wn/traefik-forward-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for resource indicator to OIDC provider (#131)

Browse Source
This commit is contained in:
Thom Seddon 2020-06-11 12:24:51 +01:00 committed by GitHub
parent fb8b216481
commit 2937b04fdb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -152,6 +152,7 @@ OIDC Provider:
--providers.oidc.issuer-url= Issuer URL [$PROVIDERS_OIDC_ISSUER_URL]
--providers.oidc.client-id= Client ID [$PROVIDERS_OIDC_CLIENT_ID]
--providers.oidc.client-secret= Client Secret [$PROVIDERS_OIDC_CLIENT_SECRET]
--providers.oidc.resource= Optional resource indicator [$PROVIDERS_OIDC_RESOURCE]
Help Options:
-h, --help Show this help message

4
internal/provider/oidc.go
View File

@ -10,12 +10,12 @@ import (
// OIDC provider
type OIDC struct {
OAuthProvider
IssuerURL string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
OAuthProvider
provider *oidc.Provider
verifier *oidc.IDTokenVerifier
}

27
internal/provider/oidc_test.go
View File

@ -59,6 +59,33 @@ func TestOIDCGetLoginURL(t *testing.T) {
// Calling the method should not modify the underlying config
assert.Equal("", provider.Config.RedirectURL)
//
// Test with resource config option
//
provider.Resource = "resourcetest"
// Check url
uri, err = url.Parse(provider.GetLoginURL("http://example.com/_oauth", "state"))
assert.Nil(err)
assert.Equal(serverURL.Scheme, uri.Scheme)
assert.Equal(serverURL.Host, uri.Host)
assert.Equal("/auth", uri.Path)
// Check query string
qs = uri.Query()
expectedQs = url.Values{
"client_id": []string{"idtest"},
"redirect_uri": []string{"http://example.com/_oauth"},
"response_type": []string{"code"},
"scope": []string{"openid profile email"},
"state": []string{"state"},
"resource": []string{"resourcetest"},
}
assert.Equal(expectedQs, qs)
// Calling the method should not modify the underlying config
assert.Equal("", provider.Config.RedirectURL)
}
func TestOIDCExchangeCode(t *testing.T) {

7
internal/provider/providers.go
View File

@ -36,6 +36,8 @@ type User struct {
// OAuthProvider is a provider using the oauth2 library
type OAuthProvider struct {
Resource string `long:"resource" env:"RESOURCE" description:"Optional resource indicator"`
Config *oauth2.Config
ctx context.Context
}
@ -51,6 +53,11 @@ func (p *OAuthProvider) ConfigCopy(redirectURI string) oauth2.Config {
// OAuthGetLoginURL provides a base "GetLoginURL" for proiders using OAauth2
func (p *OAuthProvider) OAuthGetLoginURL(redirectURI, state string) string {
config := p.ConfigCopy(redirectURI)
if p.Resource != "" {
return config.AuthCodeURL(state, oauth2.SetAuthURLParam("resource", p.Resource))
}
return config.AuthCodeURL(state)
}