Fixes #2 : Adds Microsoft Azure Active Directory provider support (#5)

authenticate/providers/google.go

@@ -6,12 +6,13 @@ import (
 	"time"
 
 	oidc "github.com/pomerium/go-oidc"
+	"golang.org/x/oauth2"
+
 	"github.com/pomerium/pomerium/authenticate/circuit"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/version"
-	"golang.org/x/oauth2"
 )
 
 const defaultGoogleProviderURL = "https://accounts.google.com"

authenticate/providers/microsoft.go

@@ -0,0 +1,110 @@
+package providers // import "github.com/pomerium/pomerium/internal/providers"
+
+import (
+	"context"
+	"net/url"
+	"time"
+
+	oidc "github.com/pomerium/go-oidc"
+	"golang.org/x/oauth2"
+
+	"github.com/pomerium/pomerium/authenticate/circuit"
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/internal/sessions"
+	"github.com/pomerium/pomerium/internal/version"
+)
+
+// defaultAzureProviderURL Users with both a personal Microsoft
+// account and a work or school account from Azure Active Directory (Azure AD)
+// an sign in to the application.
+const defaultAzureProviderURL = "https://login.microsoftonline.com/common"
+
+// AzureProvider is an implementation of the Provider interface
+type AzureProvider struct {
+	*ProviderData
+	cb *circuit.Breaker
+	// non-standard oidc fields
+	RevokeURL *url.URL
+}
+
+// NewAzureProvider returns a new AzureProvider and sets the provider url endpoints.
+// If non-"common" tenant is desired, ProviderURL must be set.
+// https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
+func NewAzureProvider(p *ProviderData) (*AzureProvider, error) {
+	ctx := context.Background()
+
+	if p.ProviderURL == "" {
+		p.ProviderURL = defaultAzureProviderURL
+	}
+	log.Info().Msgf("provider url %s", p.ProviderURL)
+	provider, err := oidc.NewProvider(ctx, p.ProviderURL)
+	if err != nil {
+		return nil, err
+	}
+
+	p.verifier = provider.Verifier(&oidc.Config{ClientID: p.ClientID})
+	p.oauth = &oauth2.Config{
+		ClientID:     p.ClientID,
+		ClientSecret: p.ClientSecret,
+		Endpoint:     provider.Endpoint(),
+		RedirectURL:  p.RedirectURL.String(),
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+	}
+
+	azureProvider := &AzureProvider{
+		ProviderData: p,
+	}
+	// azure has a "end session endpoint"
+	var claims struct {
+		RevokeURL string `json:"end_session_endpoint"`
+	}
+
+	if err := provider.Claims(&claims); err != nil {
+		return nil, err
+	}
+
+	azureProvider.RevokeURL, err = url.Parse(claims.RevokeURL)
+	if err != nil {
+		return nil, err
+	}
+
+	azureProvider.cb = circuit.NewBreaker(&circuit.Options{
+		HalfOpenConcurrentRequests: 2,
+		OnStateChange:              azureProvider.cbStateChange,
+		OnBackoff:                  azureProvider.cbBackoff,
+		ShouldTripFunc:             func(c circuit.Counts) bool { return c.ConsecutiveFailures >= 3 },
+		ShouldResetFunc:            func(c circuit.Counts) bool { return c.ConsecutiveSuccesses >= 6 },
+		BackoffDurationFunc: circuit.ExponentialBackoffDuration(
+			time.Duration(200)*time.Second,
+			time.Duration(500)*time.Millisecond),
+	})
+
+	return azureProvider, nil
+}
+
+func (p *AzureProvider) cbBackoff(duration time.Duration, reset time.Time) {
+	log.Info().Dur("duration", duration).Msg("authenticate/providers/azure.cbBackoff")
+
+}
+
+func (p *AzureProvider) cbStateChange(from, to circuit.State) {
+	log.Info().Str("from", from.String()).Str("to", to.String()).Msg("authenticate/providers/azure.cbStateChange")
+}
+
+// Revoke revokes the access token a given session state.
+//https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
+func (p *AzureProvider) Revoke(s *sessions.SessionState) error {
+	params := url.Values{}
+	params.Add("token", s.AccessToken)
+	err := httputil.Client("POST", p.RevokeURL.String(), version.UserAgent(), params, nil)
+	if err != nil && err != httputil.ErrTokenRevoked {
+		return err
+	}
+	return nil
+}
+
+// GetSignInURL returns the sign in url with typical oauth parameters
+func (p *AzureProvider) GetSignInURL(state string) string {
+	return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce)
+}

authenticate/providers/okta.go

@@ -6,10 +6,11 @@ import (
 	"net/url"
 
 	oidc "github.com/pomerium/go-oidc"
+	"golang.org/x/oauth2"
+
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/version"
-	"golang.org/x/oauth2"
 )
 
 // OktaProvider provides a standard, OpenID Connect implementation

authenticate/providers/providers.go

@@ -8,12 +8,15 @@ import (
 	"time"
 
 	oidc "github.com/pomerium/go-oidc"
+	"golang.org/x/oauth2"
+
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
-	"golang.org/x/oauth2"
 )
 
 const (
+	// AzureProviderName identifies the Azure provider
+	AzureProviderName = "azure"
 	// GoogleProviderName identifies the Google provider
 	GoogleProviderName = "google"
 	// OIDCProviderName identifes a generic OpenID connect provider
@@ -44,6 +47,12 @@ func New(provider string, p *ProviderData) (Provider, error) {
 			return nil, err
 		}
 		return p, nil
+	case AzureProviderName:
+		p, err := NewAzureProvider(p)
+		if err != nil {
+			return nil, err
+		}
+		return p, nil
 	case OktaProviderName:
 		p, err := NewOktaProvider(p)
 		if err != nil {

docs/guide/identity-providers.md

@@ -85,6 +85,80 @@ export IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7"
 export IDP_CLIENT_SECRET="xxxxxx"
 ```
 
+## Azure
+
+If you plan on allowing users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can [signup](https://azure.microsoft.com/en-us/free) for free.
+
+You can access the Azure management portal from your Microsoft service, or visit [https://portal.azure.com](https://portal.azure.com) and sign in to Azure using the global administrator account used to create the Office 365 organization.
+
+::: tip
+There is no way to create an application that integrates with Microsoft Azure AD without having **your own** Microsoft Azure AD instance.
+:::
+
+If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account's Azure AD instance:
+
+1. [Sign in](https://portal.office.com) to Office 365.
+2. Navigate to the [Office 365 Admin Center](https://portal.office.com/adminportal/home#/homepage).
+3. Open the **Admin centers** menu drawer located in the left menu.
+4. Click on **Azure AD**.
+
+This will bring you to the admin center of the Azure AD instance backing your Office 365 account.
+
+### Create a new application
+
+Login to Microsoft Azure and choose **Azure Active Directory** from the sidebar.
+
+![Select Active Directory](./microsoft/azure-dashboard.png)
+
+Then under **MANAGE**, select **App registrations**.
+
+![Select App registrations](./microsoft/azure-app-registrations.png)
+
+Then click on the **+ ADD** button to add a new application.
+
+Enter a name for the application, select **Web app/API** as the **Application Type**, and for **Sign-on URL** enter your application URL.
+
+![Create application form](./microsoft/azure-create-application.png)
+
+Next you will need to create a key which will be used as the **Client Secret** in Pomeriunm's configuration settings. Click on **Keys** from the **Settings** menu.
+
+Enter a name for the key and choose the desired duration.
+
+::: tip
+If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day in order to ensure users don't experience a service interruption.
+:::
+
+Click on **Save** and the key will be displayed. **Make sure to copy the value of this key before leaving this screen**, otherwise you may need to create a new key. This value is used as the **Client Secret**.
+
+![Creating a Key](./microsoft/azure-create-key.png)
+
+Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example,
+`https://sso-auth.corp.beyondperimeter.com/oauth2/callback`.
+
+![Add Reply URL](./microsoft/azure-redirect-url.png)
+
+The final, and most unique step to Azure AD provider, is to take note of your specific endpoint. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app.
+![Application dashboard](./microsoft/azure-application-dashbaord.png)
+Click on **Endpoints**
+
+![Endpoint details](./microsoft/azure-endpoints.png)
+
+The **OpenID Connect Metadata Document** value will form the basis for Pomerium's **Provider URL** setting. For example, if your **Azure OpenID Connect** is `https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0/.well-known/openid-configuration` your **Pomerium Identity Provider URL** would be `https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0`.
+
+### Configure Pomerium
+
+At this point, you will configure the integration from the Pomerium side. Your [environmental variables] should look something like:
+
+```bash
+# Azure
+export REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
+export IDP_PROVIDER="azure"
+export IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
+export IDP_CLIENT_ID="REPLACE-ME"
+export IDP_CLIENT_SECRET="REPLACE-ME"
+
+```
+
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect

env.example

@@ -14,6 +14,12 @@ export COOKIE_SECRET=uPGHo1ujND/k3B9V6yr52Gweq3RRYfFho98jxDG5Br8=
 # export IDP_CLIENT_SECRET="REPLACEME"
 # export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default"
 
+# Azure
+# export IDP_PROVIDER="azure"
+# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0"
+# export IDP_CLIENT_ID="REPLACEME
+# export IDP_CLIENT_SECRET="REPLACEME"
+
 ## GOOGLE
 export IDP_PROVIDER="google"
 export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google

proxy/proxy.go

@@ -53,7 +53,7 @@ var defaultOptions = &Options{
 	CookieExpire:           time.Duration(168) * time.Hour,
 	DefaultUpstreamTimeout: time.Duration(10) * time.Second,
 	SessionLifetimeTTL:     time.Duration(720) * time.Hour,
-	SessionValidTTL:        time.Duration(10) * time.Minute,
+	SessionValidTTL:        time.Duration(1) * time.Minute,
 	GracePeriodTTL:         time.Duration(3) * time.Hour,
 	PassAccessToken:        false,
 }