authelia/internal/handlers/oidc.go

package handlers

import (
	"github.com/ory/fosite"
	"github.com/ory/fosite/handler/openid"
	"github.com/ory/fosite/token/jwt"

	"github.com/authelia/authelia/v4/internal/oidc"
	"github.com/authelia/authelia/v4/internal/session"
	"github.com/authelia/authelia/v4/internal/utils"
)

// isConsentMissing compares the requestedScopes and requestedAudience to the workflows
// GrantedScopes and GrantedAudience and returns true if they do not match or the workflow is nil.
func isConsentMissing(workflow *session.OIDCWorkflowSession, requestedScopes, requestedAudience []string) (isMissing bool) {
	if workflow == nil {
		return true
	}

	return len(requestedScopes) > 0 && utils.IsStringSlicesDifferent(requestedScopes, workflow.GrantedScopes) ||
		len(requestedAudience) > 0 && utils.IsStringSlicesDifferentFold(requestedAudience, workflow.GrantedAudience)
}

func newOpenIDSession(subject string) *oidc.OpenIDSession {
	return &oidc.OpenIDSession{
		DefaultSession: &openid.DefaultSession{
			Claims:  new(jwt.IDTokenClaims),
			Headers: new(jwt.Headers),
			Subject: subject,
		},
		Extra: map[string]interface{}{},
	}
}

func oidcGrantRequests(ar fosite.AuthorizeRequester, scopes, audiences []string, userSession *session.UserSession) (extraClaims map[string]interface{}) {
	extraClaims = map[string]interface{}{}

	for _, scope := range scopes {
		if ar != nil {
			ar.GrantScope(scope)
		}

		switch scope {
		case oidc.ScopeGroups:
			extraClaims[oidc.ClaimGroups] = userSession.Groups
		case oidc.ScopeProfile:
			extraClaims[oidc.ClaimPreferredUsername] = userSession.Username
			extraClaims[oidc.ClaimDisplayName] = userSession.DisplayName
		case oidc.ScopeEmail:
			if len(userSession.Emails) != 0 {
				extraClaims[oidc.ClaimEmail] = userSession.Emails[0]
				if len(userSession.Emails) > 1 {
					extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]
				}
				// TODO (james-d-elliott): actually verify emails and record that information.
				extraClaims[oidc.ClaimEmailVerified] = true
			}
		}
	}

	if ar != nil {
		for _, audience := range audiences {
			ar.GrantAudience(audience)
		}

		if !utils.IsStringInSlice(ar.GetClient().GetID(), ar.GetGrantedAudience()) {
			ar.GrantAudience(ar.GetClient().GetID())
		}
	}

	return extraClaims
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`package handlers`

			`import (`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`"github.com/ory/fosite"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`"github.com/ory/fosite/handler/openid"`
			`"github.com/ory/fosite/token/jwt"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/oidc"`
			`"github.com/authelia/authelia/v4/internal/session"`
			`"github.com/authelia/authelia/v4/internal/utils"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`)`

			`// isConsentMissing compares the requestedScopes and requestedAudience to the workflows`
			`// GrantedScopes and GrantedAudience and returns true if they do not match or the workflow is nil.`
			`func isConsentMissing(workflow *session.OIDCWorkflowSession, requestedScopes, requestedAudience []string) (isMissing bool) {`
			`if workflow == nil {`
			`return true`
			`}`

			`return len(requestedScopes) > 0 && utils.IsStringSlicesDifferent(requestedScopes, workflow.GrantedScopes) \|\|`
			`len(requestedAudience) > 0 && utils.IsStringSlicesDifferentFold(requestedAudience, workflow.GrantedAudience)`
			`}`

feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`func newOpenIDSession(subject string) *oidc.OpenIDSession {`
			`return &oidc.OpenIDSession{`
			`DefaultSession: &openid.DefaultSession{`
			`Claims: new(jwt.IDTokenClaims),`
			`Headers: new(jwt.Headers),`
			`Subject: subject,`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`},`
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have. 2021-07-03 23:44:30 +00:00			`Extra: map[string]interface{}{},`
			`}`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`}`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00
			`func oidcGrantRequests(ar fosite.AuthorizeRequester, scopes, audiences []string, userSession *session.UserSession) (extraClaims map[string]interface{}) {`
fix(oidc): make preferred_username a profile scope claim (#2930) This corrects an issue with the preferred_username which should be part of the profile scope as per https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims. Introduced in ddbb21a via #2829 2022-03-01 03:07:39 +00:00			`extraClaims = map[string]interface{}{}`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00
			`for _, scope := range scopes {`
			`if ar != nil {`
			`ar.GrantScope(scope)`
			`}`

			`switch scope {`
			`case oidc.ScopeGroups:`
			`extraClaims[oidc.ClaimGroups] = userSession.Groups`
			`case oidc.ScopeProfile:`
fix(oidc): make preferred_username a profile scope claim (#2930) This corrects an issue with the preferred_username which should be part of the profile scope as per https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims. Introduced in ddbb21a via #2829 2022-03-01 03:07:39 +00:00			`extraClaims[oidc.ClaimPreferredUsername] = userSession.Username`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`extraClaims[oidc.ClaimDisplayName] = userSession.DisplayName`
			`case oidc.ScopeEmail:`
			`if len(userSession.Emails) != 0 {`
			`extraClaims[oidc.ClaimEmail] = userSession.Emails[0]`
			`if len(userSession.Emails) > 1 {`
fix(handlers): include preferred_username claim in meta (#2829) This includes the preferred_username claim in the meta. Also uses the consts for all the applicable claims and scopes. 2022-02-09 22:55:28 +00:00			`extraClaims[oidc.ClaimEmailAlts] = userSession.Emails[1:]`
fix(oidc): add preferred username claim (#2801) This adds the missing preferred username claim to the ID Token for OIDC. Fixes #2798 2022-01-18 09:32:06 +00:00			`}`
			`// TODO (james-d-elliott): actually verify emails and record that information.`
			`extraClaims[oidc.ClaimEmailVerified] = true`
			`}`
			`}`
			`}`

			`if ar != nil {`
			`for _, audience := range audiences {`
			`ar.GrantAudience(audience)`
			`}`

			`if !utils.IsStringInSlice(ar.GetClient().GetID(), ar.GetGrantedAudience()) {`
			`ar.GrantAudience(ar.GetClient().GetID())`
			`}`
			`}`

			`return extraClaims`
			`}`