authenticator: support groups (#57)

- authenticate/providers: add group support to azure - authenticate/providers: add group support to google - authenticate/providers: add group support to okta - authenticate/providers: add group support to onelogin - {authenticate/proxy}: change default cookie lifetime timeout to 14 hours - proxy: sign group membership - proxy: add group header - deployment: add CHANGELOG - deployment: fix where make release wasn’t including version
2025-05-22 13:37:19 +02:00 · 2019-02-28 19:34:22 -08:00 · 2019-02-28 19:34:22 -08:00 · 1187be2bf3
commit 1187be2bf3
parent a2d647ee5b
54 changed files with 1757 additions and 1706 deletions
--- a/authenticate/grpc.go
+++ b/authenticate/grpc.go
@ -3,62 +3,54 @@ import (
 	"context"
 	"fmt"

-	"github.com/golang/protobuf/ptypes"
-
-	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
 	pb "github.com/pomerium/pomerium/proto/authenticate"
 )

 // Authenticate takes an encrypted code, and returns the authentication result.
-func (p *Authenticate) Authenticate(ctx context.Context, in *pb.AuthenticateRequest) (*pb.AuthenticateReply, error) {
+func (p *Authenticate) Authenticate(ctx context.Context, in *pb.AuthenticateRequest) (*pb.Session, error) {
 	session, err := sessions.UnmarshalSession(in.Code, p.cipher)
 	if err != nil {
-		return nil, fmt.Errorf("authenticate/grpc: %v", err)
+		return nil, fmt.Errorf("authenticate/grpc: authenticate %v", err)
 	}
-	expiryTimestamp, err := ptypes.TimestampProto(session.RefreshDeadline)
+	newSessionProto, err := pb.ProtoFromSession(session)
 	if err != nil {
 		return nil, err
 	}
-
-	return &pb.AuthenticateReply{
-		AccessToken:  session.AccessToken,
-		RefreshToken: session.RefreshToken,
-		IdToken:      session.IDToken,
-		User:         session.User,
-		Email:        session.Email,
-		Expiry:       expiryTimestamp,
-	}, nil
+	return newSessionProto, nil
 }

 // Validate locally validates a JWT id token; does NOT do nonce or revokation validation.
 // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 func (p *Authenticate) Validate(ctx context.Context, in *pb.ValidateRequest) (*pb.ValidateReply, error) {
-	isValid, err := p.provider.Validate(in.IdToken)
+	isValid, err := p.provider.Validate(ctx, in.IdToken)
 	if err != nil {
-		return &pb.ValidateReply{IsValid: false}, err
+		return &pb.ValidateReply{IsValid: false}, fmt.Errorf("authenticate/grpc: validate %v", err)
 	}
 	return &pb.ValidateReply{IsValid: isValid}, nil
 }

 // Refresh renews a user's session checks if the session has been revoked using an access token
 // without reprompting the user.
-func (p *Authenticate) Refresh(ctx context.Context, in *pb.RefreshRequest) (*pb.RefreshReply, error) {
-	newToken, err := p.provider.Refresh(in.RefreshToken)
+func (p *Authenticate) Refresh(ctx context.Context, in *pb.Session) (*pb.Session, error) {
+	// todo(bdd): add request id from incoming context
+	// md, _ := metadata.FromIncomingContext(ctx)
+	// sublogger := log.With().Str("req_id", md.Get("req_id")[0]).WithContext(ctx)
+	// sublogger.Info().Msg("tracing sucks!")
+	if in == nil {
+		return nil, fmt.Errorf("authenticate/grpc: session cannot be nil")
+	}
+	oldSession, err := pb.SessionFromProto(in)
 	if err != nil {
 		return nil, err
 	}
-	expiryTimestamp, err := ptypes.TimestampProto(newToken.Expiry)
+	newSession, err := p.provider.Refresh(ctx, oldSession)
+	if err != nil {
+		return nil, fmt.Errorf("authenticate/grpc: refresh failed %v", err)
+	}
+	newSessionProto, err := pb.ProtoFromSession(newSession)
 	if err != nil {
 		return nil, err
 	}
-	log.Info().
-		Str("session.AccessToken", newToken.AccessToken).
-		Msg("authenticate: grpc: refresh: ok")
-
-	return &pb.RefreshReply{
-		AccessToken: newToken.AccessToken,
-		Expiry:      expiryTimestamp,
-	}, nil
-
+	return newSessionProto, nil
 }