frp/pkg/auth/oidc.go

// Copyright 2020 guylewin, guy@lewin.co.il
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package auth

import (
	"context"
	"fmt"
	"slices"

	"github.com/coreos/go-oidc/v3/oidc"
	"golang.org/x/oauth2/clientcredentials"

	v1 "github.com/fatedier/frp/pkg/config/v1"
	"github.com/fatedier/frp/pkg/msg"
)

type OidcAuthProvider struct {
	additionalAuthScopes []v1.AuthScope

	tokenGenerator *clientcredentials.Config
}

func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClientConfig) *OidcAuthProvider {
	eps := make(map[string][]string)
	for k, v := range cfg.AdditionalEndpointParams {
		eps[k] = []string{v}
	}

	if cfg.Audience != "" {
		eps["audience"] = []string{cfg.Audience}
	}

	tokenGenerator := &clientcredentials.Config{
		ClientID:       cfg.ClientID,
		ClientSecret:   cfg.ClientSecret,
		Scopes:         []string{cfg.Scope},
		TokenURL:       cfg.TokenEndpointURL,
		EndpointParams: eps,
	}

	return &OidcAuthProvider{
		additionalAuthScopes: additionalAuthScopes,
		tokenGenerator:       tokenGenerator,
	}
}

func (auth *OidcAuthProvider) generateAccessToken() (accessToken string, err error) {
	tokenObj, err := auth.tokenGenerator.Token(context.Background())
	if err != nil {
		return "", fmt.Errorf("couldn't generate OIDC token for login: %v", err)
	}
	return tokenObj.AccessToken, nil
}

func (auth *OidcAuthProvider) SetLogin(loginMsg *msg.Login) (err error) {
	loginMsg.PrivilegeKey, err = auth.generateAccessToken()
	return err
}

func (auth *OidcAuthProvider) SetPing(pingMsg *msg.Ping) (err error) {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
		return nil
	}

	pingMsg.PrivilegeKey, err = auth.generateAccessToken()
	return err
}

func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (err error) {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
		return nil
	}

	newWorkConnMsg.PrivilegeKey, err = auth.generateAccessToken()
	return err
}

type OidcAuthConsumer struct {
	additionalAuthScopes []v1.AuthScope

	verifier         *oidc.IDTokenVerifier
	subjectFromLogin string
}

func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCServerConfig) *OidcAuthConsumer {
	provider, err := oidc.NewProvider(context.Background(), cfg.Issuer)
	if err != nil {
		panic(err)
	}
	verifierConf := oidc.Config{
		ClientID:          cfg.Audience,
		SkipClientIDCheck: cfg.Audience == "",
		SkipExpiryCheck:   cfg.SkipExpiryCheck,
		SkipIssuerCheck:   cfg.SkipIssuerCheck,
	}
	return &OidcAuthConsumer{
		additionalAuthScopes: additionalAuthScopes,
		verifier:             provider.Verifier(&verifierConf),
	}
}

func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
	token, err := auth.verifier.Verify(context.Background(), loginMsg.PrivilegeKey)
	if err != nil {
		return fmt.Errorf("invalid OIDC token in login: %v", err)
	}
	auth.subjectFromLogin = token.Subject
	return nil
}

func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err error) {
	token, err := auth.verifier.Verify(context.Background(), privilegeKey)
	if err != nil {
		return fmt.Errorf("invalid OIDC token in ping: %v", err)
	}
	if token.Subject != auth.subjectFromLogin {
		return fmt.Errorf("received different OIDC subject in login and ping. "+
			"original subject: %s, "+
			"new subject: %s",
			auth.subjectFromLogin, token.Subject)
	}
	return nil
}

func (auth *OidcAuthConsumer) VerifyPing(pingMsg *msg.Ping) (err error) {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
		return nil
	}

	return auth.verifyPostLoginToken(pingMsg.PrivilegeKey)
}

func (auth *OidcAuthConsumer) VerifyNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (err error) {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
		return nil
	}

	return auth.verifyPostLoginToken(newWorkConnMsg.PrivilegeKey)
}
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`// Copyright 2020 guylewin, guy@lewin.co.il`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package auth`

			`import (`
			`"context"`
			`"fmt"`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`"slices"`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00
feat: odic refine (#3202) Co-authored-by: Matt Feury <mattfeury@gmail.com> 2022-12-12 15:10:38 +08:00			`"github.com/coreos/go-oidc/v3/oidc"`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`"golang.org/x/oauth2/clientcredentials"`
lint by golangci-lint (#3080) 2022-08-29 01:02:53 +08:00
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`v1 "github.com/fatedier/frp/pkg/config/v1"`
lint by golangci-lint (#3080) 2022-08-29 01:02:53 +08:00			`"github.com/fatedier/frp/pkg/msg"`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`)`

			`type OidcAuthProvider struct {`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`additionalAuthScopes []v1.AuthScope`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00
			`tokenGenerator *clientcredentials.Config`
			`}`

support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClientConfig) *OidcAuthProvider {`
feat: support add additional params for OIDC (#2814) * feat: support add additional params and test access by auth0 * fix: config name Co-authored-by: blizard863 <760076784@qq.com> 2022-03-07 14:23:49 +08:00			`eps := make(map[string][]string)`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`for k, v := range cfg.AdditionalEndpointParams {`
feat: support add additional params for OIDC (#2814) * feat: support add additional params and test access by auth0 * fix: config name Co-authored-by: blizard863 <760076784@qq.com> 2022-03-07 14:23:49 +08:00			`eps[k] = []string{v}`
			`}`

support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`if cfg.Audience != "" {`
			`eps["audience"] = []string{cfg.Audience}`
feat: Support OIDC scope parameter (#3192) 2022-12-09 11:46:34 +08:00			`}`

feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`tokenGenerator := &clientcredentials.Config{`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`ClientID: cfg.ClientID,`
			`ClientSecret: cfg.ClientSecret,`
			`Scopes: []string{cfg.Scope},`
			`TokenURL: cfg.TokenEndpointURL,`
feat: support add additional params for OIDC (#2814) * feat: support add additional params and test access by auth0 * fix: config name Co-authored-by: blizard863 <760076784@qq.com> 2022-03-07 14:23:49 +08:00			`EndpointParams: eps,`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`}`

			`return &OidcAuthProvider{`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`additionalAuthScopes: additionalAuthScopes,`
			`tokenGenerator: tokenGenerator,`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`}`
			`}`

			`func (auth *OidcAuthProvider) generateAccessToken() (accessToken string, err error) {`
			`tokenObj, err := auth.tokenGenerator.Token(context.Background())`
			`if err != nil {`
			`return "", fmt.Errorf("couldn't generate OIDC token for login: %v", err)`
			`}`
			`return tokenObj.AccessToken, nil`
			`}`

			`func (auth OidcAuthProvider) SetLogin(loginMsg msg.Login) (err error) {`
			`loginMsg.PrivilegeKey, err = auth.generateAccessToken()`
			`return err`
			`}`

			`func (auth OidcAuthProvider) SetPing(pingMsg msg.Ping) (err error) {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

			`pingMsg.PrivilegeKey, err = auth.generateAccessToken()`
			`return err`
			`}`

			`func (auth OidcAuthProvider) SetNewWorkConn(newWorkConnMsg msg.NewWorkConn) (err error) {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

			`newWorkConnMsg.PrivilegeKey, err = auth.generateAccessToken()`
			`return err`
			`}`

			`type OidcAuthConsumer struct {`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`additionalAuthScopes []v1.AuthScope`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00
			`verifier *oidc.IDTokenVerifier`
			`subjectFromLogin string`
			`}`

support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCServerConfig) *OidcAuthConsumer {`
			`provider, err := oidc.NewProvider(context.Background(), cfg.Issuer)`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`if err != nil {`
			`panic(err)`
			`}`
			`verifierConf := oidc.Config{`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`ClientID: cfg.Audience,`
			`SkipClientIDCheck: cfg.Audience == "",`
			`SkipExpiryCheck: cfg.SkipExpiryCheck,`
			`SkipIssuerCheck: cfg.SkipIssuerCheck,`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`}`
			`return &OidcAuthConsumer{`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`additionalAuthScopes: additionalAuthScopes,`
			`verifier: provider.Verifier(&verifierConf),`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`}`
			`}`

			`func (auth OidcAuthConsumer) VerifyLogin(loginMsg msg.Login) (err error) {`
			`token, err := auth.verifier.Verify(context.Background(), loginMsg.PrivilegeKey)`
			`if err != nil {`
			`return fmt.Errorf("invalid OIDC token in login: %v", err)`
			`}`
			`auth.subjectFromLogin = token.Subject`
			`return nil`
			`}`

			`func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err error) {`
			`token, err := auth.verifier.Verify(context.Background(), privilegeKey)`
			`if err != nil {`
			`return fmt.Errorf("invalid OIDC token in ping: %v", err)`
			`}`
			`if token.Subject != auth.subjectFromLogin {`
			`return fmt.Errorf("received different OIDC subject in login and ping. "+`
			`"original subject: %s, "+`
			`"new subject: %s",`
			`auth.subjectFromLogin, token.Subject)`
			`}`
			`return nil`
			`}`

			`func (auth OidcAuthConsumer) VerifyPing(pingMsg msg.Ping) (err error) {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

			`return auth.verifyPostLoginToken(pingMsg.PrivilegeKey)`
			`}`

			`func (auth OidcAuthConsumer) VerifyNewWorkConn(newWorkConnMsg msg.NewWorkConn) (err error) {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

			`return auth.verifyPostLoginToken(newWorkConnMsg.PrivilegeKey)`
			`}`