diff --git a/authenticate/providers/google.go b/authenticate/providers/google.go index 393900f22..729e2f67e 100644 --- a/authenticate/providers/google.go +++ b/authenticate/providers/google.go @@ -6,12 +6,13 @@ import ( "time" oidc "github.com/pomerium/go-oidc" + "golang.org/x/oauth2" + "github.com/pomerium/pomerium/authenticate/circuit" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/internal/version" - "golang.org/x/oauth2" ) const defaultGoogleProviderURL = "https://accounts.google.com" diff --git a/authenticate/providers/microsoft.go b/authenticate/providers/microsoft.go new file mode 100644 index 000000000..0016d09e4 --- /dev/null +++ b/authenticate/providers/microsoft.go @@ -0,0 +1,110 @@ +package providers // import "github.com/pomerium/pomerium/internal/providers" + +import ( + "context" + "net/url" + "time" + + oidc "github.com/pomerium/go-oidc" + "golang.org/x/oauth2" + + "github.com/pomerium/pomerium/authenticate/circuit" + "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/internal/log" + "github.com/pomerium/pomerium/internal/sessions" + "github.com/pomerium/pomerium/internal/version" +) + +// defaultAzureProviderURL Users with both a personal Microsoft +// account and a work or school account from Azure Active Directory (Azure AD) +// an sign in to the application. +const defaultAzureProviderURL = "https://login.microsoftonline.com/common" + +// AzureProvider is an implementation of the Provider interface +type AzureProvider struct { + *ProviderData + cb *circuit.Breaker + // non-standard oidc fields + RevokeURL *url.URL +} + +// NewAzureProvider returns a new AzureProvider and sets the provider url endpoints. +// If non-"common" tenant is desired, ProviderURL must be set. +// https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc +func NewAzureProvider(p *ProviderData) (*AzureProvider, error) { + ctx := context.Background() + + if p.ProviderURL == "" { + p.ProviderURL = defaultAzureProviderURL + } + log.Info().Msgf("provider url %s", p.ProviderURL) + provider, err := oidc.NewProvider(ctx, p.ProviderURL) + if err != nil { + return nil, err + } + + p.verifier = provider.Verifier(&oidc.Config{ClientID: p.ClientID}) + p.oauth = &oauth2.Config{ + ClientID: p.ClientID, + ClientSecret: p.ClientSecret, + Endpoint: provider.Endpoint(), + RedirectURL: p.RedirectURL.String(), + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, + } + + azureProvider := &AzureProvider{ + ProviderData: p, + } + // azure has a "end session endpoint" + var claims struct { + RevokeURL string `json:"end_session_endpoint"` + } + + if err := provider.Claims(&claims); err != nil { + return nil, err + } + + azureProvider.RevokeURL, err = url.Parse(claims.RevokeURL) + if err != nil { + return nil, err + } + + azureProvider.cb = circuit.NewBreaker(&circuit.Options{ + HalfOpenConcurrentRequests: 2, + OnStateChange: azureProvider.cbStateChange, + OnBackoff: azureProvider.cbBackoff, + ShouldTripFunc: func(c circuit.Counts) bool { return c.ConsecutiveFailures >= 3 }, + ShouldResetFunc: func(c circuit.Counts) bool { return c.ConsecutiveSuccesses >= 6 }, + BackoffDurationFunc: circuit.ExponentialBackoffDuration( + time.Duration(200)*time.Second, + time.Duration(500)*time.Millisecond), + }) + + return azureProvider, nil +} + +func (p *AzureProvider) cbBackoff(duration time.Duration, reset time.Time) { + log.Info().Dur("duration", duration).Msg("authenticate/providers/azure.cbBackoff") + +} + +func (p *AzureProvider) cbStateChange(from, to circuit.State) { + log.Info().Str("from", from.String()).Str("to", to.String()).Msg("authenticate/providers/azure.cbStateChange") +} + +// Revoke revokes the access token a given session state. +//https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request +func (p *AzureProvider) Revoke(s *sessions.SessionState) error { + params := url.Values{} + params.Add("token", s.AccessToken) + err := httputil.Client("POST", p.RevokeURL.String(), version.UserAgent(), params, nil) + if err != nil && err != httputil.ErrTokenRevoked { + return err + } + return nil +} + +// GetSignInURL returns the sign in url with typical oauth parameters +func (p *AzureProvider) GetSignInURL(state string) string { + return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce) +} diff --git a/authenticate/providers/okta.go b/authenticate/providers/okta.go index c3e14867d..cead032a5 100644 --- a/authenticate/providers/okta.go +++ b/authenticate/providers/okta.go @@ -6,10 +6,11 @@ import ( "net/url" oidc "github.com/pomerium/go-oidc" + "golang.org/x/oauth2" + "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/internal/version" - "golang.org/x/oauth2" ) // OktaProvider provides a standard, OpenID Connect implementation diff --git a/authenticate/providers/providers.go b/authenticate/providers/providers.go index 932be1144..0edd043c2 100644 --- a/authenticate/providers/providers.go +++ b/authenticate/providers/providers.go @@ -8,12 +8,15 @@ import ( "time" oidc "github.com/pomerium/go-oidc" + "golang.org/x/oauth2" + "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/sessions" - "golang.org/x/oauth2" ) const ( + // AzureProviderName identifies the Azure provider + AzureProviderName = "azure" // GoogleProviderName identifies the Google provider GoogleProviderName = "google" // OIDCProviderName identifes a generic OpenID connect provider @@ -44,6 +47,12 @@ func New(provider string, p *ProviderData) (Provider, error) { return nil, err } return p, nil + case AzureProviderName: + p, err := NewAzureProvider(p) + if err != nil { + return nil, err + } + return p, nil case OktaProviderName: p, err := NewOktaProvider(p) if err != nil { diff --git a/docs/guide/google/google-create-client-id-config.png b/docs/guide/google/google-create-client-id-config.png index 2821a5c34..87ef6da31 100644 Binary files a/docs/guide/google/google-create-client-id-config.png and b/docs/guide/google/google-create-client-id-config.png differ diff --git a/docs/guide/google/google-create-new-credentials.png b/docs/guide/google/google-create-new-credentials.png index a1dcff147..bf67de1ea 100644 Binary files a/docs/guide/google/google-create-new-credentials.png and b/docs/guide/google/google-create-new-credentials.png differ diff --git a/docs/guide/google/google-credentials.png b/docs/guide/google/google-credentials.png index 5ab4b946b..6e3a95d01 100644 Binary files a/docs/guide/google/google-credentials.png and b/docs/guide/google/google-credentials.png differ diff --git a/docs/guide/google/google-oauth-client-info.png b/docs/guide/google/google-oauth-client-info.png index 008acf598..d63993e99 100644 Binary files a/docs/guide/google/google-oauth-client-info.png and b/docs/guide/google/google-oauth-client-info.png differ diff --git a/docs/guide/identity-providers.md b/docs/guide/identity-providers.md index 7d78cabf0..c08affc5b 100644 --- a/docs/guide/identity-providers.md +++ b/docs/guide/identity-providers.md @@ -85,6 +85,80 @@ export IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7" export IDP_CLIENT_SECRET="xxxxxx" ``` +## Azure + +If you plan on allowing users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can [signup](https://azure.microsoft.com/en-us/free) for free. + +You can access the Azure management portal from your Microsoft service, or visit [https://portal.azure.com](https://portal.azure.com) and sign in to Azure using the global administrator account used to create the Office 365 organization. + +::: tip +There is no way to create an application that integrates with Microsoft Azure AD without having **your own** Microsoft Azure AD instance. +::: + +If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account's Azure AD instance: + +1. [Sign in](https://portal.office.com) to Office 365. +2. Navigate to the [Office 365 Admin Center](https://portal.office.com/adminportal/home#/homepage). +3. Open the **Admin centers** menu drawer located in the left menu. +4. Click on **Azure AD**. + +This will bring you to the admin center of the Azure AD instance backing your Office 365 account. + +### Create a new application + +Login to Microsoft Azure and choose **Azure Active Directory** from the sidebar. + +![Select Active Directory](./microsoft/azure-dashboard.png) + +Then under **MANAGE**, select **App registrations**. + +![Select App registrations](./microsoft/azure-app-registrations.png) + +Then click on the **+ ADD** button to add a new application. + +Enter a name for the application, select **Web app/API** as the **Application Type**, and for **Sign-on URL** enter your application URL. + +![Create application form](./microsoft/azure-create-application.png) + +Next you will need to create a key which will be used as the **Client Secret** in Pomeriunm's configuration settings. Click on **Keys** from the **Settings** menu. + +Enter a name for the key and choose the desired duration. + +::: tip +If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day in order to ensure users don't experience a service interruption. +::: + +Click on **Save** and the key will be displayed. **Make sure to copy the value of this key before leaving this screen**, otherwise you may need to create a new key. This value is used as the **Client Secret**. + +![Creating a Key](./microsoft/azure-create-key.png) + +Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, +`https://sso-auth.corp.beyondperimeter.com/oauth2/callback`. + +![Add Reply URL](./microsoft/azure-redirect-url.png) + +The final, and most unique step to Azure AD provider, is to take note of your specific endpoint. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. +![Application dashboard](./microsoft/azure-application-dashbaord.png) +Click on **Endpoints** + +![Endpoint details](./microsoft/azure-endpoints.png) + +The **OpenID Connect Metadata Document** value will form the basis for Pomerium's **Provider URL** setting. For example, if your **Azure OpenID Connect** is `https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0/.well-known/openid-configuration` your **Pomerium Identity Provider URL** would be `https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0`. + +### Configure Pomerium + +At this point, you will configure the integration from the Pomerium side. Your [environmental variables] should look something like: + +```bash +# Azure +export REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback" +export IDP_PROVIDER="azure" +export IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0" +export IDP_CLIENT_ID="REPLACE-ME" +export IDP_CLIENT_SECRET="REPLACE-ME" + +``` + [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable [oauth2]: https://oauth.net/2/ [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect diff --git a/docs/guide/microsoft/azure-app-registrations.png b/docs/guide/microsoft/azure-app-registrations.png new file mode 100644 index 000000000..0f38b389d Binary files /dev/null and b/docs/guide/microsoft/azure-app-registrations.png differ diff --git a/docs/guide/microsoft/azure-application-dashbaord.png b/docs/guide/microsoft/azure-application-dashbaord.png new file mode 100644 index 000000000..f90e5dab5 Binary files /dev/null and b/docs/guide/microsoft/azure-application-dashbaord.png differ diff --git a/docs/guide/microsoft/azure-create-application.png b/docs/guide/microsoft/azure-create-application.png new file mode 100644 index 000000000..872a8ac64 Binary files /dev/null and b/docs/guide/microsoft/azure-create-application.png differ diff --git a/docs/guide/microsoft/azure-create-key.png b/docs/guide/microsoft/azure-create-key.png new file mode 100644 index 000000000..0e700754f Binary files /dev/null and b/docs/guide/microsoft/azure-create-key.png differ diff --git a/docs/guide/microsoft/azure-dashboard.png b/docs/guide/microsoft/azure-dashboard.png new file mode 100644 index 000000000..2ec07b471 Binary files /dev/null and b/docs/guide/microsoft/azure-dashboard.png differ diff --git a/docs/guide/microsoft/azure-endpoints.png b/docs/guide/microsoft/azure-endpoints.png new file mode 100644 index 000000000..97f84a6b8 Binary files /dev/null and b/docs/guide/microsoft/azure-endpoints.png differ diff --git a/docs/guide/microsoft/azure-redirect-url.png b/docs/guide/microsoft/azure-redirect-url.png new file mode 100644 index 000000000..8628d4978 Binary files /dev/null and b/docs/guide/microsoft/azure-redirect-url.png differ diff --git a/docs/guide/okta/okta-app-dashboard.png b/docs/guide/okta/okta-app-dashboard.png index 677a49bee..199f3439c 100644 Binary files a/docs/guide/okta/okta-app-dashboard.png and b/docs/guide/okta/okta-app-dashboard.png differ diff --git a/docs/guide/okta/okta-client-id-and-secret.png b/docs/guide/okta/okta-client-id-and-secret.png index b66c15915..617099edc 100644 Binary files a/docs/guide/okta/okta-client-id-and-secret.png and b/docs/guide/okta/okta-client-id-and-secret.png differ diff --git a/docs/guide/okta/okta-create-app-platform.png b/docs/guide/okta/okta-create-app-platform.png index 02de68506..e96683506 100644 Binary files a/docs/guide/okta/okta-create-app-platform.png and b/docs/guide/okta/okta-create-app-platform.png differ diff --git a/docs/guide/okta/okta-create-app-settings.png b/docs/guide/okta/okta-create-app-settings.png index c8b3abfb7..32a3d612e 100644 Binary files a/docs/guide/okta/okta-create-app-settings.png and b/docs/guide/okta/okta-create-app-settings.png differ diff --git a/env.example b/env.example index b47f863b0..63959d889 100644 --- a/env.example +++ b/env.example @@ -14,6 +14,12 @@ export COOKIE_SECRET=uPGHo1ujND/k3B9V6yr52Gweq3RRYfFho98jxDG5Br8= # export IDP_CLIENT_SECRET="REPLACEME" # export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default" +# Azure +# export IDP_PROVIDER="azure" +# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0" +# export IDP_CLIENT_ID="REPLACEME +# export IDP_CLIENT_SECRET="REPLACEME" + ## GOOGLE export IDP_PROVIDER="google" export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google diff --git a/proxy/proxy.go b/proxy/proxy.go index 1d9844c2d..bfd37ee5f 100755 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -53,7 +53,7 @@ var defaultOptions = &Options{ CookieExpire: time.Duration(168) * time.Hour, DefaultUpstreamTimeout: time.Duration(10) * time.Second, SessionLifetimeTTL: time.Duration(720) * time.Hour, - SessionValidTTL: time.Duration(10) * time.Minute, + SessionValidTTL: time.Duration(1) * time.Minute, GracePeriodTTL: time.Duration(3) * time.Hour, PassAccessToken: false, }