RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/oidc/provider.go

109 lines
3.0 KiB
Go
Raw Normal View History

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
package oidc
import (
"crypto/rsa"
"fmt"
"github.com/ory/fosite"
"github.com/ory/fosite/compose"
"github.com/ory/fosite/token/jwt"
"gopkg.in/square/go-jose.v2"
"github.com/authelia/authelia/internal/configuration/schema"
"github.com/authelia/authelia/internal/utils"
)
// OpenIDConnectProvider for OpenID Connect.
type OpenIDConnectProvider struct {
privateKeys map[string]*rsa.PrivateKey
Fosite fosite.OAuth2Provider
Store *OpenIDConnectStore
}
// NewOpenIDConnectProvider new-ups a OpenIDConnectProvider.
func NewOpenIDConnectProvider(configuration *schema.OpenIDConnectConfiguration) (provider OpenIDConnectProvider, err error) {
provider = OpenIDConnectProvider{
Fosite: nil,
}
if configuration == nil {
return provider, nil
}
provider.Store = NewOpenIDConnectStore(configuration)
composeConfiguration := new(compose.Config)
key, err := utils.ParseRsaPrivateKeyFromPemStr(configuration.IssuerPrivateKey)
if err != nil {
return provider, fmt.Errorf("unable to parse the private key of the OpenID issuer: %w", err)
}
provider.privateKeys = make(map[string]*rsa.PrivateKey)
provider.privateKeys["main-key"] = key
// TODO: Consider implementing RS512 as well.
jwtStrategy := &jwt.RS256JWTStrategy{PrivateKey: key}
strategy := &compose.CommonStrategy{
CoreStrategy: compose.NewOAuth2HMACStrategy(
composeConfiguration,
[]byte(utils.HashSHA256FromString(configuration.HMACSecret)),
nil,
),
OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(
composeConfiguration,
provider.privateKeys["main-key"],
),
JWTStrategy: jwtStrategy,
}
provider.Fosite = compose.Compose(
composeConfiguration,
provider.Store,
strategy,
AutheliaHasher{},
/*
These are the OAuth2 and OpenIDConnect factories. Order is important (the OAuth2 factories at the top must
be before the OpenIDConnect factories) and taken directly from fosite.compose.ComposeAllEnabled. The
commented factories are not enabled as we don't yet use them but are still here for reference purposes.
*/
compose.OAuth2AuthorizeExplicitFactory,
compose.OAuth2AuthorizeImplicitFactory,
compose.OAuth2ClientCredentialsGrantFactory,
compose.OAuth2RefreshTokenGrantFactory,
compose.OAuth2ResourceOwnerPasswordCredentialsFactory,
// compose.RFC7523AssertionGrantFactory,
compose.OpenIDConnectExplicitFactory,
compose.OpenIDConnectImplicitFactory,
compose.OpenIDConnectHybridFactory,
compose.OpenIDConnectRefreshFactory,
compose.OAuth2TokenIntrospectionFactory,
compose.OAuth2TokenRevocationFactory,
// compose.OAuth2PKCEFactory,
)
return provider, nil
}
// GetKeySet returns the jose.JSONWebKeySet for the OpenIDConnectProvider.
func (p OpenIDConnectProvider) GetKeySet() (webKeySet jose.JSONWebKeySet) {
for keyID, key := range p.privateKeys {
webKey := jose.JSONWebKey{
Key: &key.PublicKey,
KeyID: keyID,
Algorithm: "RS256",
Use: "sig",
}
webKeySet.Keys = append(webKeySet.Keys, webKey)
}
return webKeySet
}