2021-05-04 22:06:05 +00:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
2022-03-04 03:09:27 +00:00
|
|
|
"fmt"
|
2021-07-10 04:56:33 +00:00
|
|
|
"net/http"
|
|
|
|
|
2021-05-04 22:06:05 +00:00
|
|
|
"github.com/ory/fosite/compose"
|
2021-07-10 04:56:33 +00:00
|
|
|
"github.com/ory/herodot"
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2022-04-07 05:33:53 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/storage"
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
2021-05-04 22:06:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.
|
2022-04-07 05:33:53 +00:00
|
|
|
func NewOpenIDConnectProvider(config *schema.OpenIDConnectConfiguration, storageProvider storage.Provider) (provider OpenIDConnectProvider, err error) {
|
|
|
|
if config == nil {
|
2021-05-04 22:06:05 +00:00
|
|
|
return provider, nil
|
|
|
|
}
|
|
|
|
|
2022-10-02 02:07:40 +00:00
|
|
|
provider = OpenIDConnectProvider{
|
|
|
|
Fosite: nil,
|
|
|
|
Store: NewOpenIDConnectStore(config, storageProvider),
|
|
|
|
}
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2022-10-02 02:07:40 +00:00
|
|
|
cconfig := &compose.Config{
|
2022-04-07 05:33:53 +00:00
|
|
|
AccessTokenLifespan: config.AccessTokenLifespan,
|
|
|
|
AuthorizeCodeLifespan: config.AuthorizeCodeLifespan,
|
|
|
|
IDTokenLifespan: config.IDTokenLifespan,
|
|
|
|
RefreshTokenLifespan: config.RefreshTokenLifespan,
|
|
|
|
SendDebugMessagesToClients: config.EnableClientDebugMessages,
|
|
|
|
MinParameterEntropy: config.MinimumParameterEntropy,
|
|
|
|
EnforcePKCE: config.EnforcePKCE == "always",
|
|
|
|
EnforcePKCEForPublicClients: config.EnforcePKCE != "never",
|
|
|
|
EnablePKCEPlainChallengeMethod: config.EnablePKCEPlainChallenge,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
}
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
keyManager, err := NewKeyManagerWithConfiguration(config)
|
2021-05-04 22:06:05 +00:00
|
|
|
if err != nil {
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
return provider, err
|
2021-05-04 22:06:05 +00:00
|
|
|
}
|
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
provider.KeyManager = keyManager
|
2021-05-04 22:06:05 +00:00
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
key, err := provider.KeyManager.GetActivePrivateKey()
|
|
|
|
if err != nil {
|
|
|
|
return provider, err
|
|
|
|
}
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
strategy := &compose.CommonStrategy{
|
|
|
|
CoreStrategy: compose.NewOAuth2HMACStrategy(
|
2022-10-02 02:07:40 +00:00
|
|
|
cconfig,
|
2022-04-07 05:33:53 +00:00
|
|
|
[]byte(utils.HashSHA256FromString(config.HMACSecret)),
|
2021-05-04 22:06:05 +00:00
|
|
|
nil,
|
|
|
|
),
|
|
|
|
OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(
|
2022-10-02 02:07:40 +00:00
|
|
|
cconfig,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
key,
|
2021-05-04 22:06:05 +00:00
|
|
|
),
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
JWTStrategy: provider.KeyManager.Strategy(),
|
2021-05-04 22:06:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
provider.Fosite = compose.Compose(
|
2022-10-02 02:07:40 +00:00
|
|
|
cconfig,
|
2021-05-04 22:06:05 +00:00
|
|
|
provider.Store,
|
|
|
|
strategy,
|
2022-04-07 05:33:53 +00:00
|
|
|
PlainTextHasher{},
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
These are the OAuth2 and OpenIDConnect factories. Order is important (the OAuth2 factories at the top must
|
|
|
|
be before the OpenIDConnect factories) and taken directly from fosite.compose.ComposeAllEnabled. The
|
|
|
|
commented factories are not enabled as we don't yet use them but are still here for reference purposes.
|
|
|
|
*/
|
|
|
|
compose.OAuth2AuthorizeExplicitFactory,
|
|
|
|
compose.OAuth2AuthorizeImplicitFactory,
|
|
|
|
compose.OAuth2ClientCredentialsGrantFactory,
|
|
|
|
compose.OAuth2RefreshTokenGrantFactory,
|
2022-04-07 05:33:53 +00:00
|
|
|
// compose.OAuth2ResourceOwnerPasswordCredentialsFactory,
|
2022-01-31 05:25:15 +00:00
|
|
|
// compose.RFC7523AssertionGrantFactory,.
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
compose.OpenIDConnectExplicitFactory,
|
|
|
|
compose.OpenIDConnectImplicitFactory,
|
|
|
|
compose.OpenIDConnectHybridFactory,
|
|
|
|
compose.OpenIDConnectRefreshFactory,
|
|
|
|
|
|
|
|
compose.OAuth2TokenIntrospectionFactory,
|
|
|
|
compose.OAuth2TokenRevocationFactory,
|
|
|
|
|
2022-03-02 04:44:05 +00:00
|
|
|
compose.OAuth2PKCEFactory,
|
2021-05-04 22:06:05 +00:00
|
|
|
)
|
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
provider.discovery = NewOpenIDConnectWellKnownConfiguration(config.EnablePKCEPlainChallenge, provider.Pairwise())
|
2022-03-04 03:09:27 +00:00
|
|
|
|
2021-07-10 04:56:33 +00:00
|
|
|
provider.herodot = herodot.NewJSONWriter(nil)
|
|
|
|
|
2021-05-04 22:06:05 +00:00
|
|
|
return provider, nil
|
|
|
|
}
|
2021-07-10 04:56:33 +00:00
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
// Pairwise returns true if this provider is configured with clients that require pairwise.
|
|
|
|
func (p OpenIDConnectProvider) Pairwise() bool {
|
|
|
|
for _, c := range p.Store.clients {
|
|
|
|
if c.SectorIdentifier != "" {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-07-10 04:56:33 +00:00
|
|
|
// Write writes data with herodot.JSONWriter.
|
2022-10-02 02:07:40 +00:00
|
|
|
func (p OpenIDConnectProvider) Write(w http.ResponseWriter, r *http.Request, e any, opts ...herodot.EncoderOptions) {
|
2021-07-10 04:56:33 +00:00
|
|
|
p.herodot.Write(w, r, e, opts...)
|
|
|
|
}
|
|
|
|
|
|
|
|
// WriteError writes an error with herodot.JSONWriter.
|
|
|
|
func (p OpenIDConnectProvider) WriteError(w http.ResponseWriter, r *http.Request, err error, opts ...herodot.Option) {
|
|
|
|
p.herodot.WriteError(w, r, err, opts...)
|
|
|
|
}
|
|
|
|
|
|
|
|
// WriteErrorCode writes an error with an error code with herodot.JSONWriter.
|
|
|
|
func (p OpenIDConnectProvider) WriteErrorCode(w http.ResponseWriter, r *http.Request, code int, err error, opts ...herodot.Option) {
|
|
|
|
p.herodot.WriteErrorCode(w, r, code, err, opts...)
|
|
|
|
}
|
2022-03-04 03:09:27 +00:00
|
|
|
|
|
|
|
// GetOAuth2WellKnownConfiguration returns the discovery document for the OAuth Configuration.
|
|
|
|
func (p OpenIDConnectProvider) GetOAuth2WellKnownConfiguration(issuer string) OAuth2WellKnownConfiguration {
|
|
|
|
options := OAuth2WellKnownConfiguration{
|
|
|
|
CommonDiscoveryOptions: p.discovery.CommonDiscoveryOptions,
|
|
|
|
OAuth2DiscoveryOptions: p.discovery.OAuth2DiscoveryOptions,
|
|
|
|
}
|
|
|
|
|
|
|
|
options.Issuer = issuer
|
|
|
|
options.JWKSURI = fmt.Sprintf("%s%s", issuer, JWKsPath)
|
|
|
|
|
|
|
|
options.IntrospectionEndpoint = fmt.Sprintf("%s%s", issuer, IntrospectionPath)
|
|
|
|
options.TokenEndpoint = fmt.Sprintf("%s%s", issuer, TokenPath)
|
|
|
|
|
|
|
|
options.AuthorizationEndpoint = fmt.Sprintf("%s%s", issuer, AuthorizationPath)
|
|
|
|
options.RevocationEndpoint = fmt.Sprintf("%s%s", issuer, RevocationPath)
|
|
|
|
|
|
|
|
return options
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetOpenIDConnectWellKnownConfiguration returns the discovery document for the OpenID Configuration.
|
|
|
|
func (p OpenIDConnectProvider) GetOpenIDConnectWellKnownConfiguration(issuer string) OpenIDConnectWellKnownConfiguration {
|
|
|
|
options := OpenIDConnectWellKnownConfiguration{
|
|
|
|
CommonDiscoveryOptions: p.discovery.CommonDiscoveryOptions,
|
|
|
|
OAuth2DiscoveryOptions: p.discovery.OAuth2DiscoveryOptions,
|
|
|
|
OpenIDConnectDiscoveryOptions: p.discovery.OpenIDConnectDiscoveryOptions,
|
|
|
|
OpenIDConnectFrontChannelLogoutDiscoveryOptions: p.discovery.OpenIDConnectFrontChannelLogoutDiscoveryOptions,
|
|
|
|
OpenIDConnectBackChannelLogoutDiscoveryOptions: p.discovery.OpenIDConnectBackChannelLogoutDiscoveryOptions,
|
|
|
|
}
|
|
|
|
|
|
|
|
options.Issuer = issuer
|
|
|
|
options.JWKSURI = fmt.Sprintf("%s%s", issuer, JWKsPath)
|
|
|
|
|
|
|
|
options.IntrospectionEndpoint = fmt.Sprintf("%s%s", issuer, IntrospectionPath)
|
|
|
|
options.TokenEndpoint = fmt.Sprintf("%s%s", issuer, TokenPath)
|
|
|
|
|
|
|
|
options.AuthorizationEndpoint = fmt.Sprintf("%s%s", issuer, AuthorizationPath)
|
|
|
|
options.RevocationEndpoint = fmt.Sprintf("%s%s", issuer, RevocationPath)
|
|
|
|
options.UserinfoEndpoint = fmt.Sprintf("%s%s", issuer, UserinfoPath)
|
|
|
|
|
|
|
|
return options
|
|
|
|
}
|