Compare commits
14 commits
| Author | SHA1 | Date | |
|---|---|---|---|
523baf9c8a
|
|||
|
826b2124d1
|
|||
|
0c133ff09d
|
|||
|
e164030119
|
|||
|
e7bc551234
|
|||
|
e904879622 | ||
|
|
c724f69f15 | ||
|
|
ac61bc673a | ||
|
570b089148 | ||
|
|
b4c7065074 | ||
|
88aff05cc9 | ||
|
|
9a000ff56e | ||
|
|
9a270a6a59 | ||
|
|
140cbf807d |
12 changed files with 150 additions and 95 deletions
2
.github/PULL_REQUEST_TEMPLATE.md
vendored
2
.github/PULL_REQUEST_TEMPLATE.md
vendored
|
|
@ -16,4 +16,4 @@ Please select relevant options:
|
||||||
- [ ] I have added tests that prove my fix is effective or that my feature works
|
- [ ] I have added tests that prove my fix is effective or that my feature works
|
||||||
- [ ] I have checked my code and corrected any misspellings
|
- [ ] I have checked my code and corrected any misspellings
|
||||||
|
|
||||||
Reviewer: @nmeisenzahl
|
Reviewer: @stiviik
|
||||||
|
|
|
||||||
14
Dockerfile
14
Dockerfile
|
|
@ -1,5 +1,5 @@
|
||||||
# Builder
|
# Builder
|
||||||
FROM golang:alpine as builder
|
FROM golang:alpine AS builder
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Install git + SSL ca certificates.
|
# Install git + SSL ca certificates.
|
||||||
|
|
@ -31,7 +31,7 @@ RUN go mod download
|
||||||
RUN go mod verify
|
RUN go mod verify
|
||||||
|
|
||||||
# Build the binary.
|
# Build the binary.
|
||||||
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
|
RUN CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
|
||||||
|
|
||||||
# Runner
|
# Runner
|
||||||
FROM scratch
|
FROM scratch
|
||||||
|
|
@ -52,10 +52,10 @@ USER appuser:appuser
|
||||||
ARG BUILD_DATE
|
ARG BUILD_DATE
|
||||||
ARG VCS_REF
|
ARG VCS_REF
|
||||||
|
|
||||||
# Good docker practice, plus we get microbadger badges
|
# Good docker practice
|
||||||
LABEL org.label-schema.build-date=$BUILD_DATE \
|
LABEL org.opencontainers.image.created=$BUILD_DATE \
|
||||||
org.label-schema.vcs-url="https://github.com/StiviiK/oidc-forward-auth.git" \
|
org.opencontainers.image.authors="StiviiK" \
|
||||||
org.label-schema.vcs-ref=$VCS_REF \
|
org.opencontainers.image.source="https://code.thetadev.de/ThetaDev/oidc-forward-auth" \
|
||||||
org.label-schema.schema-version="1.0"
|
org.opencontainers.image.revision=$VCS_REF
|
||||||
|
|
||||||
ENTRYPOINT ["/go/bin/oidc-forward-auth"]
|
ENTRYPOINT ["/go/bin/oidc-forward-auth"]
|
||||||
|
|
@ -12,6 +12,8 @@ Configuration is currently only via environmnet variables supported:
|
||||||
|CLIENT_SECRET|string|OIDC Client Secret (required)|CLIENT_SECRET|
|
|CLIENT_SECRET|string|OIDC Client Secret (required)|CLIENT_SECRET|
|
||||||
|AUTH_DOMAIN|string|Central auth domain (required)|auth.example.com|
|
|AUTH_DOMAIN|string|Central auth domain (required)|auth.example.com|
|
||||||
|COOKIE_DOMAIN|string|Root domain(s) of protected host(s) (required)|example.com|
|
|COOKIE_DOMAIN|string|Root domain(s) of protected host(s) (required)|example.com|
|
||||||
|
|PORT|string|Port on which the Application is running on|4181|
|
||||||
|
|REDIRECT_URL|string|Redirect URL|/auth/resp|
|
||||||
|
|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
|
|
|
||||||
24
go.mod
24
go.mod
|
|
@ -1,14 +1,22 @@
|
||||||
module github.com/StiviiK/keycloak-traefik-forward-auth
|
module github.com/StiviiK/keycloak-traefik-forward-auth
|
||||||
|
|
||||||
go 1.14
|
go 1.21
|
||||||
|
|
||||||
|
toolchain go1.22.2
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/caarlos0/env v3.5.0+incompatible
|
github.com/caarlos0/env v3.5.0+incompatible
|
||||||
github.com/coreos/go-oidc v2.2.1+incompatible
|
github.com/coreos/go-oidc/v3 v3.12.0
|
||||||
github.com/google/uuid v1.1.1
|
github.com/google/uuid v1.6.0
|
||||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
|
github.com/sirupsen/logrus v1.9.3
|
||||||
github.com/sirupsen/logrus v1.6.0
|
golang.org/x/oauth2 v0.25.0
|
||||||
golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 // indirect
|
)
|
||||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
|
|
||||||
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
|
require github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 // indirect
|
||||||
|
|
||||||
|
require (
|
||||||
|
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
|
||||||
|
github.com/tg123/go-htpasswd v1.2.3
|
||||||
|
golang.org/x/crypto v0.32.0 // indirect
|
||||||
|
golang.org/x/sys v0.29.0 // indirect
|
||||||
)
|
)
|
||||||
|
|
|
||||||
65
go.sum
65
go.sum
|
|
@ -1,37 +1,36 @@
|
||||||
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
|
||||||
|
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
|
||||||
github.com/caarlos0/env v3.5.0+incompatible h1:Yy0UN8o9Wtr/jGHZDpCBLpNrzcFLLM2yixi/rBrKyJs=
|
github.com/caarlos0/env v3.5.0+incompatible h1:Yy0UN8o9Wtr/jGHZDpCBLpNrzcFLLM2yixi/rBrKyJs=
|
||||||
github.com/caarlos0/env v3.5.0+incompatible/go.mod h1:tdCsowwCzMLdkqRYDlHpZCp2UooDD3MspDBjZ2AD02Y=
|
github.com/caarlos0/env v3.5.0+incompatible/go.mod h1:tdCsowwCzMLdkqRYDlHpZCp2UooDD3MspDBjZ2AD02Y=
|
||||||
github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
|
github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
|
||||||
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
|
github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
|
||||||
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
|
github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
|
||||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
|
||||||
github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
|
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||||
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||||
github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
|
||||||
|
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
|
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
|
||||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
|
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||||
github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
|
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
|
||||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
||||||
golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
|
github.com/tg123/go-htpasswd v1.2.3 h1:ALR6ZBIc2m9u70m+eAWUFt5p43ISbIvAvRFYzZPTOY8=
|
||||||
golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
github.com/tg123/go-htpasswd v1.2.3/go.mod h1:FcIrK0J+6zptgVwK1JDlqyajW/1B4PtuJ/FLWl7nx8A=
|
||||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
|
||||||
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
|
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
|
||||||
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
|
||||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
|
golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
|
||||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
|
golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
|
||||||
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
|
||||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
|
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
|
||||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
|
||||||
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
|
|
||||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
|
||||||
gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
|
|
||||||
gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
|
|
||||||
|
|
|
||||||
8
main.go
8
main.go
|
|
@ -66,10 +66,6 @@ func checkOptions(options *options.Options) error {
|
||||||
return errors.New("Required arg AUTH_DOMAIN is not set")
|
return errors.New("Required arg AUTH_DOMAIN is not set")
|
||||||
}
|
}
|
||||||
|
|
||||||
if options.Port == 0 {
|
|
||||||
return errors.New("Required arg BIND_ADRESS is not set")
|
|
||||||
}
|
|
||||||
|
|
||||||
if options.ClientID == "" {
|
if options.ClientID == "" {
|
||||||
return errors.New("Required arg CLIENT_ID is not set")
|
return errors.New("Required arg CLIENT_ID is not set")
|
||||||
}
|
}
|
||||||
|
|
@ -82,9 +78,5 @@ func checkOptions(options *options.Options) error {
|
||||||
return errors.New("Required arg ISSUER is not set")
|
return errors.New("Required arg ISSUER is not set")
|
||||||
}
|
}
|
||||||
|
|
||||||
if options.RedirectURL == "" {
|
|
||||||
return errors.New("Required arg REDIRECT_URL is not set")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,6 @@ package forwardauth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
|
||||||
"errors"
|
"errors"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
@ -18,7 +17,7 @@ import (
|
||||||
type AuthenticatationResult struct {
|
type AuthenticatationResult struct {
|
||||||
IDToken string
|
IDToken string
|
||||||
RefreshToken string
|
RefreshToken string
|
||||||
IDTokenClaims *json.RawMessage
|
IDTokenClaims *Claims
|
||||||
}
|
}
|
||||||
|
|
||||||
func (fw *ForwardAuth) HandleAuthentication(ctx context.Context, logger *logrus.Entry, state string, code string) (*AuthenticatationResult, error) {
|
func (fw *ForwardAuth) HandleAuthentication(ctx context.Context, logger *logrus.Entry, state string, code string) (*AuthenticatationResult, error) {
|
||||||
|
|
@ -88,13 +87,7 @@ func (fw *ForwardAuth) IsAuthenticated(context context.Context, logger *logrus.E
|
||||||
http.SetCookie(w, fw.MakeRefreshAuthCookie(options, result))
|
http.SetCookie(w, fw.MakeRefreshAuthCookie(options, result))
|
||||||
}
|
}
|
||||||
|
|
||||||
err = json.Unmarshal(*result.IDTokenClaims, &claims)
|
return result.IDTokenClaims, nil
|
||||||
if err != nil {
|
|
||||||
logger.Error(err.Error())
|
|
||||||
return &claims, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return &claims, nil
|
|
||||||
|
|
||||||
case err != nil: // Other error
|
case err != nil: // Other error
|
||||||
logger.Error(err.Error())
|
logger.Error(err.Error())
|
||||||
|
|
|
||||||
|
|
@ -7,10 +7,11 @@ package forwardauth
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
|
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
|
||||||
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
|
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
|
||||||
"github.com/coreos/go-oidc"
|
"github.com/coreos/go-oidc/v3/oidc"
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -28,14 +29,15 @@ type Claims struct {
|
||||||
IssuedAt utils.Time `json:"iat"`
|
IssuedAt utils.Time `json:"iat"`
|
||||||
Expiration utils.Time `json:"exp"`
|
Expiration utils.Time `json:"exp"`
|
||||||
|
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
GivenName string `json:"given_name"`
|
GivenName string `json:"given_name"`
|
||||||
FamilyName string `json:"family_name"`
|
FamilyName string `json:"family_name"`
|
||||||
Email string `json:"email"`
|
Email string `json:"email"`
|
||||||
VerifiedMail bool `json:"email_verified"`
|
VerifiedMail bool `json:"email_verified"`
|
||||||
Picture string `json:"picture"`
|
Picture string `json:"picture"`
|
||||||
Locale string `json:"locale"`
|
Locale string `json:"locale"`
|
||||||
PreferedUsername string `json:"preferred_username"`
|
PreferedUsername string `json:"preferred_username"`
|
||||||
|
Groups []string `json:"groups"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create creates a new fw auth client from our options
|
// Create creates a new fw auth client from our options
|
||||||
|
|
@ -49,6 +51,9 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
|
||||||
ClientID: options.ClientID,
|
ClientID: options.ClientID,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
scopes := []string{oidc.ScopeOpenID, "profile", "email"}
|
||||||
|
scopes = append(scopes, strings.Split(options.Scopes, " ")...)
|
||||||
|
|
||||||
return &ForwardAuth{
|
return &ForwardAuth{
|
||||||
OidcProvider: provider,
|
OidcProvider: provider,
|
||||||
OAuth2Config: oauth2.Config{
|
OAuth2Config: oauth2.Config{
|
||||||
|
|
@ -60,7 +65,7 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
|
||||||
Endpoint: provider.Endpoint(),
|
Endpoint: provider.Endpoint(),
|
||||||
|
|
||||||
// "openid" is a required scope for OpenID Connect flows.
|
// "openid" is a required scope for OpenID Connect flows.
|
||||||
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
Scopes: scopes,
|
||||||
},
|
},
|
||||||
OidcVefifier: verifier,
|
OidcVefifier: verifier,
|
||||||
}, nil
|
}, nil
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,6 @@ package forwardauth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
|
||||||
"errors"
|
"errors"
|
||||||
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
|
|
@ -25,7 +24,7 @@ func (fw *ForwardAuth) VerifyToken(ctx context.Context, oauth2Token *oauth2.Toke
|
||||||
return result, err
|
return result, err
|
||||||
}
|
}
|
||||||
|
|
||||||
result = AuthenticatationResult{rawIDToken, oauth2Token.RefreshToken, new(json.RawMessage)}
|
result = AuthenticatationResult{rawIDToken, oauth2Token.RefreshToken, new(Claims)}
|
||||||
if err := idToken.Claims(&result.IDTokenClaims); err != nil {
|
if err := idToken.Claims(&result.IDTokenClaims); err != nil {
|
||||||
return result, err
|
return result, err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -27,18 +27,22 @@ func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler
|
||||||
func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
|
func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
|
uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
|
||||||
switch {
|
host := r.Header.Get("X-Forwarded-Host")
|
||||||
case err != nil:
|
|
||||||
|
if err != nil {
|
||||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
|
|
||||||
case uri.Path == h.options.RedirectURL:
|
|
||||||
h.callbackHandler(w, r, uri)
|
|
||||||
return
|
|
||||||
|
|
||||||
case uri.Path == "/":
|
|
||||||
h.rootHandler(w, r, uri)
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if host == h.options.AuthDomain {
|
||||||
|
// Handles OIDC callback
|
||||||
|
if uri.Path == h.options.RedirectURL {
|
||||||
|
h.callbackHandler(w, r, uri)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Handles forward auth
|
||||||
|
h.rootHandler(w, r, uri, r.URL)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ This code is licensed under MIT license (see LICENSE for details)
|
||||||
package httphandler
|
package httphandler
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
|
|
@ -13,12 +14,25 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
// RootHandler returns a handler function which handles all requests to the root
|
// RootHandler returns a handler function which handles all requests to the root
|
||||||
func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
|
func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
|
||||||
logger := logrus.WithFields(logrus.Fields{
|
logger := logrus.WithFields(logrus.Fields{
|
||||||
"SourceIP": r.Header.Get("X-Forwarded-For"),
|
"SourceIP": r.Header.Get("X-Forwarded-For"),
|
||||||
"Path": forwardedURI.Path,
|
"RequestTarget": root.forwardAuth.GetReturnUri(r),
|
||||||
|
"Path": forwardedURI.Path,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
user, pass, usesBasicAuth := r.BasicAuth()
|
||||||
|
if usesBasicAuth && root.options.BypassPwd != nil {
|
||||||
|
if root.options.BypassPwd.Match(user, pass) {
|
||||||
|
logger.Infof("Basic auth successful: %s", user)
|
||||||
|
w.Header().Set("X-Forwarded-User", "bypass@example.com")
|
||||||
|
w.WriteHeader(200)
|
||||||
|
return
|
||||||
|
} else {
|
||||||
|
logger.Errorf("Basic auth failed: %s", user)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
claims, err := root.forwardAuth.IsAuthenticated(r.Context(), logger, w, r, root.options)
|
claims, err := root.forwardAuth.IsAuthenticated(r.Context(), logger, w, r, root.options)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger = logger.WithField("FunctionSource", "RootHandler")
|
logger = logger.WithField("FunctionSource", "RootHandler")
|
||||||
|
|
@ -33,6 +47,24 @@ func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, for
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check group
|
||||||
|
group := queryURI.Query().Get("group")
|
||||||
|
if len(group) > 0 {
|
||||||
|
if !contains(claims.Groups, group) {
|
||||||
|
logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
|
||||||
|
http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
w.Header().Set("X-Forwarded-User", claims.Email)
|
w.Header().Set("X-Forwarded-User", claims.Email)
|
||||||
w.WriteHeader(200)
|
w.WriteHeader(200)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func contains(s []string, e string) bool {
|
||||||
|
for _, a := range s {
|
||||||
|
if a == e {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,18 +6,24 @@ package options
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/caarlos0/env"
|
"github.com/caarlos0/env"
|
||||||
|
"github.com/tg123/go-htpasswd"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Options struct {
|
type Options struct {
|
||||||
AuthDomain string `env:"AUTH_DOMAIN"`
|
|
||||||
CookieDomain string `env:"COOKIE_DOMAIN"`
|
|
||||||
Port int `env:"PORT"`
|
|
||||||
Issuer string `env:"ISSUER"`
|
Issuer string `env:"ISSUER"`
|
||||||
ClientID string `env:"CLIENT_ID"`
|
ClientID string `env:"CLIENT_ID"`
|
||||||
ClientSecret string `env:"CLIENT_SECRET"`
|
ClientSecret string `env:"CLIENT_SECRET"`
|
||||||
RedirectURL string `env:"REDIRECT_URL"`
|
AuthDomain string `env:"AUTH_DOMAIN"`
|
||||||
|
CookieDomain string `env:"COOKIE_DOMAIN"`
|
||||||
|
Port int `env:"PORT" envDefault:"4181"`
|
||||||
|
RedirectURL string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
|
||||||
|
Scopes string `env:"SCOPES"`
|
||||||
|
BypassUser string `env:"BYPASS_USER"`
|
||||||
|
BypassFile string `env:"BYPASS_FILE"`
|
||||||
|
BypassPwd *htpasswd.File
|
||||||
}
|
}
|
||||||
|
|
||||||
// LoadOptions parses the environment vars and the options
|
// LoadOptions parses the environment vars and the options
|
||||||
|
|
@ -27,5 +33,20 @@ func LoadOptions() (*Options, error) {
|
||||||
return nil, fmt.Errorf("failed to parse options: %s", err)
|
return nil, fmt.Errorf("failed to parse options: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if options.BypassFile != "" {
|
||||||
|
parsed, err := htpasswd.New(options.BypassFile, htpasswd.DefaultSystems, func(err error) {})
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
options.BypassPwd = parsed
|
||||||
|
} else if options.BypassUser != "" {
|
||||||
|
prep := strings.ReplaceAll(options.BypassUser, ";", "\n")
|
||||||
|
parsed, err := htpasswd.NewFromReader(strings.NewReader(prep), htpasswd.DefaultSystems, func(err error) {})
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
options.BypassPwd = parsed
|
||||||
|
}
|
||||||
|
|
||||||
return &options, nil
|
return &options, nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue