Skip client

CHANGELOG.md

@@ -23,7 +23,8 @@ FEATURES
 * added spelling code coverage to the ci build [#PR208](https://github.com/gambol99/keycloak-proxy/pull/208)
 * update the encryption to use aes gcm [#PR220](https://github.com/gambol99/keycloak-proxy/pull/220)
 * added the --enable-encrypted-token option to enable encrypting the access token:wq
-
+* added the --skip-client-id option to permit skipping the verification of the auduence against client in token [#PR236](https://github.com/gambol99/keycloak-proxy/pull/236)
+* updated the base image to apline 3.6 in commit [0fdebaf821](https://github.com/gambol99/keycloak-proxy/pull/236/commits/0fdebaf8215e9480896f01ec7ab2ef7caa242da1)
 
 BREAKING CHANGES:
 * the proxy no longer uses prefixes for resources, if you wish to use wildcard urls you need
@@ -33,6 +34,9 @@ BREAKING CHANGES:
 * changed option from log-requests -> enable-logging [#PR199](https://github.com/gambol99/keycloak-proxy/pull/199)
 * changed option from json-format -> enable-json-logging [#PR199](https://github.com/gambol99/keycloak-proxy/pull/199)
 
+MISC:
+* Switch to using a go-oidc [fork](https://github.com/gambol99/go-oidc/commit/2111f98a1397a35f1800f4c3c354a7abebbef75c) for now, until i get the various bit merged upstream
+
 #### **2.0.7**
 
 FIXES:

Dockerfile

@@ -1,8 +1,7 @@
-FROM alpine:3.5
+FROM alpine:3.6
 MAINTAINER Rohith <gambol99@gmail.com>
 
-RUN apk update && \
-    apk add ca-certificates
+RUN apk add ca-certificates --update
 
 ADD templates/ /opt/templates
 ADD bin/keycloak-proxy /opt/keycloak-proxy

Makefile

@@ -2,7 +2,7 @@ NAME=keycloak-proxy
 AUTHOR=gambol99
 AUTHOR_EMAIL=gambol99@gmail.com
 REGISTRY=quay.io
-GOVERSION ?= 1.8.1
+GOVERSION ?= 1.8.3
 ROOT_DIR=${PWD}
 HARDWARE=$(shell uname -m)
 GIT_SHA=$(shell git --no-pager describe --always --dirty)

doc.go

@@ -22,7 +22,7 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 var (
@@ -184,6 +184,8 @@ type Config struct {
 	TLSClientCertificate string `json:"tls-client-certificate" yaml:"tls-client-certificate" usage:"path to the client certificate for outbound connections in reverse and forwarding proxy modes"`
 	// SkipUpstreamTLSVerify skips the verification of any upstream tls
 	SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify" usage:"skip the verification of any upstream TLS"`
+	// SkipClientID indicates we don't need to check the client id of the token
+	SkipClientID bool `json:"skip-client-id" yaml:"skip-client-id" usage:"skip the check on the client token"`
 
 	// CorsOrigins is a list of origins permitted
 	CorsOrigins []string `json:"cors-origins" yaml:"cors-origins" usage:"origins to add to the CORE origins control (Access-Control-Allow-Origin)"`

forwarding.go

@@ -21,8 +21,8 @@ import (
 	"time"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/oidc"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/oidc"
 	"github.com/labstack/echo"
 )
 

handlers.go

@@ -30,7 +30,7 @@ import (
 	"time"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/oauth2"
+	"github.com/gambol99/go-oidc/oauth2"
 	"github.com/labstack/echo"
 )
 

middleware.go

@@ -24,7 +24,7 @@ import (
 
 	"github.com/PuerkitoBio/purell"
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 	"github.com/labstack/echo"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/unrolled/secure"
@@ -101,7 +101,7 @@ func (r *oauthProxy) metricsMiddleware() echo.MiddlewareFunc {
 		},
 		[]string{"code", "method"},
 	)
-	prometheus.MustRegisterOrGet(statusMetrics)
+	prometheus.MustRegister(statusMetrics)
 
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(cx echo.Context) error {
@@ -303,6 +303,7 @@ func (r *oauthProxy) admissionMiddleware(resource *Resource) echo.MiddlewareFunc
 
 			log.WithFields(log.Fields{
 				"access":   "permitted",
+				"client":   user.audience,
 				"email":    user.email,
 				"expires":  time.Until(user.expiresAt).String(),
 				"resource": resource.URL,

middleware_test.go

@@ -25,7 +25,7 @@ import (
 	"time"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 	"github.com/go-resty/resty"
 	"github.com/labstack/echo/middleware"
 	"github.com/stretchr/testify/assert"
@@ -78,6 +78,7 @@ func newFakeProxy(c *Config) *fakeProxy {
 	auth := newFakeAuthServer()
 	c.DiscoveryURL = auth.getLocation()
 	c.RevocationEndpoint = auth.getRevocationURL()
+	c.Verbose = false
 	proxy, err := newProxy(c)
 	if err != nil {
 		panic("failed to create fake proxy service, error: " + err.Error())

misc.go

@@ -23,7 +23,7 @@ import (
 	"time"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 	"github.com/labstack/echo"
 )
 

oauth.go

@@ -24,9 +24,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/oauth2"
-	"github.com/coreos/go-oidc/oidc"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/oauth2"
+	"github.com/gambol99/go-oidc/oidc"
 )
 
 // getOAuthClient returns a oauth2 client from the openid client

oauth_test.go

@@ -27,8 +27,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/oauth2"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/oauth2"
 	"github.com/labstack/echo"
 	"github.com/stretchr/testify/assert"
 )

server.go

@@ -34,7 +34,7 @@ import (
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/armon/go-proxyproto"
-	"github.com/coreos/go-oidc/oidc"
+	"github.com/gambol99/go-oidc/oidc"
 	"github.com/gambol99/goproxy"
 	"github.com/labstack/echo"
 	"github.com/labstack/echo/middleware"

server_test.go

@@ -28,7 +28,7 @@ import (
 	"time"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -226,6 +226,70 @@ func TestTokenEncryption(t *testing.T) {
 	newFakeProxy(c).RunTests(t, requests)
 }
 
+func TestSkipClientIDDisabled(t *testing.T) {
+	c := newFakeKeycloakConfig()
+	p := newFakeProxy(c)
+	// create two token, one with a bad client id
+	bad := newTestToken(p.idp.getLocation())
+	bad.merge(jose.Claims{"aud": "bad_client_id"})
+	badSigned, _ := p.idp.signToken(bad.claims)
+	// and the good
+	good := newTestToken(p.idp.getLocation())
+	goodSigned, _ := p.idp.signToken(good.claims)
+	requests := []fakeRequest{
+		{
+			URI:           "/auth_all/test",
+			RawToken:      goodSigned.Encode(),
+			ExpectedProxy: true,
+			ExpectedCode:  http.StatusOK,
+		},
+		{
+			URI:          "/auth_all/test",
+			RawToken:     badSigned.Encode(),
+			ExpectedCode: http.StatusForbidden,
+		},
+	}
+	p.RunTests(t, requests)
+}
+
+func TestSkipClientIDEnabled(t *testing.T) {
+	c := newFakeKeycloakConfig()
+	c.SkipClientID = true
+	p := newFakeProxy(c)
+	// create two token, one with a bad client id
+	bad := newTestToken(p.idp.getLocation())
+	bad.merge(jose.Claims{"aud": "bad_client_id"})
+	badSigned, _ := p.idp.signToken(bad.claims)
+	// and the good
+	good := newTestToken(p.idp.getLocation())
+	goodSigned, _ := p.idp.signToken(good.claims)
+	// bad issuer
+	badIssurer := newTestToken("http://someone_else")
+	badIssurer.merge(jose.Claims{"aud": "bad_client_id"})
+	badIssuerSigned, _ := p.idp.signToken(badIssurer.claims)
+
+	requests := []fakeRequest{
+		{
+			URI:           "/auth_all/test",
+			RawToken:      goodSigned.Encode(),
+			ExpectedProxy: true,
+			ExpectedCode:  http.StatusOK,
+		},
+		{
+			URI:           "/auth_all/test",
+			RawToken:      badSigned.Encode(),
+			ExpectedProxy: true,
+			ExpectedCode:  http.StatusOK,
+		},
+		{
+			URI:          "/auth_all/test",
+			RawToken:     badIssuerSigned.Encode(),
+			ExpectedCode: http.StatusForbidden,
+		},
+	}
+	p.RunTests(t, requests)
+}
+
 func newTestService() string {
 	_, _, u := newTestProxyService(nil)
 	return u

session.go

@@ -20,7 +20,7 @@ import (
 	"strings"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 // getIdentity retrieves the user identity from a request, either from a session cookie or a bearer token

stores.go

@@ -20,7 +20,7 @@ import (
 	"net/url"
 
 	log "github.com/Sirupsen/logrus"
-	"github.com/coreos/go-oidc/jose"
+	"github.com/gambol99/go-oidc/jose"
 )
 
 // createStorage creates the store client for use

user_context.go

@@ -20,8 +20,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-oidc/jose"
-	"github.com/coreos/go-oidc/oidc"
+	"github.com/gambol99/go-oidc/jose"
+	"github.com/gambol99/go-oidc/oidc"
 )
 
 // extractIdentity parse the jwt token and extracts the various elements is order to construct