NotificationsYou must be signed in to change notification settings
Fork907
Star10k

Commitd0a534e

authored

chore: prevent authentication of non-unique oidc subjects (#16498)

Any IdP returning an empty field here breaks the assumption of aunique subject id. This is defined in the OIDC spec.

1 parent695d552 commitd0a534eCopy full SHA for d0a534e

File tree

6 files changed

+92

-1

lines changed

coderd
- oauthpki
  - okidcpki_test.go
- userauth.go
- userauth_test.go
- users_test.go
enterprise/coderd
- scim_test.go
- userauth_test.go

6 files changed

+92

-1

lines changed

`‎coderd/oauthpki/okidcpki_test.go`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ import (`
`13`	`13`
`14`	`14`	`"github.com/coreos/go-oidc/v3/oidc"`
`15`	`15`	`"github.com/golang-jwt/jwt/v4"`
	`16`	`+"github.com/google/uuid"`
`16`	`17`	`"github.com/stretchr/testify/assert"`
`17`	`18`	`"github.com/stretchr/testify/require"`
`18`	`19`	`"golang.org/x/oauth2"`
`@@ -169,6 +170,7 @@ func TestAzureAKPKIWithCoderd(t *testing.T) {`
`169`	`170`	`constemail="alice@coder.com"`
`170`	`171`	`claims:= jwt.MapClaims{`
`171`	`172`	`"email":email,`
	`173`	`+"sub":uuid.NewString(),`
`172`	`174`	`}`
`173`	`175`	`helper:=oidctest.NewLoginHelper(owner,fake)`
`174`	`176`	`user,_:=helper.Login(t,claims)`

`‎coderd/userauth.go`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1112,6 +1112,20 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`1112`	`1112`	`return`
`1113`	`1113`	`}`
`1114`	`1114`
	`1115`	`+ifidToken.Subject=="" {`
	`1116`	`+logger.Error(ctx,"oauth2: missing 'sub' claim field in OIDC token",`
	`1117`	`+slog.F("source","id_token"),`
	`1118`	`+slog.F("claim_fields",claimFields(idtokenClaims)),`
	`1119`	`+slog.F("blank",blankFields(idtokenClaims)),`
	`1120`	`+)`
	`1121`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`1122`	`+Message:"OIDC token missing 'sub' claim field or 'sub' claim field is empty.",`
	`1123`	`+Detail:"'sub' claim field is required to be unique for all users by a given issue, "+`
	`1124`	`+"an empty field is invalid and this authentication attempt is rejected.",`
	`1125`	`+})`
	`1126`	`+return`
	`1127`	`+}`
	`1128`	`+`
`1115`	`1129`	`logger.Debug(ctx,"got oidc claims",`
`1116`	`1130`	`slog.F("source","id_token"),`
`1117`	`1131`	`slog.F("claim_fields",claimFields(idtokenClaims)),`

`‎coderd/userauth_test.go`

Lines changed: 41 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ func TestOIDCOauthLoginWithExisting(t *testing.T) {`
`72`	`72`	`"email":"alice@coder.com",`
`73`	`73`	`"email_verified":true,`
`74`	`74`	`"preferred_username":username,`
	`75`	`+"sub":uuid.NewString(),`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`helper:=oidctest.NewLoginHelper(client,fake)`
`@@ -899,10 +900,19 @@ func TestUserOIDC(t *testing.T) {`
`899`	`900`	`IgnoreEmailVerifiedbool`
`900`	`901`	`IgnoreUserInfobool`
`901`	`902`	`}{`
	`903`	`+{`
	`904`	`+Name:"NoSub",`
	`905`	`+IDTokenClaims: jwt.MapClaims{`
	`906`	`+"email":"kyle@kwc.io",`
	`907`	`+},`
	`908`	`+AllowSignups:true,`
	`909`	`+StatusCode:http.StatusBadRequest,`
	`910`	`+},`
`902`	`911`	`{`
`903`	`912`	`Name:"EmailOnly",`
`904`	`913`	`IDTokenClaims: jwt.MapClaims{`
`905`	`914`	`"email":"kyle@kwc.io",`
	`915`	`+"sub":uuid.NewString(),`
`906`	`916`	`},`
`907`	`917`	`AllowSignups:true,`
`908`	`918`	`StatusCode:http.StatusOK,`
`@@ -915,6 +925,7 @@ func TestUserOIDC(t *testing.T) {`
`915`	`925`	`IDTokenClaims: jwt.MapClaims{`
`916`	`926`	`"email":"kyle@kwc.io",`
`917`	`927`	`"email_verified":false,`
	`928`	`+"sub":uuid.NewString(),`
`918`	`929`	`},`
`919`	`930`	`AllowSignups:true,`
`920`	`931`	`StatusCode:http.StatusForbidden,`
`@@ -924,6 +935,7 @@ func TestUserOIDC(t *testing.T) {`
`924`	`935`	`IDTokenClaims: jwt.MapClaims{`
`925`	`936`	`"email":3.14159,`
`926`	`937`	`"email_verified":false,`
	`938`	`+"sub":uuid.NewString(),`
`927`	`939`	`},`
`928`	`940`	`AllowSignups:true,`
`929`	`941`	`StatusCode:http.StatusBadRequest,`
`@@ -933,6 +945,7 @@ func TestUserOIDC(t *testing.T) {`
`933`	`945`	`IDTokenClaims: jwt.MapClaims{`
`934`	`946`	`"email":"kyle@kwc.io",`
`935`	`947`	`"email_verified":false,`
	`948`	`+"sub":uuid.NewString(),`
`936`	`949`	`},`
`937`	`950`	`AllowSignups:true,`
`938`	`951`	`StatusCode:http.StatusOK,`
`@@ -946,6 +959,7 @@ func TestUserOIDC(t *testing.T) {`
`946`	`959`	`IDTokenClaims: jwt.MapClaims{`
`947`	`960`	`"email":"kyle@kwc.io",`
`948`	`961`	`"email_verified":true,`
	`962`	`+"sub":uuid.NewString(),`
`949`	`963`	`},`
`950`	`964`	`AllowSignups:true,`
`951`	`965`	`EmailDomain: []string{`
`@@ -958,6 +972,7 @@ func TestUserOIDC(t *testing.T) {`
`958`	`972`	`IDTokenClaims: jwt.MapClaims{`
`959`	`973`	`"email":"cian@coder.com",`
`960`	`974`	`"email_verified":true,`
	`975`	`+"sub":uuid.NewString(),`
`961`	`976`	`},`
`962`	`977`	`AllowSignups:true,`
`963`	`978`	`EmailDomain: []string{`
`@@ -970,6 +985,7 @@ func TestUserOIDC(t *testing.T) {`
`970`	`985`	`IDTokenClaims: jwt.MapClaims{`
`971`	`986`	`"email":"kyle@kwc.io",`
`972`	`987`	`"email_verified":true,`
	`988`	`+"sub":uuid.NewString(),`
`973`	`989`	`},`
`974`	`990`	`AllowSignups:true,`
`975`	`991`	`EmailDomain: []string{`
`@@ -982,6 +998,7 @@ func TestUserOIDC(t *testing.T) {`
`982`	`998`	`IDTokenClaims: jwt.MapClaims{`
`983`	`999`	`"email":"kyle@KWC.io",`
`984`	`1000`	`"email_verified":true,`
	`1001`	`+"sub":uuid.NewString(),`
`985`	`1002`	`},`
`986`	`1003`	`AllowSignups:true,`
`987`	`1004`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`@@ -997,6 +1014,7 @@ func TestUserOIDC(t *testing.T) {`
`997`	`1014`	`IDTokenClaims: jwt.MapClaims{`
`998`	`1015`	`"email":"colin@gmail.com",`
`999`	`1016`	`"email_verified":true,`
	`1017`	`+"sub":uuid.NewString(),`
`1000`	`1018`	`},`
`1001`	`1019`	`AllowSignups:true,`
`1002`	`1020`	`EmailDomain: []string{`
`@@ -1015,6 +1033,7 @@ func TestUserOIDC(t *testing.T) {`
`1015`	`1033`	`IDTokenClaims: jwt.MapClaims{`
`1016`	`1034`	`"email":"kyle@kwc.io",`
`1017`	`1035`	`"email_verified":true,`
	`1036`	`+"sub":uuid.NewString(),`
`1018`	`1037`	`},`
`1019`	`1038`	`StatusCode:http.StatusForbidden,`
`1020`	`1039`	`},`
`@@ -1023,6 +1042,7 @@ func TestUserOIDC(t *testing.T) {`
`1023`	`1042`	`IDTokenClaims: jwt.MapClaims{`
`1024`	`1043`	`"email":"kyle@kwc.io",`
`1025`	`1044`	`"email_verified":true,`
	`1045`	`+"sub":uuid.NewString(),`
`1026`	`1046`	`},`
`1027`	`1047`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1028`	`1048`	`assert.Equal(t,"kyle",u.Username)`
`@@ -1036,6 +1056,7 @@ func TestUserOIDC(t *testing.T) {`
`1036`	`1056`	`"email":"kyle@kwc.io",`
`1037`	`1057`	`"email_verified":true,`
`1038`	`1058`	`"preferred_username":"hotdog",`
	`1059`	`+"sub":uuid.NewString(),`
`1039`	`1060`	`},`
`1040`	`1061`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1041`	`1062`	`assert.Equal(t,"hotdog",u.Username)`
`@@ -1049,6 +1070,7 @@ func TestUserOIDC(t *testing.T) {`
`1049`	`1070`	`"email":"kyle@kwc.io",`
`1050`	`1071`	`"email_verified":true,`
`1051`	`1072`	`"name":"Hot Dog",`
	`1073`	`+"sub":uuid.NewString(),`
`1052`	`1074`	`},`
`1053`	`1075`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1054`	`1076`	`assert.Equal(t,"Hot Dog",u.Name)`
`@@ -1065,6 +1087,7 @@ func TestUserOIDC(t *testing.T) {`
`1065`	`1087`	`// However, we should not fail to log someone in if their name is too long.`
`1066`	`1088`	`// Just truncate it.`
`1067`	`1089`	`"name":strings.Repeat("a",129),`
	`1090`	`+"sub":uuid.NewString(),`
`1068`	`1091`	`},`
`1069`	`1092`	`AllowSignups:true,`
`1070`	`1093`	`StatusCode:http.StatusOK,`
`@@ -1080,6 +1103,7 @@ func TestUserOIDC(t *testing.T) {`
`1080`	`1103`	`// Full names must not have leading or trailing whitespace, but this is a`
`1081`	`1104`	`// daft reason to fail a login.`
`1082`	`1105`	`"name":" Bobby Whitespace ",`
	`1106`	`+"sub":uuid.NewString(),`
`1083`	`1107`	`},`
`1084`	`1108`	`AllowSignups:true,`
`1085`	`1109`	`StatusCode:http.StatusOK,`
`@@ -1096,6 +1120,7 @@ func TestUserOIDC(t *testing.T) {`
`1096`	`1120`	`"email_verified":true,`
`1097`	`1121`	`"name":"Kylium Carbonate",`
`1098`	`1122`	`"preferred_username":"kyle@kwc.io",`
	`1123`	`+"sub":uuid.NewString(),`
`1099`	`1124`	`},`
`1100`	`1125`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1101`	`1126`	`assert.Equal(t,"kyle",u.Username)`
`@@ -1108,6 +1133,7 @@ func TestUserOIDC(t *testing.T) {`
`1108`	`1133`	`Name:"UsernameIsEmail",`
`1109`	`1134`	`IDTokenClaims: jwt.MapClaims{`
`1110`	`1135`	`"preferred_username":"kyle@kwc.io",`
	`1136`	`+"sub":uuid.NewString(),`
`1111`	`1137`	`},`
`1112`	`1138`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1113`	`1139`	`assert.Equal(t,"kyle",u.Username)`
`@@ -1123,6 +1149,7 @@ func TestUserOIDC(t *testing.T) {`
`1123`	`1149`	`"email_verified":true,`
`1124`	`1150`	`"preferred_username":"kyle",`
`1125`	`1151`	`"picture":"/example.png",`
	`1152`	`+"sub":uuid.NewString(),`
`1126`	`1153`	`},`
`1127`	`1154`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1128`	`1155`	`assert.Equal(t,"/example.png",u.AvatarURL)`
`@@ -1136,6 +1163,7 @@ func TestUserOIDC(t *testing.T) {`
`1136`	`1163`	`IDTokenClaims: jwt.MapClaims{`
`1137`	`1164`	`"email":"kyle@kwc.io",`
`1138`	`1165`	`"email_verified":true,`
	`1166`	`+"sub":uuid.NewString(),`
`1139`	`1167`	`},`
`1140`	`1168`	`UserInfoClaims: jwt.MapClaims{`
`1141`	`1169`	`"preferred_username":"potato",`
`@@ -1155,6 +1183,7 @@ func TestUserOIDC(t *testing.T) {`
`1155`	`1183`	`IDTokenClaims: jwt.MapClaims{`
`1156`	`1184`	`"email":"coolin@coder.com",`
`1157`	`1185`	`"groups": []string{"pingpong"},`
	`1186`	`+"sub":uuid.NewString(),`
`1158`	`1187`	`},`
`1159`	`1188`	`AllowSignups:true,`
`1160`	`1189`	`StatusCode:http.StatusOK,`
`@@ -1164,6 +1193,7 @@ func TestUserOIDC(t *testing.T) {`
`1164`	`1193`	`IDTokenClaims: jwt.MapClaims{`
`1165`	`1194`	`"email":"internaluser@internal.domain",`
`1166`	`1195`	`"email_verified":false,`
	`1196`	`+"sub":uuid.NewString(),`
`1167`	`1197`	`},`
`1168`	`1198`	`UserInfoClaims: jwt.MapClaims{`
`1169`	`1199`	`"email":"externaluser@external.domain",`
`@@ -1182,6 +1212,7 @@ func TestUserOIDC(t *testing.T) {`
`1182`	`1212`	`IDTokenClaims: jwt.MapClaims{`
`1183`	`1213`	`"email":"internaluser@internal.domain",`
`1184`	`1214`	`"email_verified":false,`
	`1215`	`+"sub":uuid.NewString(),`
`1185`	`1216`	`},`
`1186`	`1217`	`UserInfoClaims: jwt.MapClaims{`
`1187`	`1218`	`"email":1,`
`@@ -1197,6 +1228,7 @@ func TestUserOIDC(t *testing.T) {`
`1197`	`1228`	`"email_verified":true,`
`1198`	`1229`	`"name":"User McName",`
`1199`	`1230`	`"preferred_username":"user",`
	`1231`	`+"sub":uuid.NewString(),`
`1200`	`1232`	`},`
`1201`	`1233`	`UserInfoClaims: jwt.MapClaims{`
`1202`	`1234`	`"email":"user.mcname@external.domain",`
`@@ -1216,6 +1248,7 @@ func TestUserOIDC(t *testing.T) {`
`1216`	`1248`	`IDTokenClaims:inflateClaims(t, jwt.MapClaims{`
`1217`	`1249`	`"email":"user@domain.tld",`
`1218`	`1250`	`"email_verified":true,`
	`1251`	`+"sub":uuid.NewString(),`
`1219`	`1252`	`},65536),`
`1220`	`1253`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`1221`	`1254`	`assert.Equal(t,"user",u.Username)`
`@@ -1228,6 +1261,7 @@ func TestUserOIDC(t *testing.T) {`
`1228`	`1261`	`IDTokenClaims: jwt.MapClaims{`
`1229`	`1262`	`"email":"user@domain.tld",`
`1230`	`1263`	`"email_verified":true,`
	`1264`	`+"sub":uuid.NewString(),`
`1231`	`1265`	`},`
`1232`	`1266`	`UserInfoClaims:inflateClaims(t, jwt.MapClaims{},65536),`
`1233`	`1267`	`AssertUser:func(t testing.TB,u codersdk.User) {`
`@@ -1242,6 +1276,7 @@ func TestUserOIDC(t *testing.T) {`
`1242`	`1276`	`"iss":"https://mismatch.com",`
`1243`	`1277`	`"email":"user@domain.tld",`
`1244`	`1278`	`"email_verified":true,`
	`1279`	`+"sub":uuid.NewString(),`
`1245`	`1280`	`},`
`1246`	`1281`	`AllowSignups:true,`
`1247`	`1282`	`StatusCode:http.StatusBadRequest,`
`@@ -1331,6 +1366,7 @@ func TestUserOIDC(t *testing.T) {`
`1331`	`1366`
`1332`	`1367`	`client,resp:=fake.AttemptLogin(t,owner, jwt.MapClaims{`
`1333`	`1368`	`"email":user.Email,`
	`1369`	`+"sub":uuid.NewString(),`
`1334`	`1370`	`})`
`1335`	`1371`	`require.Equal(t,http.StatusOK,resp.StatusCode)`
`1336`	`1372`
`@@ -1369,6 +1405,7 @@ func TestUserOIDC(t *testing.T) {`
`1369`	`1405`
`1370`	`1406`	`claims:= jwt.MapClaims{`
`1371`	`1407`	`"email":userData.Email,`
	`1408`	`+"sub":uuid.NewString(),`
`1372`	`1409`	`}`
`1373`	`1410`	`varerrerror`
`1374`	`1411`	`user.HTTPClient.Jar,err=cookiejar.New(nil)`
`@@ -1439,6 +1476,7 @@ func TestUserOIDC(t *testing.T) {`
`1439`	`1476`
`1440`	`1477`	`claims:= jwt.MapClaims{`
`1441`	`1478`	`"email":userData.Email,`
	`1479`	`+"sub":uuid.NewString(),`
`1442`	`1480`	`}`
`1443`	`1481`	`user.HTTPClient.Jar,err=cookiejar.New(nil)`
`1444`	`1482`	`require.NoError(t,err)`
`@@ -1509,6 +1547,7 @@ func TestUserOIDC(t *testing.T) {`
`1509`	`1547`	`numLogs:=len(auditor.AuditLogs())`
`1510`	`1548`	`claims:= jwt.MapClaims{`
`1511`	`1549`	`"email":"jon@coder.com",`
	`1550`	`+"sub":uuid.NewString(),`
`1512`	`1551`	`}`
`1513`	`1552`
`1514`	`1553`	`userClient,_:=fake.Login(t,client,claims)`
`@@ -1629,6 +1668,7 @@ func TestUserOIDC(t *testing.T) {`
`1629`	`1668`	`claims:= jwt.MapClaims{`
`1630`	`1669`	`"email":"user@example.com",`
`1631`	`1670`	`"email_verified":true,`
	`1671`	`+"sub":uuid.NewString(),`
`1632`	`1672`	`}`
`1633`	`1673`
`1634`	`1674`	`// Perform the login`
`@@ -1794,6 +1834,7 @@ func TestOIDCSkipIssuer(t *testing.T) {`
`1794`	`1834`	`userClient,_:=fake.Login(t,owner, jwt.MapClaims{`
`1795`	`1835`	`"iss":secondaryURLString,`
`1796`	`1836`	`"email":"alice@coder.com",`
	`1837`	`+"sub":uuid.NewString(),`
`1797`	`1838`	`})`
`1798`	`1839`	`found,err:=userClient.User(ctx,"me")`
`1799`	`1840`	`require.NoError(t,err)`

`‎coderd/users_test.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -831,6 +831,7 @@ func TestPostUsers(t *testing.T) {`
`831`	`831`	`// Try to log in with OIDC.`
`832`	`832`	`userClient,_:=fake.Login(t,client, jwt.MapClaims{`
`833`	`833`	`"email":email,`
	`834`	`+"sub":uuid.NewString(),`
`834`	`835`	`})`
`835`	`836`
`836`	`837`	`found,err:=userClient.User(ctx,"me")`

`‎enterprise/coderd/scim_test.go`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import (`
`10`	`10`	`"testing"`
`11`	`11`
`12`	`12`	`"github.com/golang-jwt/jwt/v4"`
	`13`	`+"github.com/google/uuid"`
`13`	`14`	`"github.com/imulab/go-scim/pkg/v2/handlerutil"`
`14`	`15`	`"github.com/imulab/go-scim/pkg/v2/spec"`
`15`	`16`	`"github.com/stretchr/testify/assert"`
`@@ -568,6 +569,7 @@ func TestScim(t *testing.T) {`
`568`	`569`	`//nolint:bodyclose`
`569`	`570`	`scimUserClient,_:=fake.Login(t,client, jwt.MapClaims{`
`570`	`571`	`"email":sUser.Emails[0].Value,`
	`572`	`+"sub":uuid.NewString(),`
`571`	`573`	`})`
`572`	`574`	`scimUser,err=scimUserClient.User(ctx,codersdk.Me)`
`573`	`575`	`require.NoError(t,err)`
`@@ -836,6 +838,7 @@ func TestScim(t *testing.T) {`
`836`	`838`	`//nolint:bodyclose`
`837`	`839`	`scimUserClient,_:=fake.Login(t,client, jwt.MapClaims{`
`838`	`840`	`"email":sUser.Emails[0].Value,`
	`841`	`+"sub":uuid.NewString(),`
`839`	`842`	`})`
`840`	`843`	`scimUser,err=scimUserClient.User(ctx,codersdk.Me)`
`841`	`844`	`require.NoError(t,err)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd0a534e

File tree

6 files changed

6 files changed

`‎coderd/oauthpki/okidcpki_test.go`

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

`‎coderd/users_test.go`

`‎enterprise/coderd/scim_test.go`

0 commit comments