feat: do not use long-lived session cookies by default

Updated: Changed deprecated labels

.github/PULL_REQUEST_TEMPLATE.md

@@ -16,4 +16,4 @@ Please select relevant options:
 - [ ] I have added tests that prove my fix is effective or that my feature works
 - [ ] I have checked my code and corrected any misspellings
 
-Reviewer: @nmeisenzahl 
+Reviewer: @stiviik 

Dockerfile

@@ -1,5 +1,5 @@
 # Builder
-FROM golang:alpine as builder
+FROM golang:alpine AS builder
 WORKDIR /app
 
 # Install git + SSL ca certificates.
@@ -31,7 +31,7 @@ RUN go mod download
 RUN go mod verify
 
 # Build the binary.
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
+RUN CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
 
 # Runner
 FROM scratch
@@ -52,10 +52,10 @@ USER appuser:appuser
 ARG BUILD_DATE
 ARG VCS_REF
 
-# Good docker practice, plus we get microbadger badges
+# Good docker practice
-LABEL org.label-schema.build-date=$BUILD_DATE \
+LABEL org.opencontainers.image.created=$BUILD_DATE \
-      org.label-schema.vcs-url="https://github.com/StiviiK/oidc-forward-auth.git" \
+      org.opencontainers.image.authors="StiviiK" \
-      org.label-schema.vcs-ref=$VCS_REF \
+      org.opencontainers.image.source="https://code.thetadev.de/ThetaDev/oidc-forward-auth" \
-      org.label-schema.schema-version="1.0"
+      org.opencontainers.image.revision=$VCS_REF
 
 ENTRYPOINT ["/go/bin/oidc-forward-auth"]

README.md

@@ -12,6 +12,8 @@ Configuration is currently only via environmnet variables supported:
 |CLIENT_SECRET|string|OIDC Client Secret (required)|CLIENT_SECRET|
 |AUTH_DOMAIN|string|Central auth domain (required)|auth.example.com|
 |COOKIE_DOMAIN|string|Root domain(s) of protected host(s) (required)|example.com|
+|PORT|string|Port on which the Application is running on|4181|
+|REDIRECT_URL|string|Redirect URL|/auth/resp|
 
 
 # Usage

go.mod

@@ -1,14 +1,25 @@
 module github.com/StiviiK/keycloak-traefik-forward-auth
 
-go 1.14
+go 1.24
+
+toolchain go1.24.2
 
 require (
 	github.com/caarlos0/env v3.5.0+incompatible
-	github.com/coreos/go-oidc v2.2.1+incompatible
+	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/google/uuid v1.1.1
+	github.com/google/uuid v1.6.0
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
+	github.com/sirupsen/logrus v1.9.3
-	github.com/sirupsen/logrus v1.6.0
+	golang.org/x/oauth2 v0.30.0
-	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 // indirect
+)
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+require (
+	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
+	github.com/pzentenoe/go-cache v1.0.0 // indirect
+)
+
+require (
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/tg123/go-htpasswd v1.2.4
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 )

go.sum

@@ -1,37 +1,38 @@
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
+github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
 github.com/caarlos0/env v3.5.0+incompatible h1:Yy0UN8o9Wtr/jGHZDpCBLpNrzcFLLM2yixi/rBrKyJs=
 github.com/caarlos0/env v3.5.0+incompatible/go.mod h1:tdCsowwCzMLdkqRYDlHpZCp2UooDD3MspDBjZ2AD02Y=
-github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
+github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
+github.com/pzentenoe/go-cache v1.0.0 h1:6jHsrh4CGKSBBmvNrEDn+EN9cJd4qOqLsHb7xWWEPBM=
-github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/pzentenoe/go-cache v1.0.0/go.mod h1:1JaNc73+p1tmcbNJwK55vtPR40h0hIoqqjlnhBZevBw=
-github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
+github.com/tg123/go-htpasswd v1.2.4/go.mod h1:EKThQok9xHkun6NBMynNv6Jmu24A33XdZzzl4Q7H1+0=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
-gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

main.go

@@ -66,10 +66,6 @@ func checkOptions(options *options.Options) error {
 		return errors.New("Required arg AUTH_DOMAIN is not set")
 	}
 
-	if options.Port == 0 {
-		return errors.New("Required arg BIND_ADRESS is not set")
-	}
-
 	if options.ClientID == "" {
 		return errors.New("Required arg CLIENT_ID is not set")
 	}
@@ -82,9 +78,5 @@ func checkOptions(options *options.Options) error {
 		return errors.New("Required arg ISSUER is not set")
 	}
 
-	if options.RedirectURL == "" {
-		return errors.New("Required arg REDIRECT_URL is not set")
-	}
-
 	return nil
 }

pkg/forwardauth/auth.go

@@ -6,7 +6,6 @@ package forwardauth
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"net/http"
 	"strings"
@@ -18,7 +17,7 @@ import (
 type AuthenticatationResult struct {
 	IDToken       string
 	RefreshToken  string
-	IDTokenClaims *json.RawMessage
+	IDTokenClaims *Claims
 }
 
 func (fw *ForwardAuth) HandleAuthentication(ctx context.Context, logger *logrus.Entry, state string, code string) (*AuthenticatationResult, error) {
@@ -45,15 +44,22 @@ func (fw *ForwardAuth) IsAuthenticated(context context.Context, logger *logrus.E
 	var claims Claims
 	logger = logger.WithField("FunctionSource", "IsAuthenticated")
 
-	// Check if we have an Auth cookie
+	// Check if we have a session cookie
-	cookie, err := fw.GetAuthCookie(r)
+	cookie, err := fw.GetSessionCookie(r, options)
 	if err != nil {
 		logger.Error(err.Error())
 		return &claims, err
 	}
 
+	sessionId := cookie.Value
+	session := fw.SessionCache.Get(sessionId)
+	if session == nil {
+		err = errors.New("session not found")
+		return &claims, err
+	}
+
 	// check if the token is valid
-	idToken, err := fw.OidcVefifier.Verify(context, cookie.Value)
+	idToken, err := fw.OidcVefifier.Verify(context, session.IDToken)
 
 	switch {
 	case err == nil: // Token is valid
@@ -66,42 +72,24 @@ func (fw *ForwardAuth) IsAuthenticated(context context.Context, logger *logrus.E
 		}
 
 		return &claims, nil
-
-		// Todo: Updating the cookies does sadly not work here
 	case strings.Contains(err.Error(), "expired"): // Token is expired
 		logger.Info("Received expired token, trying to refesh it.")
 
-		refreshCookie, err := fw.GetRefreshAuthCookie(r)
+		result, err := fw.RefreshToken(context, session.RefreshToken)
 		if err != nil {
+			fw.SessionCache.Delete(sessionId)
 			logger.Error(err.Error())
 			return &claims, err
 		}
 
-		result, err := fw.RefreshToken(context, refreshCookie.Value)
+		newSession := SessionCacheItem{IDToken: result.IDToken, RefreshToken: result.RefreshToken}
-		if err != nil {
+		fw.SessionCache.Update(sessionId, &newSession)
-			logger.Error(err.Error())
-			return &claims, err
-		}
 
-		http.SetCookie(w, fw.MakeAuthCookie(options, result))
+		return result.IDTokenClaims, nil
-		if len(result.RefreshToken) > 0 { // Do we have an refresh token?
-			http.SetCookie(w, fw.MakeRefreshAuthCookie(options, result))
-		}
 
-		err = json.Unmarshal(*result.IDTokenClaims, &claims)
+	default: // Other error
-		if err != nil {
+		fw.SessionCache.Delete(sessionId)
-			logger.Error(err.Error())
-			return &claims, err
-		}
-
-		return &claims, nil
-
-	case err != nil: // Other error
 		logger.Error(err.Error())
 		return &claims, err
-
-	default:
-		logger.Error("default case, should not happen")
-		return &claims, errors.New("default case")
 	}
 }

pkg/forwardauth/cookies.go

@@ -26,15 +26,15 @@ func getBaseCookie(options *options.Options) *http.Cookie {
 
 func (fw *ForwardAuth) MakeCSRFCookie(w http.ResponseWriter, r *http.Request, options *options.Options, state string) *http.Cookie {
 	cookie := getBaseCookie(options)
-	cookie.Name = "__auth_csrf"
+	cookie.Name = options.CookiePrefix + "csrf"
 	cookie.Value = fmt.Sprintf("%s|%s", fw.GetReturnUri(r), state)
 	cookie.Expires = time.Now().Local().Add(time.Hour)
 
 	return cookie
 }
 
-func (fw *ForwardAuth) ValidateCSRFCookie(r *http.Request) (state string, redirect string, error error) {
+func (fw *ForwardAuth) ValidateCSRFCookie(r *http.Request, options *options.Options) (state string, redirect string, error error) {
-	csrfCookie, err := r.Cookie("__auth_csrf")
+	csrfCookie, err := r.Cookie(options.CookiePrefix + "csrf")
 	if err != nil {
 		return "", "", errors.New("Missing csrf cookie")
 	}
@@ -58,49 +58,30 @@ func (fw *ForwardAuth) ValidateCSRFCookie(r *http.Request) (state string, redire
 
 func (fw *ForwardAuth) ClearCSRFCookie(options *options.Options) *http.Cookie {
 	cookie := getBaseCookie(options)
-	cookie.Name = "__auth_csrf"
+	cookie.Name = options.CookiePrefix + "csrf"
 	cookie.Expires = time.Now().Local().Add(time.Hour * -1)
 
 	return cookie
 }
 
-func (fw *ForwardAuth) MakeAuthCookie(options *options.Options, authResult *AuthenticatationResult) *http.Cookie {
+func (fw *ForwardAuth) MakeSessionCookie(options *options.Options, sessionId string) *http.Cookie {
 	cookie := getBaseCookie(options)
-	cookie.Name = "__auth"
+	cookie.Name = options.CookiePrefix + "session"
-	cookie.Value = authResult.IDToken
+	cookie.Value = sessionId
-	cookie.Expires = time.Now().Local().Add(time.Hour * 24)
+	if options.SessionLifetime > 0 {
+		cookie.Expires = time.Now().Local().Add(time.Hour * time.Duration(options.SessionLifetime))
+	}
 
 	return cookie
 }
 
-func (fw *ForwardAuth) GetAuthCookie(r *http.Request) (*http.Cookie, error) {
+func (fw *ForwardAuth) GetSessionCookie(r *http.Request, options *options.Options) (*http.Cookie, error) {
-	return r.Cookie("__auth")
+	return r.Cookie(options.CookiePrefix + "session")
 }
 
-func (fw *ForwardAuth) ClearAuthCookie(options *options.Options) *http.Cookie {
+func (fw *ForwardAuth) ClearSessionCookie(options *options.Options) *http.Cookie {
 	cookie := getBaseCookie(options)
-	cookie.Name = "__auth"
+	cookie.Name = options.CookiePrefix + "session"
-	cookie.Expires = time.Now().Local().Add(time.Hour * -1)
-
-	return cookie
-}
-
-func (fw *ForwardAuth) MakeRefreshAuthCookie(options *options.Options, authResult *AuthenticatationResult) *http.Cookie {
-	cookie := getBaseCookie(options)
-	cookie.Name = "__auth_refresh"
-	cookie.Value = authResult.RefreshToken
-	cookie.Expires = time.Now().Local().Add(time.Hour * 24)
-
-	return cookie
-}
-
-func (fw *ForwardAuth) GetRefreshAuthCookie(r *http.Request) (*http.Cookie, error) {
-	return r.Cookie("__auth_refresh")
-}
-
-func (fw *ForwardAuth) ClearRefreshAuthCookie(options *options.Options) *http.Cookie {
-	cookie := getBaseCookie(options)
-	cookie.Name = "__auth_refresh"
 	cookie.Expires = time.Now().Local().Add(time.Hour * -1)
 
 	return cookie

pkg/forwardauth/forwardauth.go

@@ -7,10 +7,11 @@ package forwardauth
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
 )
 
@@ -19,6 +20,7 @@ type ForwardAuth struct {
 	OidcProvider *oidc.Provider
 	OAuth2Config oauth2.Config
 	OidcVefifier *oidc.IDTokenVerifier
+	SessionCache SessionCache
 }
 
 // Claims represents the claims struct which we get from the identity provider
@@ -28,14 +30,15 @@ type Claims struct {
 	IssuedAt   utils.Time `json:"iat"`
 	Expiration utils.Time `json:"exp"`
 
-	Name             string `json:"name"`
+	Name             string   `json:"name"`
-	GivenName        string `json:"given_name"`
+	GivenName        string   `json:"given_name"`
-	FamilyName       string `json:"family_name"`
+	FamilyName       string   `json:"family_name"`
-	Email            string `json:"email"`
+	Email            string   `json:"email"`
-	VerifiedMail     bool   `json:"email_verified"`
+	VerifiedMail     bool     `json:"email_verified"`
-	Picture          string `json:"picture"`
+	Picture          string   `json:"picture"`
-	Locale           string `json:"locale"`
+	Locale           string   `json:"locale"`
-	PreferedUsername string `json:"preferred_username"`
+	PreferedUsername string   `json:"preferred_username"`
+	Groups           []string `json:"groups"`
 }
 
 // Create creates a new fw auth client from our options
@@ -49,6 +52,9 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 		ClientID: options.ClientID,
 	})
 
+	scopes := []string{oidc.ScopeOpenID, "profile", "email"}
+	scopes = append(scopes, strings.Split(options.Scopes, " ")...)
+
 	return &ForwardAuth{
 		OidcProvider: provider,
 		OAuth2Config: oauth2.Config{
@@ -60,8 +66,9 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 			Endpoint: provider.Endpoint(),
 
 			// "openid" is a required scope for OpenID Connect flows.
-			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+			Scopes: scopes,
 		},
 		OidcVefifier: verifier,
+		SessionCache: newSessionCache(options),
 	}, nil
 }

pkg/forwardauth/session.go

@@ -0,0 +1,61 @@
+package forwardauth
+
+import (
+	"time"
+
+	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
+	"github.com/google/uuid"
+	"github.com/pzentenoe/go-cache"
+)
+
+type SessionCache struct {
+	internal  *cache.Cache
+	longLived bool
+}
+
+type SessionCacheItem struct {
+	IDToken      string
+	RefreshToken string
+}
+
+func newSessionCache(options *options.Options) SessionCache {
+	longLived := options.SessionLifetime > 0
+	var nd int
+	if longLived {
+		nd = options.SessionLifetime
+	} else {
+		nd = 12
+	}
+
+	return SessionCache{
+		internal: cache.New(time.Hour*time.Duration(nd), time.Hour),
+		longLived: longLived,
+	}
+}
+
+func (c *SessionCache) Get(sessionId string) *SessionCacheItem {
+	itm, _ := c.internal.Get(sessionId)
+	if itm == nil {
+		return nil
+	}
+	return itm.(*SessionCacheItem)
+}
+
+func (c *SessionCache) Create(session *SessionCacheItem) string {
+	sessionId := uuid.New().String()
+	c.internal.SetDefault(sessionId, session)
+	return sessionId
+}
+
+func (c *SessionCache) Update(sessionId string, session *SessionCacheItem) {
+	_, exp, found := c.internal.GetWithExpiration(sessionId)
+	if found && c.longLived {
+		c.internal.Set(sessionId, session, exp.Sub(time.Now()))
+	} else {
+		c.internal.SetDefault(sessionId, session)
+	}
+}
+
+func (c *SessionCache) Delete(sessionId string) {
+	c.internal.Delete(sessionId)
+}

pkg/forwardauth/token.go

@@ -6,7 +6,6 @@ package forwardauth
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 
 	"golang.org/x/oauth2"
@@ -25,7 +24,7 @@ func (fw *ForwardAuth) VerifyToken(ctx context.Context, oauth2Token *oauth2.Toke
 		return result, err
 	}
 
-	result = AuthenticatationResult{rawIDToken, oauth2Token.RefreshToken, new(json.RawMessage)}
+	result = AuthenticatationResult{rawIDToken, oauth2Token.RefreshToken, new(Claims)}
 	if err := idToken.Claims(&result.IDTokenClaims); err != nil {
 		return result, err
 	}

pkg/httphandler/callback.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/forwardauth"
 	"github.com/sirupsen/logrus"
 )
 
@@ -19,7 +20,7 @@ func (root *HttpHandler) callbackHandler(w http.ResponseWriter, r *http.Request,
 	})
 
 	// check for the csrf cookie
-	state, redirect, err := root.forwardAuth.ValidateCSRFCookie(r)
+	state, redirect, err := root.forwardAuth.ValidateCSRFCookie(r, root.options)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
@@ -41,9 +42,9 @@ func (root *HttpHandler) callbackHandler(w http.ResponseWriter, r *http.Request,
 	// clear the csrf cookie
 	http.SetCookie(w, root.forwardAuth.ClearCSRFCookie(root.options))
 
-	http.SetCookie(w, root.forwardAuth.MakeAuthCookie(root.options, authResult))
+	newSession := forwardauth.SessionCacheItem{IDToken: authResult.IDToken, RefreshToken: authResult.RefreshToken}
-	//if len(authResult.RefreshToken) > 0 { // Do we have an refresh token?
+	sessionId := root.forwardAuth.SessionCache.Create(&newSession)
-	//	http.SetCookie(w, root.forwardAuth.MakeRefreshAuthCookie(root.options, authResult))
+
-	//}
+	http.SetCookie(w, root.forwardAuth.MakeSessionCookie(root.options, sessionId))
 	http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
 }

pkg/httphandler/handler.go

@@ -27,18 +27,22 @@ func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler
 func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
-		switch {
+		host := r.Header.Get("X-Forwarded-Host")
-		case err != nil:
+
+		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
-
-		case uri.Path == h.options.RedirectURL:
-			h.callbackHandler(w, r, uri)
-			return
-
-		case uri.Path == "/":
-			h.rootHandler(w, r, uri)
-			return
 		}
+
+		if host == h.options.AuthDomain {
+			// Handles OIDC callback
+			if uri.Path == h.options.RedirectURL {
+				h.callbackHandler(w, r, uri)
+				return
+			}
+		}
+
+		// Handles forward auth
+		h.rootHandler(w, r, uri, r.URL)
 	}
 }

pkg/httphandler/root.go

@@ -5,6 +5,7 @@ This code is licensed under MIT license (see LICENSE for details)
 package httphandler
 
 import (
+	"fmt"
 	"net/http"
 	"net/url"
 
@@ -13,19 +14,31 @@ import (
 )
 
 // RootHandler returns a handler function which handles all requests to the root
-func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
+func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
 	logger := logrus.WithFields(logrus.Fields{
-		"SourceIP": r.Header.Get("X-Forwarded-For"),
+		"SourceIP":      r.Header.Get("X-Forwarded-For"),
-		"Path":     forwardedURI.Path,
+		"RequestTarget": root.forwardAuth.GetReturnUri(r),
+		"Path":          forwardedURI.Path,
 	})
 
+	user, pass, usesBasicAuth := r.BasicAuth()
+	if usesBasicAuth && root.options.BypassPwd != nil {
+		if root.options.BypassPwd.Match(user, pass) {
+			logger.Infof("Basic auth successful: %s", user)
+			w.Header().Set("X-Forwarded-User", "bypass@example.com")
+			w.WriteHeader(200)
+			return
+		} else {
+			logger.Errorf("Basic auth failed: %s", user)
+		}
+	}
+
 	claims, err := root.forwardAuth.IsAuthenticated(r.Context(), logger, w, r, root.options)
 	if err != nil {
 		logger = logger.WithField("FunctionSource", "RootHandler")
 		logger.Warn("IsAuthenticated failed, initating login flow.")
 
-		http.SetCookie(w, root.forwardAuth.ClearAuthCookie(root.options))
+		http.SetCookie(w, root.forwardAuth.ClearSessionCookie(root.options))
-		//http.SetCookie(w, root.forwardAuth.ClearRefreshAuthCookie(root.options))
 
 		state := uuid.New().String()
 		http.SetCookie(w, root.forwardAuth.MakeCSRFCookie(w, r, root.options, state))
@@ -33,6 +46,24 @@ func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, for
 		return
 	}
 
+	// Check group
+	group := queryURI.Query().Get("group")
+	if len(group) > 0 {
+		if !contains(claims.Groups, group) {
+			logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
+			http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
+		}
+	}
+
 	w.Header().Set("X-Forwarded-User", claims.Email)
 	w.WriteHeader(200)
 }
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}

pkg/options/options.go

@@ -6,18 +6,26 @@ package options
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/caarlos0/env"
+	"github.com/tg123/go-htpasswd"
 )
 
 type Options struct {
-	AuthDomain   string `env:"AUTH_DOMAIN"`
+	Issuer          string `env:"ISSUER"`
-	CookieDomain string `env:"COOKIE_DOMAIN"`
+	ClientID        string `env:"CLIENT_ID"`
-	Port         int    `env:"PORT"`
+	ClientSecret    string `env:"CLIENT_SECRET"`
-	Issuer       string `env:"ISSUER"`
+	AuthDomain      string `env:"AUTH_DOMAIN"`
-	ClientID     string `env:"CLIENT_ID"`
+	CookieDomain    string `env:"COOKIE_DOMAIN"`
-	ClientSecret string `env:"CLIENT_SECRET"`
+	CookiePrefix    string `env:"COOKIE_PREFIX" envDefault:"oidca_"`
-	RedirectURL  string `env:"REDIRECT_URL"`
+	Port            int    `env:"PORT" envDefault:"4181"`
+	RedirectURL     string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
+	Scopes          string `env:"SCOPES"`
+	BypassUser      string `env:"BYPASS_USER"`
+	BypassFile      string `env:"BYPASS_FILE"`
+	BypassPwd       *htpasswd.File
+	SessionLifetime int `env:"SESSION_LIFETIME" envDefault:"0"`
 }
 
 // LoadOptions parses the environment vars and the options
@@ -27,5 +35,20 @@ func LoadOptions() (*Options, error) {
 		return nil, fmt.Errorf("failed to parse options: %s", err)
 	}
 
+	if options.BypassFile != "" {
+		parsed, err := htpasswd.New(options.BypassFile, htpasswd.DefaultSystems, func(err error) {})
+		if err != nil {
+			return nil, err
+		}
+		options.BypassPwd = parsed
+	} else if options.BypassUser != "" {
+		prep := strings.ReplaceAll(options.BypassUser, ";", "\n")
+		parsed, err := htpasswd.NewFromReader(strings.NewReader(prep), htpasswd.DefaultSystems, func(err error) {})
+		if err != nil {
+			return nil, err
+		}
+		options.BypassPwd = parsed
+	}
+
 	return &options, nil
 }