authenticator: support groups (#57)

- authenticate/providers: add group support to azure - authenticate/providers: add group support to google - authenticate/providers: add group support to okta - authenticate/providers: add group support to onelogin - {authenticate/proxy}: change default cookie lifetime timeout to 14 hours - proxy: sign group membership - proxy: add group header - deployment: add CHANGELOG - deployment: fix where make release wasn’t including version
2025-06-05 20:32:57 +02:00 · 2019-02-28 19:34:22 -08:00 · 2019-02-28 19:34:22 -08:00 · 1187be2bf3
commit 1187be2bf3
parent a2d647ee5b
54 changed files with 1757 additions and 1706 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -83,34 +83,29 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request) (*se

 	// check if session refresh period is up
 	if session.RefreshPeriodExpired() {
-		newToken, err := a.provider.Refresh(session.RefreshToken)
+		newSession, err := a.provider.Refresh(r.Context(), session)
 		if err != nil {
 			log.FromRequest(r).Error().Err(err).Msg("authenticate: failed to refresh session")
 			a.sessionStore.ClearSession(w, r)
 			return nil, err
 		}
-		session.AccessToken = newToken.AccessToken
-		session.RefreshDeadline = newToken.Expiry
-		err = a.sessionStore.SaveSession(w, r, session)
+		err = a.sessionStore.SaveSession(w, r, newSession)
 		if err != nil {
-			// We refreshed the session successfully, but failed to save it.
-			// This could be from failing to encode the session properly.
-			// But, we clear the session cookie and reject the request
-			log.FromRequest(r).Error().Err(err).Msg("could not save refreshed session")
+			log.FromRequest(r).Error().Err(err).Msg("authenticate: could not save refreshed session")
 			a.sessionStore.ClearSession(w, r)
 			return nil, err
 		}
 	} else {
 		// The session has not exceeded it's lifetime or requires refresh
-		ok, err := a.provider.Validate(session.IDToken)
+		ok, err := a.provider.Validate(r.Context(), session.IDToken)
 		if !ok || err != nil {
-			log.FromRequest(r).Error().Err(err).Msg("invalid session state")
+			log.FromRequest(r).Error().Err(err).Msg("authenticate: invalid session state")
 			a.sessionStore.ClearSession(w, r)
 			return nil, httputil.ErrUserNotAuthorized
 		}
 		err = a.sessionStore.SaveSession(w, r, session)
 		if err != nil {
-			log.FromRequest(r).Error().Err(err).Msg("failed to save valid session")
+			log.FromRequest(r).Error().Err(err).Msg("authenticate: failed to save valid session")
 			a.sessionStore.ClearSession(w, r)
 			return nil, err
 		}
@ -136,7 +131,6 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
 	}
 	log.FromRequest(r).Info().Msg("authenticate: user authenticated")
 	a.ProxyCallback(w, r, session)
-
 }

 // ProxyCallback redirects the user back to proxy service along with an encrypted payload, as
@ -310,7 +304,7 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 	}
 	errorString := r.Form.Get("error")
 	if errorString != "" {
-		log.FromRequest(r).Error().Err(err).Msg("authenticate: provider returned error")
+		log.FromRequest(r).Error().Str("Error", errorString).Msg("authenticate: provider returned error")
 		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: errorString}
 	}
 	code := r.Form.Get("code")