mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-09 14:22:40 +02:00
databroker: add audience to session (#1557)
* add audience to session * update audience * parse next url and add it to audience
This commit is contained in:
parent
a85b3b04c1
commit
93c257259e
3 changed files with 44 additions and 29 deletions
|
@ -389,23 +389,6 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
|
|||
return nil, fmt.Errorf("error redeeming authenticate code: %w", err)
|
||||
}
|
||||
|
||||
s := sessions.State{ID: uuid.New().String()}
|
||||
err = claims.Claims.Claims(&s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshaling session state: %w", err)
|
||||
}
|
||||
|
||||
// save the session and access token to the databroker
|
||||
err = a.saveSessionToDataBroker(ctx, &s, claims, accessToken)
|
||||
if err != nil {
|
||||
return nil, httputil.NewError(http.StatusInternalServerError, err)
|
||||
}
|
||||
|
||||
newState := sessions.NewSession(
|
||||
&s,
|
||||
state.redirectURL.Hostname(),
|
||||
[]string{state.redirectURL.Hostname()})
|
||||
|
||||
// state includes a csrf nonce (validated by middleware) and redirect uri
|
||||
bytes, err := base64.URLEncoding.DecodeString(r.FormValue("state"))
|
||||
if err != nil {
|
||||
|
@ -438,6 +421,27 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
|
|||
return nil, httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
s := sessions.State{ID: uuid.New().String()}
|
||||
err = claims.Claims.Claims(&s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshaling session state: %w", err)
|
||||
}
|
||||
|
||||
newState := sessions.NewSession(
|
||||
&s,
|
||||
state.redirectURL.Hostname(),
|
||||
[]string{state.redirectURL.Hostname()})
|
||||
|
||||
if nextRedirectURL, err := urlutil.ParseAndValidateURL(redirectURL.Query().Get(urlutil.QueryRedirectURI)); err == nil {
|
||||
newState.Audience = append(newState.Audience, nextRedirectURL.Hostname())
|
||||
}
|
||||
|
||||
// save the session and access token to the databroker
|
||||
err = a.saveSessionToDataBroker(ctx, &newState, claims, accessToken)
|
||||
if err != nil {
|
||||
return nil, httputil.NewError(http.StatusInternalServerError, err)
|
||||
}
|
||||
|
||||
// ... and the user state to local storage.
|
||||
if err := state.sessionStore.SaveSession(w, r, &newState); err != nil {
|
||||
return nil, fmt.Errorf("failed saving new session: %w", err)
|
||||
|
@ -560,6 +564,7 @@ func (a *Authenticate) saveSessionToDataBroker(
|
|||
IssuedAt: idTokenIssuedAt,
|
||||
},
|
||||
OauthToken: manager.ToOAuthToken(accessToken),
|
||||
Audience: sessionState.Audience,
|
||||
}
|
||||
s.SetRawIDToken(claims.RawIDToken)
|
||||
s.AddClaims(claims.Flatten())
|
||||
|
|
|
@ -189,6 +189,7 @@ type Session struct {
|
|||
IdToken *IDToken `protobuf:"bytes,6,opt,name=id_token,json=idToken,proto3" json:"id_token,omitempty"`
|
||||
OauthToken *OAuthToken `protobuf:"bytes,7,opt,name=oauth_token,json=oauthToken,proto3" json:"oauth_token,omitempty"`
|
||||
Claims map[string]*_struct.ListValue `protobuf:"bytes,9,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
|
||||
Audience []string `protobuf:"bytes,10,rep,name=audience,proto3" json:"audience,omitempty"`
|
||||
}
|
||||
|
||||
func (x *Session) Reset() {
|
||||
|
@ -272,6 +273,13 @@ func (x *Session) GetClaims() map[string]*_struct.ListValue {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (x *Session) GetAudience() []string {
|
||||
if x != nil {
|
||||
return x.Audience
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
var File_session_proto protoreflect.FileDescriptor
|
||||
|
||||
var file_session_proto_rawDesc = []byte{
|
||||
|
@ -303,7 +311,7 @@ var file_session_proto_rawDesc = []byte{
|
|||
0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78,
|
||||
0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x72, 0x65,
|
||||
0x73, 0x68, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
|
||||
0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xf7, 0x02, 0x0a,
|
||||
0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x93, 0x03, 0x0a,
|
||||
0x07, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73,
|
||||
0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69,
|
||||
0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02,
|
||||
|
@ -321,16 +329,18 @@ var file_session_proto_rawDesc = []byte{
|
|||
0x61, 0x75, 0x74, 0x68, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x06, 0x63, 0x6c, 0x61,
|
||||
0x69, 0x6d, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x73, 0x65, 0x73, 0x73,
|
||||
0x69, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x61, 0x69,
|
||||
0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a,
|
||||
0x55, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10,
|
||||
0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
|
||||
0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
|
||||
0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
|
||||
0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c,
|
||||
0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
|
||||
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f,
|
||||
0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f,
|
||||
0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x12,
|
||||
0x1a, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x0a, 0x20, 0x03, 0x28,
|
||||
0x09, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x1a, 0x55, 0x0a, 0x0b, 0x43,
|
||||
0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
|
||||
0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05,
|
||||
0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
|
||||
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69,
|
||||
0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
|
||||
0x38, 0x01, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
|
||||
0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
|
||||
0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x73, 0x65, 0x73, 0x73,
|
||||
0x69, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
|
|
|
@ -6,7 +6,6 @@ option go_package = "github.com/pomerium/pomerium/pkg/grpc/session";
|
|||
import "google/protobuf/timestamp.proto";
|
||||
import "google/protobuf/struct.proto";
|
||||
|
||||
|
||||
message IDToken {
|
||||
string issuer = 1;
|
||||
string subject = 2;
|
||||
|
@ -30,4 +29,5 @@ message Session {
|
|||
IDToken id_token = 6;
|
||||
OAuthToken oauth_token = 7;
|
||||
map<string, google.protobuf.ListValue> claims = 9;
|
||||
repeated string audience = 10;
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue