NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitbbc1a9a

authored

fix: useUserInfo endpoint with OIDC (#5735)

This resolves a user issue surfaced in Discord:https://discord.com/channels/747933592273027093/1064566338875576361/1064566338875576361Both methods of obtaining claims need to be used accordingto the OIDC specification.

1 parent592ce3b commitbbc1a9aCopy full SHA for bbc1a9a

File tree

4 files changed

+89

-24

lines changed

cli
- server.go
coderd
- coderdtest
  - coderdtest.go
- userauth.go
- userauth_test.go

4 files changed

+89

-24

lines changed

`‎cli/server.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -543,6 +543,7 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`543`	`543`	`Endpoint:oidcProvider.Endpoint(),`
`544`	`544`	`Scopes:cfg.OIDC.Scopes.Value,`
`545`	`545`	`},`
	`546`	`+Provider:oidcProvider,`
`546`	`547`	`Verifier:oidcProvider.Verifier(&oidc.Config{`
`547`	`548`	`ClientID:cfg.OIDC.ClientID.Value,`
`548`	`549`	`}),`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 18 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -887,14 +887,31 @@ func (o OIDCConfig) EncodeClaims(t testing.T, claims jwt.MapClaims) string {`
`887`	`887`	`returnbase64.StdEncoding.EncodeToString([]byte(signed))`
`888`	`888`	`}`
`889`	`889`
`890`		`-func (oOIDCConfig)OIDCConfig()coderd.OIDCConfig {`
	`890`	`+func (oOIDCConfig)OIDCConfig(ttesting.T,userInfoClaims jwt.MapClaims)*coderd.OIDCConfig {`
	`891`	`+// By default, the provider can be empty.`
	`892`	`+// This means it won't support any endpoints!`
	`893`	`+provider:=&oidc.Provider{}`
	`894`	`+ifuserInfoClaims!=nil {`
	`895`	`+resp,err:=json.Marshal(userInfoClaims)`
	`896`	`+require.NoError(t,err)`
	`897`	`+srv:=httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter,r*http.Request) {`
	`898`	`+w.WriteHeader(http.StatusOK)`
	`899`	`+_,_=w.Write(resp)`
	`900`	`+}))`
	`901`	`+t.Cleanup(srv.Close)`
	`902`	`+cfg:=&oidc.ProviderConfig{`
	`903`	`+UserInfoURL:srv.URL,`
	`904`	`+}`
	`905`	`+provider=cfg.NewProvider(context.Background())`
	`906`	`+}`
`891`	`907`	`return&coderd.OIDCConfig{`
`892`	`908`	`OAuth2Config:o,`
`893`	`909`	`Verifier:oidc.NewVerifier(o.issuer,&oidc.StaticKeySet{`
`894`	`910`	`PublicKeys: []crypto.PublicKey{o.key.Public()},`
`895`	`911`	`},&oidc.Config{`
`896`	`912`	`SkipClientIDCheck:true,`
`897`	`913`	`}),`
	`914`	`+Provider:provider,`
`898`	`915`	`UsernameField:"preferred_username",`
`899`	`916`	`}`
`900`	`917`	`}`

`‎coderd/userauth.go`

Lines changed: 30 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -204,6 +204,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`204`	`204`	`typeOIDCConfigstruct {`
`205`	`205`	`httpmw.OAuth2Config`
`206`	`206`
	`207`	`+Provider*oidc.Provider`
`207`	`208`	`Verifier*oidc.IDTokenVerifier`
`208`	`209`	`// EmailDomains are the domains to enforce when a user authenticates.`
`209`	`210`	`EmailDomain []string`
`@@ -258,6 +259,35 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`258`	`259`	`})`
`259`	`260`	`return`
`260`	`261`	`}`
	`262`	`+`
	`263`	+// Not all claims are necessarily embedded in the `id_token`.
	`264`	`+// In GitLab, the username is left empty and must be fetched in UserInfo.`
	`265`	`+//`
	`266`	`+// The OIDC specification says claims can be in either place, so we fetch`
	`267`	`+// user info and merge the two claim sets to be sure we have all of`
	`268`	`+// the correct data.`
	`269`	`+userInfo,err:=api.OIDCConfig.Provider.UserInfo(ctx,oauth2.StaticTokenSource(state.Token))`
	`270`	`+iferr==nil {`
	`271`	`+userInfoClaims:=map[string]interface{}{}`
	`272`	`+err=userInfo.Claims(&userInfoClaims)`
	`273`	`+iferr!=nil {`
	`274`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`275`	`+Message:"Failed to unmarshal user info claims.",`
	`276`	`+Detail:err.Error(),`
	`277`	`+})`
	`278`	`+return`
	`279`	`+}`
	`280`	`+fork,v:=rangeuserInfoClaims {`
	`281`	`+claims[k]=v`
	`282`	`+}`
	`283`	`+}elseif!strings.Contains(err.Error(),"user info endpoint is not supported by this provider") {`
	`284`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`285`	`+Message:"Failed to obtain user information claims.",`
	`286`	+Detail:"The OIDC provider returned no claims as part of the `id_token`. The attempt to fetch claims via the UserInfo endpoint failed: "+err.Error(),
	`287`	`+})`
	`288`	`+return`
	`289`	`+}`
	`290`	`+`
`261`	`291`	`usernameRaw,ok:=claims[api.OIDCConfig.UsernameField]`
`262`	`292`	`varusernamestring`
`263`	`293`	`ifok {`

`‎coderd/userauth_test.go`

Lines changed: 40 additions & 23 deletions

Original file line number	Diff line number	Diff line change
`@@ -480,7 +480,8 @@ func TestUserOIDC(t *testing.T) {`
`480`	`480`
`481`	`481`	`for_,tc:=range []struct {`
`482`	`482`	`Namestring`
`483`		`-Claims jwt.MapClaims`
	`483`	`+IDTokenClaims jwt.MapClaims`
	`484`	`+UserInfoClaims jwt.MapClaims`
`484`	`485`	`AllowSignupsbool`
`485`	`486`	`EmailDomain []string`
`486`	`487`	`Usernamestring`
`@@ -489,31 +490,31 @@ func TestUserOIDC(t *testing.T) {`
`489`	`490`	`IgnoreEmailVerifiedbool`
`490`	`491`	`}{{`
`491`	`492`	`Name:"EmailOnly",`
`492`		`-Claims: jwt.MapClaims{`
	`493`	`+IDTokenClaims: jwt.MapClaims{`
`493`	`494`	`"email":"kyle@kwc.io",`
`494`	`495`	`},`
`495`	`496`	`AllowSignups:true,`
`496`	`497`	`StatusCode:http.StatusTemporaryRedirect,`
`497`	`498`	`Username:"kyle",`
`498`	`499`	`}, {`
`499`	`500`	`Name:"EmailNotVerified",`
`500`		`-Claims: jwt.MapClaims{`
	`501`	`+IDTokenClaims: jwt.MapClaims{`
`501`	`502`	`"email":"kyle@kwc.io",`
`502`	`503`	`"email_verified":false,`
`503`	`504`	`},`
`504`	`505`	`AllowSignups:true,`
`505`	`506`	`StatusCode:http.StatusForbidden,`
`506`	`507`	`}, {`
`507`	`508`	`Name:"EmailNotAString",`
`508`		`-Claims: jwt.MapClaims{`
	`509`	`+IDTokenClaims: jwt.MapClaims{`
`509`	`510`	`"email":3.14159,`
`510`	`511`	`"email_verified":false,`
`511`	`512`	`},`
`512`	`513`	`AllowSignups:true,`
`513`	`514`	`StatusCode:http.StatusBadRequest,`
`514`	`515`	`}, {`
`515`	`516`	`Name:"EmailNotVerifiedIgnored",`
`516`		`-Claims: jwt.MapClaims{`
	`517`	`+IDTokenClaims: jwt.MapClaims{`
`517`	`518`	`"email":"kyle@kwc.io",`
`518`	`519`	`"email_verified":false,`
`519`	`520`	`},`
`@@ -523,7 +524,7 @@ func TestUserOIDC(t *testing.T) {`
`523`	`524`	`IgnoreEmailVerified:true,`
`524`	`525`	`}, {`
`525`	`526`	`Name:"NotInRequiredEmailDomain",`
`526`		`-Claims: jwt.MapClaims{`
	`527`	`+IDTokenClaims: jwt.MapClaims{`
`527`	`528`	`"email":"kyle@kwc.io",`
`528`	`529`	`"email_verified":true,`
`529`	`530`	`},`
`@@ -534,7 +535,7 @@ func TestUserOIDC(t *testing.T) {`
`534`	`535`	`StatusCode:http.StatusForbidden,`
`535`	`536`	`}, {`
`536`	`537`	`Name:"EmailDomainCaseInsensitive",`
`537`		`-Claims: jwt.MapClaims{`
	`538`	`+IDTokenClaims: jwt.MapClaims{`
`538`	`539`	`"email":"kyle@KWC.io",`
`539`	`540`	`"email_verified":true,`
`540`	`541`	`},`
`@@ -544,20 +545,20 @@ func TestUserOIDC(t *testing.T) {`
`544`	`545`	`},`
`545`	`546`	`StatusCode:http.StatusTemporaryRedirect,`
`546`	`547`	`}, {`
`547`		`-Name:"EmptyClaims",`
`548`		`-Claims: jwt.MapClaims{},`
`549`		`-AllowSignups:true,`
`550`		`-StatusCode:http.StatusBadRequest,`
	`548`	`+Name:"EmptyClaims",`
	`549`	`+IDTokenClaims: jwt.MapClaims{},`
	`550`	`+AllowSignups:true,`
	`551`	`+StatusCode:http.StatusBadRequest,`
`551`	`552`	`}, {`
`552`	`553`	`Name:"NoSignups",`
`553`		`-Claims: jwt.MapClaims{`
	`554`	`+IDTokenClaims: jwt.MapClaims{`
`554`	`555`	`"email":"kyle@kwc.io",`
`555`	`556`	`"email_verified":true,`
`556`	`557`	`},`
`557`	`558`	`StatusCode:http.StatusForbidden,`
`558`	`559`	`}, {`
`559`	`560`	`Name:"UsernameFromEmail",`
`560`		`-Claims: jwt.MapClaims{`
	`561`	`+IDTokenClaims: jwt.MapClaims{`
`561`	`562`	`"email":"kyle@kwc.io",`
`562`	`563`	`"email_verified":true,`
`563`	`564`	`},`
`@@ -566,7 +567,7 @@ func TestUserOIDC(t *testing.T) {`
`566`	`567`	`StatusCode:http.StatusTemporaryRedirect,`
`567`	`568`	`}, {`
`568`	`569`	`Name:"UsernameFromClaims",`
`569`		`-Claims: jwt.MapClaims{`
	`570`	`+IDTokenClaims: jwt.MapClaims{`
`570`	`571`	`"email":"kyle@kwc.io",`
`571`	`572`	`"email_verified":true,`
`572`	`573`	`"preferred_username":"hotdog",`
`@@ -578,7 +579,7 @@ func TestUserOIDC(t *testing.T) {`
`578`	`579`	`// Services like Okta return the email as the username:`
`579`	`580`	`// https://developer.okta.com/docs/reference/api/oidc/#base-claims-always-present`
`580`	`581`	`Name:"UsernameAsEmail",`
`581`		`-Claims: jwt.MapClaims{`
	`582`	`+IDTokenClaims: jwt.MapClaims{`
`582`	`583`	`"email":"kyle@kwc.io",`
`583`	`584`	`"email_verified":true,`
`584`	`585`	`"preferred_username":"kyle@kwc.io",`
`@@ -589,21 +590,35 @@ func TestUserOIDC(t *testing.T) {`
`589`	`590`	`}, {`
`590`	`591`	`// See: https://github.com/coder/coder/issues/4472`
`591`	`592`	`Name:"UsernameIsEmail",`
`592`		`-Claims: jwt.MapClaims{`
	`593`	`+IDTokenClaims: jwt.MapClaims{`
`593`	`594`	`"preferred_username":"kyle@kwc.io",`
`594`	`595`	`},`
`595`	`596`	`Username:"kyle",`
`596`	`597`	`AllowSignups:true,`
`597`	`598`	`StatusCode:http.StatusTemporaryRedirect,`
`598`	`599`	`}, {`
`599`	`600`	`Name:"WithPicture",`
`600`		`-Claims: jwt.MapClaims{`
	`601`	`+IDTokenClaims: jwt.MapClaims{`
	`602`	`+"email":"kyle@kwc.io",`
	`603`	`+"email_verified":true,`
	`604`	`+"preferred_username":"kyle",`
	`605`	`+"picture":"/example.png",`
	`606`	`+},`
	`607`	`+Username:"kyle",`
	`608`	`+AllowSignups:true,`
	`609`	`+AvatarURL:"/example.png",`
	`610`	`+StatusCode:http.StatusTemporaryRedirect,`
	`611`	`+}, {`
	`612`	`+Name:"WithUserInfoClaims",`
	`613`	`+IDTokenClaims: jwt.MapClaims{`
`601`	`614`	`"email":"kyle@kwc.io",`
`602`	`615`	`"email_verified":true,`
`603`		`-"username":"kyle",`
`604`		`-"picture":"/example.png",`
`605`	`616`	`},`
`606`		`-Username:"kyle",`
	`617`	`+UserInfoClaims: jwt.MapClaims{`
	`618`	`+"preferred_username":"potato",`
	`619`	`+"picture":"/example.png",`
	`620`	`+},`
	`621`	`+Username:"potato",`
`607`	`622`	`AllowSignups:true,`
`608`	`623`	`AvatarURL:"/example.png",`
`609`	`624`	`StatusCode:http.StatusTemporaryRedirect,`
`@@ -613,15 +628,15 @@ func TestUserOIDC(t *testing.T) {`
`613`	`628`	`t.Parallel()`
`614`	`629`	`conf:=coderdtest.NewOIDCConfig(t,"")`
`615`	`630`
`616`		`-config:=conf.OIDCConfig()`
	`631`	`+config:=conf.OIDCConfig(t,tc.UserInfoClaims)`
`617`	`632`	`config.AllowSignups=tc.AllowSignups`
`618`	`633`	`config.EmailDomain=tc.EmailDomain`
`619`	`634`	`config.IgnoreEmailVerified=tc.IgnoreEmailVerified`
`620`	`635`
`621`	`636`	`client:=coderdtest.New(t,&coderdtest.Options{`
`622`	`637`	`OIDCConfig:config,`
`623`	`638`	`})`
`624`		`-resp:=oidcCallback(t,client,conf.EncodeClaims(t,tc.Claims))`
	`639`	`+resp:=oidcCallback(t,client,conf.EncodeClaims(t,tc.IDTokenClaims))`
`625`	`640`	`assert.Equal(t,tc.StatusCode,resp.StatusCode)`
`626`	`641`
`627`	`642`	`ctx,_:=testutil.Context(t)`
`@@ -647,7 +662,7 @@ func TestUserOIDC(t *testing.T) {`
`647`	`662`
`648`	`663`	`conf:=coderdtest.NewOIDCConfig(t,"")`
`649`	`664`
`650`		`-config:=conf.OIDCConfig()`
	`665`	`+config:=conf.OIDCConfig(t,nil)`
`651`	`666`	`config.AllowSignups=true`
`652`	`667`
`653`	`668`	`client:=coderdtest.New(t,&coderdtest.Options{`
`@@ -705,6 +720,7 @@ func TestUserOIDC(t *testing.T) {`
`705`	`720`	`verifier:=oidc.NewVerifier("",&oidc.StaticKeySet{`
`706`	`721`	`PublicKeys: []crypto.PublicKey{},`
`707`	`722`	`},&oidc.Config{})`
	`723`	`+provider:=&oidc.Provider{}`
`708`	`724`
`709`	`725`	`client:=coderdtest.New(t,&coderdtest.Options{`
`710`	`726`	`OIDCConfig:&coderd.OIDCConfig{`
`@@ -715,6 +731,7 @@ func TestUserOIDC(t *testing.T) {`
`715`	`731`	`"id_token":"invalid",`
`716`	`732`	`}),`
`717`	`733`	`},`
	`734`	`+Provider:provider,`
`718`	`735`	`Verifier:verifier,`
`719`	`736`	`},`
`720`	`737`	`})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbbc1a9a

File tree

4 files changed

4 files changed

`‎cli/server.go`

`‎coderd/coderdtest/coderdtest.go`

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

0 commit comments