support skipping issuer url verification in OIDC authentication
This commit is contained in:
MaysWind
@@ -316,9 +316,12 @@ oauth2_proxy = system
|
|||||||
# For "oauth2" authentication only, set to true to skip tls verification when request OAuth 2.0 api
|
# For "oauth2" authentication only, set to true to skip tls verification when request OAuth 2.0 api
|
||||||
oauth2_skip_tls_verify = false
|
oauth2_skip_tls_verify = false
|
||||||
|
|
||||||
# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, OIDC provider base url. Make sure the ".well-known" directory is available under this path. For example, if it's set to "https://auth.example.com/", the discovery URL should be "https://auth.example.com/.well-known/openid-configuration".
|
# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, OIDC provider issuer url. Make sure the ".well-known" directory is available under this path. For example, if it's set to "https://auth.example.com", the discovery URL should be "https://auth.example.com/.well-known/openid-configuration".
|
||||||
oidc_provider_base_url =
|
oidc_provider_base_url =
|
||||||
|
|
||||||
|
# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to check whether the issuer url in the discovery response matches the above "oidc_provider_base_url"
|
||||||
|
oidc_provider_check_issuer_url = true
|
||||||
|
|
||||||
# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to replace the text "Connect ID" in the "Log in with Connect ID" button with the below custom provider name
|
# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to replace the text "Connect ID" in the "Log in with Connect ID" button with the below custom provider name
|
||||||
enable_oidc_display_name = false
|
enable_oidc_display_name = false
|
||||||
|
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
package oidc
|
package oidc
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"strings"
|
"context"
|
||||||
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
|
|
||||||
@@ -25,7 +25,8 @@ type OIDCClaims struct {
|
|||||||
// OIDCProvider represents OIDC provider
|
// OIDCProvider represents OIDC provider
|
||||||
type OIDCProvider struct {
|
type OIDCProvider struct {
|
||||||
provider.OAuth2Provider
|
provider.OAuth2Provider
|
||||||
oidcBaseUrl string
|
oidcIssuerURL string
|
||||||
|
oidcCheckIssuerURL bool
|
||||||
redirectUrl string
|
redirectUrl string
|
||||||
oauth2ClientID string
|
oauth2ClientID string
|
||||||
oauth2ClientSecret string
|
oauth2ClientSecret string
|
||||||
@@ -130,14 +131,23 @@ func (p *OIDCProvider) getOAuth2Config(c core.Context) (*oauth2.Config, error) {
|
|||||||
return p.oauth2Config, nil
|
return p.oauth2Config, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
oidcProvider, err := oidc.NewProvider(c, p.oidcBaseUrl)
|
var ctx context.Context = c
|
||||||
|
|
||||||
|
if !p.oidcCheckIssuerURL {
|
||||||
|
ctx = oidc.InsecureIssuerURLContext(c, p.oidcIssuerURL)
|
||||||
|
}
|
||||||
|
|
||||||
|
oidcProvider, err := oidc.NewProvider(ctx, p.oidcIssuerURL)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf(c, "[oidc_provider.getOAuth2Config] failed to create oidc provider, because %s", err.Error())
|
log.Errorf(c, "[oidc_provider.getOAuth2Config] failed to create oidc provider, because %s", err.Error())
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
oidcVerifier := oidcProvider.Verifier(&oidc.Config{ClientID: p.oauth2ClientID})
|
oidcVerifier := oidcProvider.Verifier(&oidc.Config{
|
||||||
|
ClientID: p.oauth2ClientID,
|
||||||
|
SkipIssuerCheck: !p.oidcCheckIssuerURL,
|
||||||
|
})
|
||||||
|
|
||||||
oauth2Config := &oauth2.Config{
|
oauth2Config := &oauth2.Config{
|
||||||
ClientID: p.oauth2ClientID,
|
ClientID: p.oauth2ClientID,
|
||||||
@@ -155,14 +165,13 @@ func (p *OIDCProvider) getOAuth2Config(c core.Context) (*oauth2.Config, error) {
|
|||||||
|
|
||||||
// NewOIDCProvider returns a new OIDC provider
|
// NewOIDCProvider returns a new OIDC provider
|
||||||
func NewOIDCProvider(config *settings.Config, redirectUrl string) (*OIDCProvider, error) {
|
func NewOIDCProvider(config *settings.Config, redirectUrl string) (*OIDCProvider, error) {
|
||||||
if len(config.OAuth2OIDCProviderBaseUrl) < 1 {
|
if len(config.OAuth2OIDCProviderIssuerURL) < 1 {
|
||||||
return nil, errs.ErrInvalidOAuth2Config
|
return nil, errs.ErrInvalidOAuth2Config
|
||||||
}
|
}
|
||||||
|
|
||||||
baseUrl := strings.TrimSuffix(config.OAuth2OIDCProviderBaseUrl, "/")
|
|
||||||
|
|
||||||
return &OIDCProvider{
|
return &OIDCProvider{
|
||||||
oidcBaseUrl: baseUrl,
|
oidcIssuerURL: config.OAuth2OIDCProviderIssuerURL,
|
||||||
|
oidcCheckIssuerURL: config.OAuth2OIDCProviderCheckIssuerURL,
|
||||||
redirectUrl: redirectUrl,
|
redirectUrl: redirectUrl,
|
||||||
oauth2ClientID: config.OAuth2ClientID,
|
oauth2ClientID: config.OAuth2ClientID,
|
||||||
oauth2ClientSecret: config.OAuth2ClientSecret,
|
oauth2ClientSecret: config.OAuth2ClientSecret,
|
||||||
|
|||||||
@@ -377,7 +377,8 @@ type Config struct {
|
|||||||
OAuth2RequestTimeout uint32
|
OAuth2RequestTimeout uint32
|
||||||
OAuth2Proxy string
|
OAuth2Proxy string
|
||||||
OAuth2SkipTLSVerify bool
|
OAuth2SkipTLSVerify bool
|
||||||
OAuth2OIDCProviderBaseUrl string
|
OAuth2OIDCProviderIssuerURL string
|
||||||
|
OAuth2OIDCProviderCheckIssuerURL bool
|
||||||
OAuth2OIDCCustomDisplayNameConfig MultiLanguageContentConfig
|
OAuth2OIDCCustomDisplayNameConfig MultiLanguageContentConfig
|
||||||
OAuth2NextcloudBaseUrl string
|
OAuth2NextcloudBaseUrl string
|
||||||
OAuth2GiteaBaseUrl string
|
OAuth2GiteaBaseUrl string
|
||||||
@@ -1032,7 +1033,8 @@ func loadAuthConfiguration(config *Config, configFile *ini.File, sectionName str
|
|||||||
config.OAuth2RequestTimeout = getConfigItemUint32Value(configFile, sectionName, "oauth2_request_timeout", defaultOAuth2RequestTimeout)
|
config.OAuth2RequestTimeout = getConfigItemUint32Value(configFile, sectionName, "oauth2_request_timeout", defaultOAuth2RequestTimeout)
|
||||||
config.OAuth2SkipTLSVerify = getConfigItemBoolValue(configFile, sectionName, "oauth2_skip_tls_verify", false)
|
config.OAuth2SkipTLSVerify = getConfigItemBoolValue(configFile, sectionName, "oauth2_skip_tls_verify", false)
|
||||||
|
|
||||||
config.OAuth2OIDCProviderBaseUrl = getConfigItemStringValue(configFile, sectionName, "oidc_provider_base_url")
|
config.OAuth2OIDCProviderIssuerURL = getConfigItemStringValue(configFile, sectionName, "oidc_provider_base_url")
|
||||||
|
config.OAuth2OIDCProviderCheckIssuerURL = getConfigItemBoolValue(configFile, sectionName, "oidc_provider_check_issuer_url", true)
|
||||||
config.OAuth2OIDCCustomDisplayNameConfig = getMultiLanguageContentConfig(configFile, sectionName, "enable_oidc_display_name", "oidc_custom_display_name")
|
config.OAuth2OIDCCustomDisplayNameConfig = getMultiLanguageContentConfig(configFile, sectionName, "enable_oidc_display_name", "oidc_custom_display_name")
|
||||||
config.OAuth2NextcloudBaseUrl = getConfigItemStringValue(configFile, sectionName, "nextcloud_base_url")
|
config.OAuth2NextcloudBaseUrl = getConfigItemStringValue(configFile, sectionName, "nextcloud_base_url")
|
||||||
config.OAuth2GiteaBaseUrl = getConfigItemStringValue(configFile, sectionName, "gitea_base_url")
|
config.OAuth2GiteaBaseUrl = getConfigItemStringValue(configFile, sectionName, "gitea_base_url")
|
||||||
|
|||||||
Reference in New Issue
Block a user