Display errors during IDP authentication (#685)

This commit is contained in:
Lenin Alevski
2021-04-06 00:38:11 -07:00
committed by GitHub
parent 68ea3b5d05
commit 7b4254f525
12 changed files with 87 additions and 42 deletions

View File

@@ -66,3 +66,13 @@ var defaultSaltForIdpHmac = utils.RandomCharString(64)
func getSaltForIdpHmac() string {
return env.Get(ConsoleIdpHmacSalt, defaultSaltForIdpHmac)
}
// getIdpScopes return default scopes during the IDP login request
func getIdpScopes() string {
return env.Get(ConsoleIDPScopes, "openid,profile,app_metadata,user_metadata,email")
}
// getIdpTokenExpiration return default token expiration for access token (in seconds)
func getIdpTokenExpiration() string {
return env.Get(ConsoleIDPTokenExpiration, "3600")
}

View File

@@ -18,11 +18,13 @@ package oauth2
const (
// const for idp configuration
ConsoleMinIOServer = "CONSOLE_MINIO_SERVER"
ConsoleIdpURL = "CONSOLE_IDP_URL"
ConsoleIdpClientID = "CONSOLE_IDP_CLIENT_ID"
ConsoleIdpSecret = "CONSOLE_IDP_SECRET"
ConsoleIdpCallbackURL = "CONSOLE_IDP_CALLBACK"
ConsoleIdpHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE"
ConsoleIdpHmacSalt = "CONSOLE_IDP_HMAC_SALT"
ConsoleMinIOServer = "CONSOLE_MINIO_SERVER"
ConsoleIdpURL = "CONSOLE_IDP_URL"
ConsoleIdpClientID = "CONSOLE_IDP_CLIENT_ID"
ConsoleIdpSecret = "CONSOLE_IDP_SECRET"
ConsoleIdpCallbackURL = "CONSOLE_IDP_CALLBACK"
ConsoleIdpHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE"
ConsoleIdpHmacSalt = "CONSOLE_IDP_HMAC_SALT"
ConsoleIDPScopes = "CONSOLE_IDP_SCOPES"
ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION"
)

View File

@@ -25,6 +25,7 @@ import (
"log"
"net/http"
"net/url"
"strconv"
"strings"
"time"
@@ -115,12 +116,14 @@ func NewOauth2ProviderClient(ctx context.Context, scopes []string, httpClient *h
if err != nil {
return nil, err
}
// below verification should not be necessary if the user configure exactly the
// scopes he need, will be removed on a future release
if u.Host == "google.com" {
scopes = []string{oidc.ScopeOpenID}
}
// If provided scopes are empty we use a default list
// If provided scopes are empty we use a default list or the user configured list
if len(scopes) == 0 {
scopes = []string{oidc.ScopeOpenID, "profile", "app_metadata", "user_metadata", "email"}
scopes = strings.Split(getIdpScopes(), ",")
}
client := new(Provider)
client.oauth2Config = &xoauth2.Config{
@@ -177,9 +180,22 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)
return nil, errors.New("invalid token")
}
// expiration configured in the token itself
expiration := int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())
// check if user configured a hardcoded expiration for console via env variables
// and override the incoming expiration
userConfiguredExpiration := getIdpTokenExpiration()
if userConfiguredExpiration != "" {
expiration, _ = strconv.Atoi(userConfiguredExpiration)
}
idToken := oauth2Token.Extra("id_token")
if idToken == nil {
return nil, errors.New("returned token is missing id_token claim")
}
return &credentials.WebIdentityToken{
Token: oauth2Token.Extra("id_token").(string),
Expiry: int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds()),
Token: idToken.(string),
Expiry: expiration,
}, nil
}
stsEndpoint := GetSTSEndpoint()