diff --git a/go.mod b/go.mod
index 671b458a6..e0418c1b3 100644
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ require (
 contrib.go.opencensus.io/exporter/jaeger v0.2.0
 contrib.go.opencensus.io/exporter/prometheus v0.1.0
 github.com/cespare/xxhash/v2 v2.1.1
+ github.com/coreos/go-oidc v2.2.1+incompatible
 github.com/fsnotify/fsnotify v1.4.7
 github.com/go-redis/redis/v7 v7.2.0
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
@@ -22,7 +23,6 @@ require (
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pomerium/autocache v0.0.0-20200214161708-6c66ed582edc
 github.com/pomerium/csrf v1.6.2-0.20190918035251-f3318380bad3
- github.com/pomerium/go-oidc v2.0.0+incompatible
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 github.com/prometheus/client_golang v1.5.0
 github.com/rakyll/statik v0.1.7
diff --git a/go.sum b/go.sum
index b2d02d26f..487e1b4c8 100644
--- a/go.sum
+++ b/go.sum
@@ -50,6 +50,8 @@ github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
+github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
@@ -72,9 +74,6 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-redis/redis v6.15.6+incompatible h1:H9evprGPLI8+ci7fxQx6WNZHJSb7be8FqJQRhdQZ5Sg=
-github.com/go-redis/redis v6.15.6+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
-github.com/go-redis/redis v6.15.7+incompatible h1:3skhDh95XQMpnqeqNftPkQD9jL9e5e36z/1SUm6dy1U=
 github.com/go-redis/redis/v7 v7.2.0 h1:CrCexy/jYWZjW0AyVoHlcJUeZN19VWlbepTh1Vq6dJs=
 github.com/go-redis/redis/v7 v7.2.0/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRfnwdHj/Dcg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -241,8 +240,6 @@ github.com/pomerium/autocache v0.0.0-20200214161708-6c66ed582edc h1:8eatzx+SFs0j
 github.com/pomerium/autocache v0.0.0-20200214161708-6c66ed582edc/go.mod h1:8YuqYfLW/ZIavspMvQvH0UrPusRuvdm/r338GoSu2/k=
 github.com/pomerium/csrf v1.6.2-0.20190918035251-f3318380bad3 h1:FmzFXnCAepHZwl6QPhTFqBHcbcGevdiEQjutK+M5bj4=
 github.com/pomerium/csrf v1.6.2-0.20190918035251-f3318380bad3/go.mod h1:UE2U4JOsjXNeq+MX/lqhZpUFsNAxbXERuYsWK2iULh0=
-github.com/pomerium/go-oidc v2.0.0+incompatible h1:gVvG/ExWsHQqatV+uceROnGmbVYF44mDNx5nayBhC0o=
-github.com/pomerium/go-oidc v2.0.0+incompatible/go.mod h1:DRsGVw6MOgxbfq4Y57jKOE8lbEfayxeiY0A8/4vxjBM=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
@@ -252,8 +249,8 @@ github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4
 github.com/prometheus/client_golang v0.9.3 h1:9iH4JKXLzFbOAdtqv/a+j8aewx2Y8lAjAydhbaScPF8=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.4.1 h1:FFSuS004yOQEtDdTq+TAOLP5xUq63KqAFYyOi8zA+Y8=
-github.com/prometheus/client_golang v1.4.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
+github.com/prometheus/client_golang v1.5.0 h1:Ctq0iGpCmr3jeP77kbF2UxgvRwzWWz+4Bh9/vJTyg1A=
+github.com/prometheus/client_golang v1.5.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -441,6 +438,7 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200117145432-59e60aa80a0c h1:gUYreENmqtjZb2brVfUas1sC6UivSY8XwKwPo8tloLs=
 golang.org/x/sys v0.0.0-20200117145432-59e60aa80a0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82 h1:ywK/j/KkyTHcdyYSZNXGjMwgmDSfjglYZ3vStQ/gSCU=
diff --git a/internal/identity/google.go b/internal/identity/google.go
index 8397c398e..eb20c7415 100644
--- a/internal/identity/google.go
+++ b/internal/identity/google.go
@@ -8,7 +8,7 @@ import (
 "net/http"
 "net/url"
- oidc "github.com/pomerium/go-oidc"
+ oidc "github.com/coreos/go-oidc"
 "golang.org/x/oauth2"
 "golang.org/x/oauth2/google"
 admin "google.golang.org/api/admin/directory/v1"
diff --git a/internal/identity/microsoft.go b/internal/identity/microsoft.go
index f6f8276b5..1d48e1e02 100644
--- a/internal/identity/microsoft.go
+++ b/internal/identity/microsoft.go
@@ -8,7 +8,7 @@ import (
 "net/url"
 "time"
- oidc "github.com/pomerium/go-oidc"
+ oidc "github.com/coreos/go-oidc"
 "golang.org/x/oauth2"
 "github.com/pomerium/pomerium/internal/httputil"
diff --git a/internal/identity/oidc.go b/internal/identity/oidc.go
index 8624ae8ab..53644218d 100644
--- a/internal/identity/oidc.go
+++ b/internal/identity/oidc.go
@@ -3,7 +3,7 @@ package identity // import "github.com/pomerium/pomerium/internal/identity"
 import (
 "context"
- oidc "github.com/pomerium/go-oidc"
+ oidc "github.com/coreos/go-oidc"
 "golang.org/x/oauth2"
 )
diff --git a/internal/identity/okta.go b/internal/identity/okta.go
index 4e0feb068..adea07031 100644
--- a/internal/identity/okta.go
+++ b/internal/identity/okta.go
@@ -6,7 +6,7 @@ import (
 "net/http"
 "net/url"
- oidc "github.com/pomerium/go-oidc"
+ oidc "github.com/coreos/go-oidc"
 "golang.org/x/oauth2"
 "github.com/pomerium/pomerium/internal/httputil"
diff --git a/internal/identity/onelogin.go b/internal/identity/onelogin.go
index e246a7cf3..270ac3a57 100644
--- a/internal/identity/onelogin.go
+++ b/internal/identity/onelogin.go
@@ -8,7 +8,7 @@ import (
 "net/url"
 "time"
- oidc "github.com/pomerium/go-oidc"
+ oidc "github.com/coreos/go-oidc"
 "golang.org/x/oauth2"
 "github.com/pomerium/pomerium/internal/httputil"
diff --git a/internal/identity/providers.go b/internal/identity/providers.go
index aaca23ba5..cf41c09b4 100644
--- a/internal/identity/providers.go +++ b/internal/identity/providers.go @@ -10,7 +10,7 @@ import ( "github.com/pomerium/pomerium/internal/sessions" - oidc "github.com/pomerium/go-oidc" + oidc "github.com/coreos/go-oidc" "golang.org/x/oauth2" ) @@ -81,6 +81,8 @@ type Provider struct { UserGroupFn func(context.Context, *sessions.State) ([]string, error) + UserInfoEndpoint bool + // ServiceAccount can be set for those providers that require additional // credentials or tokens to do follow up API calls (e.g. Google) ServiceAccount string @@ -117,6 +119,24 @@ func (p *Provider) Authenticate(ctx context.Context, code string) (*sessions.Sta if err != nil { return nil, err } + + // check if provider has info endpoint, try to hit that and gather more info + // especially useful if initial request did not an contain email, or subject + // https://openid.net/specs/openid-connect-core-1_0.html#UserInfo + var claims struct { + UserInfoURL string `json:"userinfo_endpoint"` + } + + if err := p.provider.Claims(&claims); err == nil && claims.UserInfoURL != "" { + userInfo, err := p.provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token)) + if err != nil { + return nil, fmt.Errorf("internal/identity: could not retrieve user info %w", err) + } + if err := userInfo.Claims(&s); err != nil { + return nil, err + } + } + if p.UserGroupFn != nil { s.Groups, err = p.UserGroupFn(ctx, s) if err != nil { diff --git a/internal/sessions/state.go b/internal/sessions/state.go index 25bdde62a..3183f6e69 100644 --- a/internal/sessions/state.go +++ b/internal/sessions/state.go @@ -7,8 +7,8 @@ import ( "time" "github.com/cespare/xxhash/v2" + oidc "github.com/coreos/go-oidc" "github.com/mitchellh/hashstructure" - oidc "github.com/pomerium/go-oidc" "golang.org/x/oauth2" "gopkg.in/square/go-jose.v2/jwt" )
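Review bot: `UserInfoEndpoint bool` is added to `Provider` with no doc comment, and nothing in this diff reads it — the `Authenticate` hunk below decides whether to call UserInfo from the provider's discovery claims (`userinfo_endpoint`), not from this field. If the flag is meant to gate that lookup, document it and use it in the check, e.g. `// UserInfoEndpoint enables querying the provider's UserInfo endpoint after token exchange to fill in claims missing from the ID token.`; if it is a leftover, drop it so the struct does not carry a dead configuration knob. The `Provider` struct starts before and continues after this hunk.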
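Review bot: The UserInfo claims are merged into `s` at `userInfo.Claims(&s)` without checking that the response's `sub` matches the ID token's `sub`, which OpenID Connect Core 1.0 §5.3.2 requires before any UserInfo values are used; a response for a different subject would silently overwrite the session's identity fields. Compare `userInfo.Subject` with the subject already stored in `s` (populated from the verified ID token earlier in this function, outside the hunk) and return an error on mismatch before merging, e.g. `if userInfo.Subject != s.Subject { return nil, fmt.Errorf("internal/identity: userinfo subject mismatch") }` adjusted to whatever field name `sessions.State` actually uses. Two smaller points in the same lines: the wrapped error reads `could not retrieve user info %w` and wants a colon before `%w`, and if `s` is already the `*sessions.State` this function returns, `userInfo.Claims(s)` is clearer than `&s` (a pointer to the pointer). `fmt` is not visible in the import hunk above, so confirm providers.go already imports it. `Authenticate` starts before and continues past this hunk.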