Merge pull request #21 from ploxiln/oidc_skip_discovery

OIDC provider: add -skip-oidc-discovery option

README.md

@@ -182,12 +182,14 @@ For LinkedIn, the registration steps are:
 3. Fill in the remaining required fields and Save.
 4. Take note of the **Consumer Key / API Key** and **Consumer Secret / Secret Key**
 
+
 ### Microsoft Azure AD Provider
 
 For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/).
 
 Take note of your `TenantId` if applicable for your situation. The `TenantId` can be used to override the default `common` authorization server with a tenant specific server.
 
+
 ### OpenID Connect Provider
 
 OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many major providers and several open source projects. This provider was originally built against CoreOS Dex and we will use it as an example.
@@ -207,6 +209,28 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
 If you enable cookie-refresh, it should be set to the same duration as token lifetime
 (due to a limitation in `oauth2_proxy` - see [bitly/oauth2_proxy#620](https://github.com/bitly/oauth2_proxy/pull/620)).
 
+#### Skip OIDC discovery
+
+Some providers do not support OIDC discovery via their issuer URL, so oauth2_proxy cannot
+simply grab the authorization, token and jwks URI endpoints from the provider's metadata.
+
+In this case, you can set the `-skip-oidc-discovery` option, and supply those required endpoints manually:
+
+```
+    -provider oidc
+    -client-id oauth2_proxy
+    -client-secret proxy
+    -redirect-url http://127.0.0.1:4180/oauth2/callback
+    -oidc-issuer-url http://127.0.0.1:5556
+    -skip-oidc-discovery
+    -login-url http://127.0.0.1:5556/authorize
+    -redeem-url http://127.0.0.1:5556/token
+    -oidc-jwks-url http://127.0.0.1:5556/keys
+    -cookie-secure=false
+    -email-domain example.com
+```
+
+
 ### Discord Auth Provider
 
 1. Create a new Discord Application from <https://discordapp.com/developers/applications/>

main.go

@@ -71,7 +71,9 @@ func mainFlagSet() *flag.FlagSet {
 	flagSet.String("request-logging-format", defaultRequestLoggingFormat, "Template for log lines")
 
 	flagSet.String("provider", "google", "OAuth provider")
-	flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
+	flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (e.g. https://accounts.google.com)")
+	flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL for token verification (e.g. https://www.googleapis.com/oauth2/v3/certs)")
+	flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery (login-url, redeem-url and oidc-jwks-url must be configured)")
 	flagSet.String("login-url", "", "Authentication endpoint")
 	flagSet.String("redeem-url", "", "Token redemption endpoint")
 	flagSet.String("profile-url", "", "Profile access endpoint")

options.go

@@ -68,6 +68,8 @@ type Options struct {
 	// potential overrides.
 	Provider          string `flag:"provider" cfg:"provider"`
 	OIDCIssuerURL     string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"`
+	OIDCJwksURL       string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"`
+	SkipOIDCDiscovery bool   `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`
 	LoginURL          string `flag:"login-url" cfg:"login_url"`
 	RedeemURL         string `flag:"redeem-url" cfg:"redeem_url"`
 	ProfileURL        string `flag:"profile-url" cfg:"profile_url"`
@@ -265,10 +267,26 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 	case *providers.OIDCProvider:
 		if o.OIDCIssuerURL == "" {
 			msgs = append(msgs, "missing-setting: oidc-issuer-url")
+		}
+		if o.SkipOIDCDiscovery {
+			if o.LoginURL == "" {
+				msgs = append(msgs, "missing setting: login-url")
+			}
+			if o.RedeemURL == "" {
+				msgs = append(msgs, "missing setting: redeem-url")
+			}
+			if o.OIDCJwksURL == "" {
+				msgs = append(msgs, "missing setting: oidc-jwks-url")
+			}
+			if o.OIDCIssuerURL != "" && o.OIDCJwksURL != "" {
+				p.SetVerifier(o.OIDCIssuerURL, o.OIDCJwksURL)
+			}
 		} else {
-			err := p.SetIssuerURL(o.OIDCIssuerURL)
-			if err != nil {
-				msgs = append(msgs, err.Error())
+			if o.OIDCIssuerURL != "" {
+				err := p.SetIssuerURL(o.OIDCIssuerURL)
+				if err != nil {
+					msgs = append(msgs, err.Error())
+				}
 			}
 		}
 	}

options_test.go

@@ -269,3 +269,20 @@ func TestValidateCookieBadName(t *testing.T) {
 	assert.Equal(t, err.Error(), "Invalid configuration:\n"+
 		fmt.Sprintf("  invalid cookie name: %q", o.CookieName))
 }
+
+func TestSkipOIDCDiscovery(t *testing.T) {
+	o := testOptions()
+	o.Provider = "oidc"
+	o.OIDCIssuerURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/"
+	o.SkipOIDCDiscovery = true
+
+	err := o.Validate()
+	assert.Equal(t, "Invalid configuration:\n"+
+		fmt.Sprintf("  missing setting: login-url\n  missing setting: redeem-url\n  missing setting: oidc-jwks-url"), err.Error())
+
+	o.LoginURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_sign_in"
+	o.RedeemURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in"
+	o.OIDCJwksURL = "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys"
+
+	assert.Equal(t, nil, o.Validate())
+}

providers/oidc.go

@@ -44,6 +44,13 @@ func (p *OIDCProvider) SetIssuerURL(issuerURL string) error {
 	return nil
 }
 
+func (p *OIDCProvider) SetVerifier(issuerURL string, jwksURL string) {
+	keySet := oidc.NewRemoteKeySet(context.Background(), jwksURL)
+	p.Verifier = oidc.NewVerifier(issuerURL, keySet, &oidc.Config{
+		ClientID: p.ClientID,
+	})
+}
+
 func (p *OIDCProvider) Redeem(redirectURL, code string) (s *SessionState, err error) {
 	ctx := context.Background()
 	c := oauth2.Config{