New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add -skip-oidc-discovery option #41
Conversation
@tlawrie care to test this PR in your environment? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see my comment about rewriting this using the suggestion from go-oidc.
Would you be able to add some documentation on manually configuring the OIDC provider to the ReadMe please? Also, please add a suitable note to the changelog
options.go
Outdated
@@ -70,6 +73,9 @@ type Options struct { | |||
// potential overrides. | |||
Provider string `flag:"provider" cfg:"provider"` | |||
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"` | |||
SkipOidcDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"` | |||
OIDCUserInfoURL string `flag:"oidc-userinfo-url" cfg:"oidc_userinfo_url"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is needed? Is the userinfo URL actually used anywhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed, have removed it
options.go
Outdated
@@ -70,6 +73,9 @@ type Options struct { | |||
// potential overrides. | |||
Provider string `flag:"provider" cfg:"provider"` | |||
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"` | |||
SkipOidcDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we capitalise OIDC to be consistent
SkipOidcDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"` | |
SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed, have changed it
rebased to master, using oidc.NewVerifier now (which was actually pretty simple and already documented with an example in go-oidc itself). @tlawrie care to test the new changes? |
Fantastic. Myself and my colleague @costelmoraru will test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor nit then good to go
options.go
Outdated
|
||
ctx := context.Background() | ||
|
||
// Override discoverable provider data with a custom http.Client that fakes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment is now out of date, could you update it please
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done :)
@tlawrie did you have any chance to test yet? |
Co-Authored-By: marratj <marrat@marrat.de>
Co-Authored-By: marratj <marrat@marrat.de>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, I think this looks good, I'm out of office all week so definitely won't have time to test it myself so if someone else could verify the changes that would be good!
Hey @marratj , we tested out the Thank you for your help and contribution. |
@JoelSpeed @costelmoraru @tlawrie I guess we are good to go then? |
@marratj Thanks for your work on this! 🎉 |
* added karrieretutor go-oidc fork for using an AAD B2C Policy * added karrieretutor go-oidc fork for using an AAD B2C Policy * added --skip-oidc-discovery option * added --skip-oidc-discovery option * add simple test for skip-oidc-discovery option * revert Dockerfile to pusher upstream * revert Dockerfile to pusher upstream * remove karrieretutor b2c option leftover * remove karrieretutor b2c option leftover * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * replace fake http client with NewProvider() from go-oidc * remove OIDC UserInfo URL option (not required) * add info about -skip-oidc-discovery to README * add note to changelog * Update outdated comment
This reverts commit 8816a2a.
@marratj does this mean oauth2_proxy fully supports Azure AD B2C now? Is there any documentation on how I can setup oauth2_proxy to work with B2C? Or should I just refer the documentation for the Azure AD provider at https://pusher.github.io/oauth2_proxy/auth-configuration#azure-auth-provider |
@harindaka yes, this fully works now, provider to use is the OIDC one, here is a config that we use:
For |
Description
This PR adds the option to skip OIDC discovery by go-oidc and instead manually configure Authorization, Token and JWKS URI endpoints.
Motivation and Context
Fixes #27
Some OIDC providers either do not have a discovery endpoint (non-standard Enterprise solutions) or require additional URL parameters for specific user journey policies to be supplied (Microsoft Azure AD B2C).
go-oidc calls the fixed
/.well-known/openid-configuration
endpoint of the configured OIDC issuer. When there is no issuer or when there are multiple policies defined via additional parameters, this method cannot be relied upon.Fortunately, go-oidc provides the possibility to use a custom HTTP client via a client context. With this, we supply go-oidc with a "fake" HTTP client that always returns the manually configured Auth,Token and JWKS endpoints in a JSON response when it calls the discovery endpoint.
How Has This Been Tested?
I tested this with Microsoft Azure AD B2C as OIDC Provider which uses an additional URL parameter for custom User Journeys. Manually setting the OIDC endpoints to a particular policy returns the proper user journey
Checklist: