2021-01-14 21:46:01 +00:00
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
2020-11-30 20:54:11 +00:00
// SPDX-License-Identifier: Apache-2.0
// Package upstreamoidc implements an abstraction of upstream OIDC provider interactions.
package upstreamoidc
import (
"context"
2021-09-28 15:51:01 +00:00
"encoding/json"
2021-08-12 17:00:18 +00:00
"fmt"
2021-10-22 21:32:26 +00:00
"io"
2020-11-30 20:54:11 +00:00
"net/http"
"net/url"
2021-10-22 21:32:26 +00:00
"strings"
2020-11-30 20:54:11 +00:00
2021-01-20 17:54:44 +00:00
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
2020-11-30 20:54:11 +00:00
"golang.org/x/oauth2"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2021-10-08 22:48:21 +00:00
"k8s.io/apimachinery/pkg/types"
2021-09-28 15:51:01 +00:00
"k8s.io/apimachinery/pkg/util/sets"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/internal/httputil/httperr"
2021-01-09 19:27:35 +00:00
"go.pinniped.dev/internal/oidc"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/internal/oidc/provider"
2021-01-14 21:46:01 +00:00
"go.pinniped.dev/internal/plog"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/pkg/oidcclient/nonce"
2020-11-30 23:02:03 +00:00
"go.pinniped.dev/pkg/oidcclient/oidctypes"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/pkg/oidcclient/pkce"
)
2021-01-09 19:27:35 +00:00
func New ( config * oauth2 . Config , provider * coreosoidc . Provider , client * http . Client ) provider . UpstreamOIDCIdentityProviderI {
2020-12-02 16:27:20 +00:00
return & ProviderConfig { Config : config , Provider : provider , Client : client }
2020-11-30 23:14:57 +00:00
}
2020-11-30 20:54:11 +00:00
// ProviderConfig holds the active configuration of an upstream OIDC provider.
type ProviderConfig struct {
2021-10-08 22:48:21 +00:00
Name string
ResourceUID types . UID
UsernameClaim string
GroupsClaim string
Config * oauth2 . Config
Client * http . Client
AllowPasswordGrant bool
AdditionalAuthcodeParams map [ string ] string
2021-10-22 21:32:26 +00:00
RevocationURL * url . URL // will commonly be nil: many providers do not offer this
2021-10-08 22:48:21 +00:00
Provider interface {
2021-01-09 19:27:35 +00:00
Verifier ( * coreosoidc . Config ) * coreosoidc . IDTokenVerifier
2021-09-28 15:29:20 +00:00
Claims ( v interface { } ) error
2021-01-09 19:27:35 +00:00
UserInfo ( ctx context . Context , tokenSource oauth2 . TokenSource ) ( * coreosoidc . UserInfo , error )
2020-11-30 20:54:11 +00:00
}
}
2021-10-13 19:31:20 +00:00
var _ provider . UpstreamOIDCIdentityProviderI = ( * ProviderConfig ) ( nil )
2021-10-08 22:48:21 +00:00
func ( p * ProviderConfig ) GetResourceUID ( ) types . UID {
return p . ResourceUID
}
2021-10-22 21:32:26 +00:00
func ( p * ProviderConfig ) GetRevocationURL ( ) * url . URL {
return p . RevocationURL
}
2021-10-08 22:48:21 +00:00
func ( p * ProviderConfig ) GetAdditionalAuthcodeParams ( ) map [ string ] string {
return p . AdditionalAuthcodeParams
}
2020-11-30 20:54:11 +00:00
func ( p * ProviderConfig ) GetName ( ) string {
return p . Name
}
func ( p * ProviderConfig ) GetClientID ( ) string {
return p . Config . ClientID
}
func ( p * ProviderConfig ) GetAuthorizationURL ( ) * url . URL {
result , _ := url . Parse ( p . Config . Endpoint . AuthURL )
return result
}
func ( p * ProviderConfig ) GetScopes ( ) [ ] string {
return p . Config . Scopes
}
func ( p * ProviderConfig ) GetUsernameClaim ( ) string {
return p . UsernameClaim
}
func ( p * ProviderConfig ) GetGroupsClaim ( ) string {
return p . GroupsClaim
}
2021-08-12 17:00:18 +00:00
func ( p * ProviderConfig ) AllowsPasswordGrant ( ) bool {
return p . AllowPasswordGrant
}
func ( p * ProviderConfig ) PasswordCredentialsGrantAndValidateTokens ( ctx context . Context , username , password string ) ( * oidctypes . Token , error ) {
// Disallow this grant when requested.
if ! p . AllowPasswordGrant {
2021-08-16 21:27:40 +00:00
return nil , fmt . Errorf ( "resource owner password credentials grant is not allowed for this upstream provider according to its configuration" )
2021-08-12 17:00:18 +00:00
}
// Note that this implicitly uses the scopes from p.Config.Scopes.
tok , err := p . Config . PasswordCredentialsToken (
coreosoidc . ClientContext ( ctx , p . Client ) ,
username ,
password ,
)
if err != nil {
return nil , err
}
// There is no nonce to validate for a resource owner password credentials grant because it skips using
// the authorize endpoint and goes straight to the token endpoint.
2021-08-17 20:14:09 +00:00
const skipNonceValidation nonce . Nonce = ""
2021-08-12 17:00:18 +00:00
return p . ValidateToken ( ctx , tok , skipNonceValidation )
}
2020-12-04 21:33:36 +00:00
func ( p * ProviderConfig ) ExchangeAuthcodeAndValidateTokens ( ctx context . Context , authcode string , pkceCodeVerifier pkce . Code , expectedIDTokenNonce nonce . Nonce , redirectURI string ) ( * oidctypes . Token , error ) {
2020-12-02 16:36:07 +00:00
tok , err := p . Config . Exchange (
2021-01-09 19:27:35 +00:00
coreosoidc . ClientContext ( ctx , p . Client ) ,
2020-12-02 16:36:07 +00:00
authcode ,
pkceCodeVerifier . Verifier ( ) ,
oauth2 . SetAuthURLParam ( "redirect_uri" , redirectURI ) ,
)
2020-11-30 20:54:11 +00:00
if err != nil {
2020-12-04 21:33:36 +00:00
return nil , err
2020-11-30 20:54:11 +00:00
}
2020-11-30 23:08:27 +00:00
return p . ValidateToken ( ctx , tok , expectedIDTokenNonce )
}
2021-10-13 19:31:20 +00:00
func ( p * ProviderConfig ) PerformRefresh ( ctx context . Context , refreshToken string ) ( * oauth2 . Token , error ) {
2021-10-13 21:05:00 +00:00
// Use the provided HTTP client to benefit from its CA, proxy, and other settings.
httpClientContext := coreosoidc . ClientContext ( ctx , p . Client )
2021-10-13 19:31:20 +00:00
// Create a TokenSource without an access token, so it thinks that a refresh is immediately required.
// Then ask it for the tokens to cause it to perform the refresh and return the results.
2021-10-13 21:05:00 +00:00
return p . Config . TokenSource ( httpClientContext , & oauth2 . Token { RefreshToken : refreshToken } ) . Token ( )
2021-10-13 19:31:20 +00:00
}
2021-12-03 21:44:24 +00:00
// RevokeToken will attempt to revoke the given token, if the provider has a revocation endpoint.
2021-12-08 22:29:25 +00:00
// It may return an error wrapped by a RetryableRevocationError, which is an error indicating that it may
// be worth trying to revoke the same token again later. Any other error returned should be assumed to
// represent an error such that it is not worth retrying revocation later, even though revocation failed.
2021-12-03 21:44:24 +00:00
func ( p * ProviderConfig ) RevokeToken ( ctx context . Context , token string , tokenType provider . RevocableTokenType ) error {
2021-10-22 21:32:26 +00:00
if p . RevocationURL == nil {
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken() was called but upstream provider has no available revocation endpoint" ,
"providerName" , p . Name ,
"tokenType" , tokenType ,
)
2021-10-22 21:32:26 +00:00
return nil
}
// First try using client auth in the request params.
2021-12-03 21:44:24 +00:00
tryAnotherClientAuthMethod , err := p . tryRevokeToken ( ctx , token , tokenType , false )
2021-10-22 21:32:26 +00:00
if tryAnotherClientAuthMethod {
// Try again using basic auth this time. Overwrite the first client auth error,
// which isn't useful anymore when retrying.
2021-12-03 21:44:24 +00:00
_ , err = p . tryRevokeToken ( ctx , token , tokenType , true )
2021-10-22 21:32:26 +00:00
}
return err
}
2021-12-03 21:44:24 +00:00
// tryRevokeToken will call the revocation endpoint using either basic auth or by including
2021-10-22 21:32:26 +00:00
// client auth in the request params. It will return an error when the request failed. If the
// request failed for a reason that might be due to bad client auth, then it will return true
// for the tryAnotherClientAuthMethod return value, indicating that it might be worth trying
// again using the other client auth method.
// RFC 7009 defines how to make a revocation request and how to interpret the response.
// See https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 for details.
2021-12-03 21:44:24 +00:00
func ( p * ProviderConfig ) tryRevokeToken (
2021-10-22 21:32:26 +00:00
ctx context . Context ,
2021-12-03 21:44:24 +00:00
token string ,
tokenType provider . RevocableTokenType ,
2021-10-22 21:32:26 +00:00
useBasicAuth bool ,
) ( tryAnotherClientAuthMethod bool , err error ) {
clientID := p . Config . ClientID
clientSecret := p . Config . ClientSecret
// Use the provided HTTP client to benefit from its CA, proxy, and other settings.
httpClient := p . Client
params := url . Values {
2021-12-03 21:44:24 +00:00
"token" : [ ] string { token } ,
"token_type_hint" : [ ] string { string ( tokenType ) } ,
2021-10-22 21:32:26 +00:00
}
if ! useBasicAuth {
params [ "client_id" ] = [ ] string { clientID }
params [ "client_secret" ] = [ ] string { clientSecret }
}
req , err := http . NewRequestWithContext ( ctx , http . MethodPost , p . RevocationURL . String ( ) , strings . NewReader ( params . Encode ( ) ) )
if err != nil {
// This shouldn't really happen since we already know that the method and URL are legal.
return false , err
}
req . Header . Set ( "Content-Type" , "application/x-www-form-urlencoded" )
if useBasicAuth {
req . SetBasicAuth ( clientID , clientSecret )
}
resp , err := httpClient . Do ( req )
if err != nil {
// Couldn't connect to the server or some similar error.
2021-12-08 22:29:25 +00:00
// Could be a temporary network problem, so it might be worth retrying.
return false , provider . NewRetryableRevocationError ( err )
2021-10-22 21:32:26 +00:00
}
defer resp . Body . Close ( )
2021-12-08 22:29:25 +00:00
status := resp . StatusCode
switch {
case status == http . StatusOK :
2021-10-22 21:32:26 +00:00
// Success!
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken() got 200 OK response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth )
2021-10-22 21:32:26 +00:00
return false , nil
2021-12-08 22:29:25 +00:00
case status == http . StatusBadRequest :
2021-10-22 21:32:26 +00:00
// Bad request might be due to bad client auth method. Try to detect that.
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken() got 400 Bad Request response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth )
2021-10-22 21:32:26 +00:00
body , err := io . ReadAll ( resp . Body )
if err != nil {
return false ,
2021-12-08 22:29:25 +00:00
fmt . Errorf ( "error reading response body on response with status code %d: %w" , status , err )
2021-10-22 21:32:26 +00:00
}
var parsedResp struct {
ErrorType string ` json:"error" `
ErrorDescription string ` json:"error_description" `
}
bodyStr := strings . TrimSpace ( string ( body ) ) // trimmed for logging purposes
err = json . Unmarshal ( body , & parsedResp )
if err != nil {
return false ,
2021-12-08 22:29:25 +00:00
fmt . Errorf ( "error parsing response body %q on response with status code %d: %w" , bodyStr , status , err )
2021-10-22 21:32:26 +00:00
}
2021-12-08 22:29:25 +00:00
err = fmt . Errorf ( "server responded with status %d with body: %s" , status , bodyStr )
2021-10-22 21:32:26 +00:00
if parsedResp . ErrorType != "invalid_client" {
2021-12-08 22:29:25 +00:00
// Got an error unrelated to client auth, so not worth trying client auth again. Also, these are errors
// of the type where the server is pretty conclusively rejecting our request, so they are generally
// not worth trying again later either.
// These errors could be any of the other errors from https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
// or "unsupported_token_type" from https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
// or could be some unspecified custom error added by the OIDC provider.
2021-10-22 21:32:26 +00:00
return false , err
}
// Got an "invalid_client" response, which might mean client auth failed, so it may be worth trying again
// using another client auth method. See https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken()'s 400 Bad Request response from provider's revocation endpoint was type 'invalid_client'" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth )
2021-10-22 21:32:26 +00:00
return true , err
2021-12-08 22:29:25 +00:00
case status >= 500 && status <= 599 :
// The spec says 503 Service Unavailable should be retried by the client later.
// See https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1.
// Other forms of 5xx server errors are not particularly conclusive failures. For example, gateway errors could
// be caused by an underlying problem which could potentially become resolved in the near future. We'll be
// optimistic and call all 5xx errors retryable.
plog . Trace ( "RevokeToken() got unexpected error response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth , "statusCode" , status )
return false , provider . NewRetryableRevocationError ( fmt . Errorf ( "server responded with status %d" , status ) )
2021-10-22 21:32:26 +00:00
default :
2021-12-08 22:29:25 +00:00
// Any other error is probably not due to failed client auth, and is probably not worth retrying later.
plog . Trace ( "RevokeToken() got unexpected error response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth , "statusCode" , status )
return false , fmt . Errorf ( "server responded with status %d" , status )
2021-10-22 21:32:26 +00:00
}
}
2021-10-13 19:31:20 +00:00
// ValidateToken will validate the ID token. It will also merge the claims from the userinfo endpoint response,
// if the provider offers the userinfo endpoint.
2020-12-04 21:33:36 +00:00
func ( p * ProviderConfig ) ValidateToken ( ctx context . Context , tok * oauth2 . Token , expectedIDTokenNonce nonce . Nonce ) ( * oidctypes . Token , error ) {
2020-11-30 20:54:11 +00:00
idTok , hasIDTok := tok . Extra ( "id_token" ) . ( string )
if ! hasIDTok {
2020-12-04 21:33:36 +00:00
return nil , httperr . New ( http . StatusBadRequest , "received response missing ID token" )
2020-11-30 20:54:11 +00:00
}
2021-01-09 19:27:35 +00:00
validated , err := p . Provider . Verifier ( & coreosoidc . Config { ClientID : p . GetClientID ( ) } ) . Verify ( coreosoidc . ClientContext ( ctx , p . Client ) , idTok )
2020-11-30 20:54:11 +00:00
if err != nil {
2020-12-04 21:33:36 +00:00
return nil , httperr . Wrap ( http . StatusBadRequest , "received invalid ID token" , err )
2020-11-30 20:54:11 +00:00
}
if validated . AccessTokenHash != "" {
if err := validated . VerifyAccessToken ( tok . AccessToken ) ; err != nil {
2020-12-04 21:33:36 +00:00
return nil , httperr . Wrap ( http . StatusBadRequest , "received invalid ID token" , err )
2020-11-30 20:54:11 +00:00
}
}
if expectedIDTokenNonce != "" {
if err := expectedIDTokenNonce . Validate ( validated ) ; err != nil {
2020-12-04 21:33:36 +00:00
return nil , httperr . Wrap ( http . StatusBadRequest , "received ID token with invalid nonce" , err )
2020-11-30 20:54:11 +00:00
}
}
var validatedClaims map [ string ] interface { }
if err := validated . Claims ( & validatedClaims ) ; err != nil {
2021-01-09 19:27:35 +00:00
return nil , httperr . Wrap ( http . StatusInternalServerError , "could not unmarshal id token claims" , err )
}
2021-09-28 15:51:01 +00:00
maybeLogClaims ( "claims from ID token" , p . Name , validatedClaims )
2021-01-09 19:27:35 +00:00
2021-10-13 19:31:20 +00:00
if err := p . maybeFetchUserInfoAndMergeClaims ( ctx , tok , validatedClaims ) ; err != nil {
2021-01-09 19:27:35 +00:00
return nil , httperr . Wrap ( http . StatusInternalServerError , "could not fetch user info claims" , err )
2020-11-30 20:54:11 +00:00
}
2020-12-04 21:33:36 +00:00
return & oidctypes . Token {
2020-11-30 23:02:03 +00:00
AccessToken : & oidctypes . AccessToken {
2020-11-30 20:54:11 +00:00
Token : tok . AccessToken ,
Type : tok . TokenType ,
Expiry : metav1 . NewTime ( tok . Expiry ) ,
} ,
2020-11-30 23:02:03 +00:00
RefreshToken : & oidctypes . RefreshToken {
2020-11-30 20:54:11 +00:00
Token : tok . RefreshToken ,
} ,
2020-11-30 23:02:03 +00:00
IDToken : & oidctypes . IDToken {
2020-11-30 20:54:11 +00:00
Token : idTok ,
Expiry : metav1 . NewTime ( validated . Expiry ) ,
2020-12-04 21:33:36 +00:00
Claims : validatedClaims ,
2020-11-30 20:54:11 +00:00
} ,
2020-12-04 21:33:36 +00:00
} , nil
2020-11-30 20:54:11 +00:00
}
2021-01-09 19:27:35 +00:00
2021-10-13 19:31:20 +00:00
func ( p * ProviderConfig ) maybeFetchUserInfoAndMergeClaims ( ctx context . Context , tok * oauth2 . Token , claims map [ string ] interface { } ) error {
2021-01-09 19:27:35 +00:00
idTokenSubject , _ := claims [ oidc . IDTokenSubjectClaim ] . ( string )
if len ( idTokenSubject ) == 0 {
return nil // defer to existing ID token validation
}
2021-09-28 15:29:20 +00:00
providerJSON := & struct {
UserInfoURL string ` json:"userinfo_endpoint" `
} { }
if err := p . Provider . Claims ( providerJSON ) ; err != nil {
// this should never happen because we should have already parsed these claims at an earlier stage
return httperr . Wrap ( http . StatusInternalServerError , "could not unmarshal discovery JSON" , err )
}
// implementing the user info endpoint is not required, skip this logic when it is absent
if len ( providerJSON . UserInfoURL ) == 0 {
return nil
}
2021-01-09 19:27:35 +00:00
userInfo , err := p . Provider . UserInfo ( coreosoidc . ClientContext ( ctx , p . Client ) , oauth2 . StaticTokenSource ( tok ) )
if err != nil {
return httperr . Wrap ( http . StatusInternalServerError , "could not get user info" , err )
}
// The sub (subject) Claim MUST always be returned in the UserInfo Response.
//
// NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not
// guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in
// the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match,
// the UserInfo Response values MUST NOT be used.
//
// http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
if len ( userInfo . Subject ) == 0 || userInfo . Subject != idTokenSubject {
return httperr . Newf ( http . StatusUnprocessableEntity , "userinfo 'sub' claim (%s) did not match id_token 'sub' claim (%s)" , userInfo . Subject , idTokenSubject )
}
// merge existing claims with user info claims
if err := userInfo . Claims ( & claims ) ; err != nil {
return httperr . Wrap ( http . StatusInternalServerError , "could not unmarshal user info claims" , err )
}
2021-09-28 15:51:01 +00:00
maybeLogClaims ( "claims from ID token and userinfo" , p . Name , claims )
2021-01-09 19:27:35 +00:00
return nil
}
2021-09-28 15:51:01 +00:00
func maybeLogClaims ( msg , name string , claims map [ string ] interface { } ) {
if plog . Enabled ( plog . LevelAll ) { // log keys and values at all level
data , _ := json . Marshal ( claims ) // nothing we can do if it fails, but it really never should
plog . Info ( msg , "providerName" , name , "claims" , string ( data ) )
return
}
if plog . Enabled ( plog . LevelDebug ) { // log keys at debug level
keys := sets . StringKeySet ( claims ) . List ( ) // note: this is only safe because the compiler asserts that claims is a map[string]<anything>
plog . Info ( msg , "providerName" , name , "keys" , keys )
return
}
}