSessionFromToken(ctx context.Context, token string)
 }
 
 // CreateSessionFromIntrospectedToken converts Bearer Tokens into sessions after valified using introspection endpoint
-func (p *OIDCProvider) CreateSessionFromIntrospectedToken(ctx context.Context, token string) (*sessions.SessionState, error) {
-
-	_, err := p.introspectToken(token)
+func (p *OIDCProvider) CreateSessionFromIntrospectedToken(ctx context.Context, accessToken string) (*sessions.SessionState, error) {
+	payload, err := p.introspectToken(accessToken)
 	if err != nil {
 		return nil, err
 	}
-	return p.CreateSessionFromToken(ctx, token)
+
+	extractor, err := util.NewAccessTokenClaimExtractor(context.TODO(), payload, p.ProfileURL, p.getAuthorizationHeader(accessToken))
+	if err != nil {
+		return nil, fmt.Errorf("could not initialise claim extractor: %v", err)
+	}
+
+	ss := &sessions.SessionState{AccessToken: accessToken}
+
+	for _, c := range []struct {
+		claim string
+		dst   interface{}
+	}{
+		{p.UserClaim, &ss.User},
+		{p.EmailClaim, &ss.Email},
+		{p.GroupsClaim, &ss.Groups},
+		// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
+		{"preferred_username", &ss.PreferredUsername},
+	} {
+		if _, err := extractor.GetClaimInto(c.claim, c.dst); err != nil {
+			return nil, err
+		}
+	}
+
+	// `email_verified` must be present and explicitly set to `false` to be
+	// considered unverified.
+	verifyEmail := (p.EmailClaim == options.OIDCEmailClaim) && !p.AllowUnverifiedEmail
+
+	if verifyEmail {
+		var verified bool
+		exists, err := extractor.GetClaimInto("email_verified", &verified)
+		if err != nil {
+			return nil, err
+		}
+
+		if exists && !verified {
+			return nil, fmt.Errorf("email in id_token (%s) isn't verified", ss.Email)
+		}
+	}
+
+	return ss, nil
 }
 
 // createSession takes an oauth2.Token and creates a SessionState from it.