2020-11-13 17:31:39 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package callback provides a handler for the OIDC callback endpoint.
|
|
|
|
package callback
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
2020-11-16 22:07:34 +00:00
|
|
|
"net/url"
|
2020-11-13 23:59:51 +00:00
|
|
|
"path"
|
2020-11-19 01:15:01 +00:00
|
|
|
"time"
|
2020-11-13 17:31:39 +00:00
|
|
|
|
2020-11-18 21:38:13 +00:00
|
|
|
"github.com/ory/fosite"
|
2020-11-19 01:15:01 +00:00
|
|
|
"github.com/ory/fosite/handler/openid"
|
|
|
|
"github.com/ory/fosite/token/jwt"
|
2020-11-18 21:38:13 +00:00
|
|
|
|
2020-11-13 17:31:39 +00:00
|
|
|
"go.pinniped.dev/internal/httputil/httperr"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
2020-11-16 16:47:49 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/csrftoken"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2020-11-16 19:41:00 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
2020-11-13 17:31:39 +00:00
|
|
|
)
|
|
|
|
|
2020-11-19 16:08:21 +00:00
|
|
|
const (
|
|
|
|
// defaultUpstreamUsernameClaim is what we will use to extract the username from an upstream OIDC
|
|
|
|
// ID token if the upstream OIDC IDP did not tell us to use another claim.
|
|
|
|
defaultUpstreamUsernameClaim = "sub"
|
|
|
|
|
|
|
|
// downstreamGroupsClaim is what we will use to encode the groups in the downstream OIDC ID token
|
|
|
|
// information.
|
2020-11-19 19:19:01 +00:00
|
|
|
downstreamGroupsClaim = "groups"
|
2020-11-19 16:08:21 +00:00
|
|
|
)
|
|
|
|
|
2020-11-19 16:35:23 +00:00
|
|
|
func NewHandler(
|
|
|
|
downstreamIssuer string,
|
|
|
|
idpListGetter oidc.IDPListGetter,
|
|
|
|
oauthHelper fosite.OAuth2Provider,
|
|
|
|
stateDecoder, cookieDecoder oidc.Decoder,
|
|
|
|
) http.Handler {
|
2020-11-13 17:31:39 +00:00
|
|
|
return httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
|
2020-11-16 22:07:34 +00:00
|
|
|
state, err := validateRequest(r, stateDecoder, cookieDecoder)
|
|
|
|
if err != nil {
|
2020-11-16 16:47:49 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-11-19 01:15:01 +00:00
|
|
|
upstreamIDPConfig := findUpstreamIDPConfig(r, idpListGetter)
|
|
|
|
if upstreamIDPConfig == nil {
|
2020-11-16 19:41:00 +00:00
|
|
|
plog.Warning("upstream provider not found")
|
2020-11-13 23:59:51 +00:00
|
|
|
return httperr.New(http.StatusUnprocessableEntity, "upstream provider not found")
|
|
|
|
}
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
downstreamAuthParams, err := url.ParseQuery(state.AuthParams)
|
|
|
|
if err != nil {
|
2020-11-19 19:19:01 +00:00
|
|
|
plog.Error("error reading state downstream auth params", err)
|
2020-11-19 13:51:23 +00:00
|
|
|
return httperr.New(http.StatusBadRequest, "error reading state downstream auth params")
|
2020-11-16 22:07:34 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 01:15:01 +00:00
|
|
|
// Recreate enough of the original authorize request so we can pass it to NewAuthorizeRequest().
|
|
|
|
reconstitutedAuthRequest := &http.Request{Form: downstreamAuthParams}
|
|
|
|
authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest)
|
|
|
|
if err != nil {
|
2020-11-19 19:19:01 +00:00
|
|
|
plog.Error("error using state downstream auth params", err)
|
2020-11-19 13:51:23 +00:00
|
|
|
return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
|
2020-11-19 01:15:01 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 14:28:56 +00:00
|
|
|
// Grant the openid scope only if it was requested.
|
|
|
|
grantOpenIDScopeIfRequested(authorizeRequester)
|
2020-11-19 01:15:01 +00:00
|
|
|
|
|
|
|
_, idTokenClaims, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
|
|
|
|
r.Context(),
|
2020-11-19 16:53:53 +00:00
|
|
|
authcode(r),
|
2020-11-19 15:20:46 +00:00
|
|
|
state.PKCECode,
|
|
|
|
state.Nonce,
|
2020-11-16 22:07:34 +00:00
|
|
|
)
|
2020-11-19 01:15:01 +00:00
|
|
|
if err != nil {
|
2020-11-19 19:19:01 +00:00
|
|
|
plog.WarningErr("error exchanging and validating upstream tokens", err, "upstreamName", upstreamIDPConfig.GetName())
|
2020-11-19 14:00:41 +00:00
|
|
|
return httperr.New(http.StatusBadGateway, "error exchanging and validating upstream tokens")
|
2020-11-19 01:15:01 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 19:19:01 +00:00
|
|
|
username, err := getUsernameFromUpstreamIDToken(upstreamIDPConfig, idTokenClaims)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2020-11-19 16:08:21 +00:00
|
|
|
}
|
2020-11-19 01:15:01 +00:00
|
|
|
|
2020-11-19 20:53:21 +00:00
|
|
|
groups, err := getGroupsFromUpstreamIDToken(upstreamIDPConfig, idTokenClaims)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-11-19 19:19:01 +00:00
|
|
|
openIDSession := makeDownstreamSession(downstreamIssuer, downstreamAuthParams.Get("client_id"), username, groups)
|
|
|
|
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
|
2020-11-19 01:15:01 +00:00
|
|
|
if err != nil {
|
|
|
|
panic(err) // TODO
|
|
|
|
}
|
|
|
|
|
|
|
|
oauthHelper.WriteAuthorizeResponse(w, authorizeRequester, authorizeResponder)
|
2020-11-16 22:07:34 +00:00
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
return nil
|
2020-11-13 17:31:39 +00:00
|
|
|
})
|
|
|
|
}
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-11-19 16:53:53 +00:00
|
|
|
func authcode(r *http.Request) string {
|
|
|
|
return r.FormValue("code")
|
|
|
|
}
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
func validateRequest(r *http.Request, stateDecoder, cookieDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
|
2020-11-16 19:41:00 +00:00
|
|
|
if r.Method != http.MethodGet {
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
csrfValue, err := readCSRFCookie(r, cookieDecoder)
|
|
|
|
if err != nil {
|
|
|
|
plog.InfoErr("error reading CSRF cookie", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, err
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 16:53:53 +00:00
|
|
|
if authcode(r) == "" {
|
2020-11-16 19:41:00 +00:00
|
|
|
plog.Info("code param not found")
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.New(http.StatusBadRequest, "code param not found")
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if r.FormValue("state") == "" {
|
|
|
|
plog.Info("state param not found")
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.New(http.StatusBadRequest, "state param not found")
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
state, err := readState(r, stateDecoder)
|
|
|
|
if err != nil {
|
|
|
|
plog.InfoErr("error reading state", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, err
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if state.CSRFToken != csrfValue {
|
|
|
|
plog.InfoErr("CSRF value does not match", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.Wrap(http.StatusForbidden, "CSRF value does not match", err)
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
return state, nil
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 01:15:01 +00:00
|
|
|
func findUpstreamIDPConfig(r *http.Request, idpListGetter oidc.IDPListGetter) provider.UpstreamOIDCIdentityProviderI {
|
2020-11-13 23:59:51 +00:00
|
|
|
_, lastPathComponent := path.Split(r.URL.Path)
|
|
|
|
for _, p := range idpListGetter.GetIDPList() {
|
2020-11-18 21:38:13 +00:00
|
|
|
if p.GetName() == lastPathComponent {
|
2020-11-19 01:15:01 +00:00
|
|
|
return p
|
2020-11-13 23:59:51 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2020-11-16 16:47:49 +00:00
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
func readCSRFCookie(r *http.Request, cookieDecoder oidc.Decoder) (csrftoken.CSRFToken, error) {
|
2020-11-16 16:47:49 +00:00
|
|
|
receivedCSRFCookie, err := r.Cookie(oidc.CSRFCookieName)
|
|
|
|
if err != nil {
|
|
|
|
// Error means that the cookie was not found
|
2020-11-16 19:41:00 +00:00
|
|
|
return "", httperr.Wrap(http.StatusForbidden, "CSRF cookie is missing", err)
|
2020-11-16 16:47:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var csrfFromCookie csrftoken.CSRFToken
|
|
|
|
err = cookieDecoder.Decode(oidc.CSRFCookieEncodingName, receivedCSRFCookie.Value, &csrfFromCookie)
|
|
|
|
if err != nil {
|
2020-11-16 19:41:00 +00:00
|
|
|
return "", httperr.Wrap(http.StatusForbidden, "error reading CSRF cookie", err)
|
2020-11-16 16:47:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return csrfFromCookie, nil
|
|
|
|
}
|
2020-11-16 19:41:00 +00:00
|
|
|
|
|
|
|
func readState(r *http.Request, stateDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
|
|
|
|
var state oidc.UpstreamStateParamData
|
|
|
|
if err := stateDecoder.Decode(
|
|
|
|
oidc.UpstreamStateParamEncodingName,
|
|
|
|
r.FormValue("state"),
|
|
|
|
&state,
|
|
|
|
); err != nil {
|
|
|
|
return nil, httperr.New(http.StatusBadRequest, "error reading state")
|
|
|
|
}
|
|
|
|
|
|
|
|
if state.FormatVersion != oidc.UpstreamStateParamFormatVersion {
|
|
|
|
return nil, httperr.New(http.StatusUnprocessableEntity, "state format version is invalid")
|
|
|
|
}
|
|
|
|
|
|
|
|
return &state, nil
|
|
|
|
}
|
2020-11-19 14:28:56 +00:00
|
|
|
|
|
|
|
func grantOpenIDScopeIfRequested(authorizeRequester fosite.AuthorizeRequester) {
|
|
|
|
for _, scope := range authorizeRequester.GetRequestedScopes() {
|
|
|
|
if scope == "openid" {
|
|
|
|
authorizeRequester.GrantScope(scope)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-11-19 19:19:01 +00:00
|
|
|
|
|
|
|
func getUsernameFromUpstreamIDToken(
|
|
|
|
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
|
|
|
idTokenClaims map[string]interface{},
|
|
|
|
) (string, error) {
|
|
|
|
usernameClaim := upstreamIDPConfig.GetUsernameClaim()
|
|
|
|
if usernameClaim == "" {
|
|
|
|
// TODO: if we use the default "sub" claim, maybe we should create the username with the issuer
|
|
|
|
// since the spec says the "sub" claim is only unique per issuer.
|
|
|
|
usernameClaim = defaultUpstreamUsernameClaim
|
|
|
|
}
|
|
|
|
|
|
|
|
usernameAsInterface, ok := idTokenClaims[usernameClaim]
|
|
|
|
if !ok {
|
|
|
|
plog.Warning(
|
|
|
|
"no username claim in upstream ID token",
|
|
|
|
"upstreamName", upstreamIDPConfig.GetName(),
|
|
|
|
"configuredUsernameClaim", upstreamIDPConfig.GetUsernameClaim(),
|
|
|
|
"usernameClaim", usernameClaim,
|
|
|
|
)
|
|
|
|
return "", httperr.New(http.StatusUnprocessableEntity, "no username claim in upstream ID token")
|
|
|
|
}
|
|
|
|
|
|
|
|
username, ok := usernameAsInterface.(string)
|
|
|
|
if !ok {
|
2020-11-19 20:53:21 +00:00
|
|
|
plog.Warning(
|
|
|
|
"username claim in upstream ID token has invalid format",
|
|
|
|
"upstreamName", upstreamIDPConfig.GetName(),
|
|
|
|
"configuredUsernameClaim", upstreamIDPConfig.GetUsernameClaim(),
|
|
|
|
"usernameClaim", usernameClaim,
|
|
|
|
)
|
|
|
|
return "", httperr.New(http.StatusUnprocessableEntity, "username claim in upstream ID token has invalid format")
|
2020-11-19 19:19:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return username, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func getGroupsFromUpstreamIDToken(
|
|
|
|
upstreamIDPConfig provider.UpstreamOIDCIdentityProviderI,
|
|
|
|
idTokenClaims map[string]interface{},
|
2020-11-19 20:53:21 +00:00
|
|
|
) ([]string, error) {
|
2020-11-19 19:19:01 +00:00
|
|
|
groupsClaim := upstreamIDPConfig.GetGroupsClaim()
|
|
|
|
if groupsClaim == "" {
|
2020-11-19 20:53:21 +00:00
|
|
|
return nil, nil
|
2020-11-19 19:19:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
groupsAsInterface, ok := idTokenClaims[groupsClaim]
|
|
|
|
if !ok {
|
2020-11-19 20:53:21 +00:00
|
|
|
plog.Warning(
|
|
|
|
"no groups claim in upstream ID token",
|
|
|
|
"upstreamName", upstreamIDPConfig.GetName(),
|
|
|
|
"configuredGroupsClaim", upstreamIDPConfig.GetGroupsClaim(),
|
|
|
|
"groupsClaim", groupsClaim,
|
|
|
|
)
|
|
|
|
return nil, httperr.New(http.StatusUnprocessableEntity, "no groups claim in upstream ID token")
|
2020-11-19 19:19:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
groups, ok := groupsAsInterface.([]string)
|
|
|
|
if !ok {
|
2020-11-19 20:53:21 +00:00
|
|
|
plog.Warning(
|
|
|
|
"groups claim in upstream ID token has invalid format",
|
|
|
|
"upstreamName", upstreamIDPConfig.GetName(),
|
|
|
|
"configuredGroupsClaim", upstreamIDPConfig.GetGroupsClaim(),
|
|
|
|
"groupsClaim", groupsClaim,
|
|
|
|
)
|
|
|
|
return nil, httperr.New(http.StatusUnprocessableEntity, "groups claim in upstream ID token has invalid format")
|
2020-11-19 19:19:01 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 20:53:21 +00:00
|
|
|
return groups, nil
|
2020-11-19 19:19:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func makeDownstreamSession(issuer, clientID, username string, groups []string) *openid.DefaultSession {
|
|
|
|
now := time.Now()
|
|
|
|
openIDSession := &openid.DefaultSession{
|
|
|
|
Claims: &jwt.IDTokenClaims{
|
|
|
|
Issuer: issuer,
|
|
|
|
Subject: username,
|
|
|
|
Audience: []string{clientID},
|
|
|
|
ExpiresAt: now.Add(time.Minute * 30), // TODO use the right value here
|
|
|
|
IssuedAt: now, // TODO test this
|
|
|
|
RequestedAt: now, // TODO test this
|
|
|
|
AuthTime: now, // TODO test this
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if groups != nil {
|
|
|
|
openIDSession.Claims.Extra = map[string]interface{}{
|
|
|
|
downstreamGroupsClaim: groups,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return openIDSession
|
|
|
|
}
|