Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Allow OIDC Bearer Tokens without emails
Browse files Browse the repository at this point in the history
This reverts to functionality before oauth2-proxy#499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before oauth2-proxy#499.
  • Loading branch information
Nick Meves committed Aug 11, 2020
1 parent 35ed7a3 commit 033461d
Show file tree
Hide file tree
Showing 3 changed files with 79 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
- [#718](https://github.com/oauth2-proxy/oauth2-proxy/pull/718) Allow Logging to stdout with separate Error Log Channel
- [#690](https://github.com/oauth2-proxy/oauth2-proxy/pull/690) Address GoSec security findings & remediate (@NickMeves)
- [#689](https://github.com/oauth2-proxy/oauth2-proxy/pull/689) Fix finicky logging_handler_test from time drift (@NickMeves)
- [#700](https://github.com/oauth2-proxy/oauth2-proxy/pull/700) Allow OIDC Bearer auth IDTokens to have empty email claim & profile URL (@NickMeves)
- [#699](https://github.com/oauth2-proxy/oauth2-proxy/pull/699) Align persistence ginkgo tests with conventions (@NickMeves)
- [#696](https://github.com/oauth2-proxy/oauth2-proxy/pull/696) Preserve query when building redirect
- [#561](https://github.com/oauth2-proxy/oauth2-proxy/pull/561) Refactor provider URLs to package level vars (@JoelSpeed)
Expand Down
4 changes: 2 additions & 2 deletions providers/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -231,7 +231,6 @@ func getOIDCHeader(accessToken string) http.Header {
}

func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.IDToken, accessToken string, profileURL string) (*OIDCClaims, error) {

claims := &OIDCClaims{}
// Extract default claims.
if err := idToken.Claims(&claims); err != nil {
Expand All @@ -250,7 +249,8 @@ func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.
// userID claim was not present or was empty in the ID Token
if claims.UserID == "" {
if profileURL == "" {
return nil, fmt.Errorf("id_token did not contain user ID claim (%q)", p.UserIDClaim)
claims.UserID = claims.Subject
return claims, nil
}

// If the userinfo endpoint profileURL is defined, then there is a chance the userinfo
Expand Down
76 changes: 76 additions & 0 deletions providers/oidc_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,22 @@ var defaultIDToken idTokenClaims = idTokenClaims{
},
}

var minimalIDToken idTokenClaims = idTokenClaims{
"",
"",
"",
"",
jwt.StandardClaims{
Audience: "https://test.myapp.com",
ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(),
Id: "id-some-id",
IssuedAt: time.Now().Unix(),
Issuer: "https://issuer.example.com",
NotBefore: 0,
Subject: "minimal",
},
}

type fakeKeySetStub struct{}

func (fakeKeySetStub) VerifySignature(_ context.Context, jwt string) (payload []byte, err error) {
Expand Down Expand Up @@ -253,6 +269,66 @@ func TestOIDCProviderRefreshSessionIfNeededWithIdToken(t *testing.T) {
assert.Equal(t, refreshToken, existingSession.RefreshToken)
}

func TestCreateSessionStateFromBearerToken(t *testing.T) {
const profileURLEmail = "janed@me.com"

testCases := map[string]struct {
IDToken idTokenClaims
ProfileURL bool
ExpectedEmail string
}{
"Default IDToken": {
IDToken: defaultIDToken,
ProfileURL: true,
ExpectedEmail: profileURLEmail,
},
"Minimal IDToken with no OIDC Profile URL": {
IDToken: minimalIDToken,
ProfileURL: false,
ExpectedEmail: "",
},
"Minimal IDToken with OIDC Profile URL": {
IDToken: minimalIDToken,
ProfileURL: true,
ExpectedEmail: profileURLEmail,
},
}
for testName, tc := range testCases {
t.Run(testName, func(t *testing.T) {
jsonResp := []byte(fmt.Sprintf(`{"email":"%s"}`, profileURLEmail))
server, provider := newTestSetup(jsonResp)
defer server.Close()
if !tc.ProfileURL {
provider.ProfileURL = &url.URL{}
}

rawIDToken, err := newSignedTestIDToken(tc.IDToken)
assert.NoError(t, err)

keyset := fakeKeySetStub{}
verifier := oidc.NewVerifier("https://issuer.example.com", keyset,
&oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true})

idToken, err := verifier.Verify(context.Background(), rawIDToken)
assert.NoError(t, err)

ss, err := provider.CreateSessionStateFromBearerToken(context.Background(), rawIDToken, idToken)
assert.NoError(t, err)

if tc.ExpectedEmail != "" {
assert.Equal(t, tc.ExpectedEmail, ss.Email)
assert.NotEqual(t, ss.Email, ss.User)
} else {
assert.Equal(t, tc.IDToken.Subject, ss.Email)
assert.Equal(t, ss.Email, ss.User)
}
assert.Equal(t, rawIDToken, ss.IDToken)
assert.Equal(t, rawIDToken, ss.AccessToken)
assert.Equal(t, "", ss.RefreshToken)
})
}
}

func TestOIDCProvider_findVerifiedIdToken(t *testing.T) {

server, provider := newTestSetup([]byte(""))
Expand Down

0 comments on commit 033461d

Please sign in to comment.