Add -skip-oidc-discovery option

[marratj]

Description

This PR adds the option to skip OIDC discovery by go-oidc and instead manually configure Authorization, Token and JWKS URI endpoints.

Motivation and Context

Fixes #27

Some OIDC providers either do not have a discovery endpoint (non-standard Enterprise solutions) or require additional URL parameters for specific user journey policies to be supplied (Microsoft Azure AD B2C).

go-oidc calls the fixed /.well-known/openid-configuration endpoint of the configured OIDC issuer. When there is no issuer or when there are multiple policies defined via additional parameters, this method cannot be relied upon.

Fortunately, go-oidc provides the possibility to use a custom HTTP client via a client context. With this, we supply go-oidc with a "fake" HTTP client that always returns the manually configured Auth,Token and JWKS endpoints in a JSON response when it calls the discovery endpoint.

How Has This Been Tested?

I tested this with Microsoft Azure AD B2C as OIDC Provider which uses an additional URL parameter for custom User Journeys. Manually setting the OIDC endpoints to a particular policy returns the proper user journey

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[marratj]

@tlawrie care to test this PR in your environment?

[JoelSpeed]

Please see my comment about rewriting this using the suggestion from go-oidc.

Would you be able to add some documentation on manually configuring the OIDC provider to the ReadMe please? Also, please add a suitable note to the changelog

[JoelSpeed]

I don't think this is needed? Is the userinfo URL actually used anywhere?

[marratj]

agreed, have removed it

[JoelSpeed]

Can we capitalise OIDC to be consistent

Suggested change

	SkipOidcDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`
	SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`

[marratj]

agreed, have changed it

[marratj]

rebased to master, using oidc.NewVerifier now (which was actually pretty simple and already documented with an example in go-oidc itself).

@tlawrie care to test the new changes?

[tlawrie]

Fantastic. Myself and my colleague @costelmoraru will test

[JoelSpeed]

One minor nit then good to go

[JoelSpeed]

This comment is now out of date, could you update it please

[marratj]

done :)

[marratj]

@tlawrie did you have any chance to test yet?
@JoelSpeed when @tlawrie finished his tests, this should be good to merge?

[JoelSpeed]

Yep, I think this looks good, I'm out of office all week so definitely won't have time to test it myself so if someone else could verify the changes that would be good!

[costelmoraru]

Hey @marratj , we tested out the -skip-oidc-discovery option on a ICP 2.3.0.1 and ICP 3.1.1 and it works correctly.

Thank you for your help and contribution.

[marratj]

@JoelSpeed @costelmoraru @tlawrie

I guess we are good to go then?

[JoelSpeed]

@marratj Thanks for your work on this! 🎉

[harindaka]

@marratj does this mean oauth2_proxy fully supports Azure AD B2C now? Is there any documentation on how I can setup oauth2_proxy to work with B2C? Or should I just refer the documentation for the Azure AD provider at https://pusher.github.io/oauth2_proxy/auth-configuration#azure-auth-provider

[marratj]

@harindaka yes, this fully works now, provider to use is the OIDC one, here is a config that we use:

provider = "oidc"
oidc_issuer_url = "https://login.microsoftonline.com/{tenant-id}/v2.0/"
scope = "{B2C-app-id} openid offline_access"

skip_oidc_discovery = true
login_url = "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?p=b2c_1a_policyname"
redeem_url = "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token?p=b2c_1a_policyname"
oidc_jwks_url = "https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys?p=b2c_1a_policyname"

For {tenant-id}, use the ID of the tenant (the long UUID one), not the tenant domain (although the latter should work, but we had some issues with that in the past).