cherry-pick OIDC changes from gitea (#4724)
These are the three conflicted changes from #4716: * https://github.com/go-gitea/gitea/pull/31632 * https://github.com/go-gitea/gitea/pull/31688 * https://github.com/go-gitea/gitea/pull/31706 cc @earl-warren; as per discussion on https://github.com/go-gitea/gitea/pull/31632 this involves a small compatibility break (OIDC introspection requests now require a valid client ID and secret, instead of a valid OIDC token) ## Checklist The [developer guide](https://forgejo.org/docs/next/developer/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Draft release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Breaking features - [PR](https://codeberg.org/forgejo/forgejo/pulls/4724): <!--number 4724 --><!--line 0 --><!--description T0lEQyBpbnRlZ3JhdGlvbnMgdGhhdCBQT1NUIHRvIGAvbG9naW4vb2F1dGgvaW50cm9zcGVjdGAgd2l0aG91dCBzZW5kaW5nIEhUVFAgYmFzaWMgYXV0aGVudGljYXRpb24gd2lsbCBub3cgZmFpbCB3aXRoIGEgNDAxIEhUVFAgVW5hdXRob3JpemVkIGVycm9yLiBUbyBmaXggdGhlIGVycm9yLCB0aGUgY2xpZW50IG11c3QgYmVnaW4gc2VuZGluZyBIVFRQIGJhc2ljIGF1dGhlbnRpY2F0aW9uIHdpdGggYSB2YWxpZCBjbGllbnQgSUQgYW5kIHNlY3JldC4gVGhpcyBlbmRwb2ludCB3YXMgcHJldmlvdXNseSBhdXRoZW50aWNhdGVkIHZpYSB0aGUgaW50cm9zcGVjdGlvbiB0b2tlbiBpdHNlbGYsIHdoaWNoIGlzIGxlc3Mgc2VjdXJlLg==-->OIDC integrations that POST to `/login/oauth/introspect` without sending HTTP basic authentication will now fail with a 401 HTTP Unauthorized error. To fix the error, the client must begin sending HTTP basic authentication with a valid client ID and secret. This endpoint was previously authenticated via the introspection token itself, which is less secure.<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4724 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Shivaram Lingamneni <slingamn@cs.stanford.edu> Co-committed-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
This commit is contained in:
parent
633406704c
commit
878c236f49
5 changed files with 107 additions and 25 deletions
|
@ -48,13 +48,10 @@ func BasicAuthDecode(encoded string) (string, string, error) {
|
|||
return "", "", err
|
||||
}
|
||||
|
||||
auth := strings.SplitN(string(s), ":", 2)
|
||||
|
||||
if len(auth) != 2 {
|
||||
return "", "", errors.New("invalid basic authentication")
|
||||
if username, password, ok := strings.Cut(string(s), ":"); ok {
|
||||
return username, password, nil
|
||||
}
|
||||
|
||||
return auth[0], auth[1], nil
|
||||
return "", "", errors.New("invalid basic authentication")
|
||||
}
|
||||
|
||||
// VerifyTimeLimitCode verify time limit code
|
||||
|
|
|
@ -41,6 +41,9 @@ func TestBasicAuthDecode(t *testing.T) {
|
|||
|
||||
_, _, err = BasicAuthDecode("invalid")
|
||||
require.Error(t, err)
|
||||
|
||||
_, _, err = BasicAuthDecode("YWxpY2U=") // "alice", no colon
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
func TestVerifyTimeLimitCode(t *testing.T) {
|
||||
|
|
1
release-notes/4724.md
Normal file
1
release-notes/4724.md
Normal file
|
@ -0,0 +1 @@
|
|||
OIDC integrations that POST to `/login/oauth/introspect` without sending HTTP basic authentication will now fail with a 401 HTTP Unauthorized error. To fix the error, the client must begin sending HTTP basic authentication with a valid client ID and secret. This endpoint was previously authenticated via the introspection token itself, which is less secure.
|
|
@ -332,10 +332,29 @@ func getOAuthGroupsForUser(ctx go_context.Context, user *user_model.User) ([]str
|
|||
return groups, nil
|
||||
}
|
||||
|
||||
func parseBasicAuth(ctx *context.Context) (username, password string, err error) {
|
||||
authHeader := ctx.Req.Header.Get("Authorization")
|
||||
if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") {
|
||||
return base.BasicAuthDecode(authData)
|
||||
}
|
||||
return "", "", errors.New("invalid basic authentication")
|
||||
}
|
||||
|
||||
// IntrospectOAuth introspects an oauth token
|
||||
func IntrospectOAuth(ctx *context.Context) {
|
||||
if ctx.Doer == nil {
|
||||
ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
|
||||
clientIDValid := false
|
||||
if clientID, clientSecret, err := parseBasicAuth(ctx); err == nil {
|
||||
app, err := auth.GetOAuth2ApplicationByClientID(ctx, clientID)
|
||||
if err != nil && !auth.IsErrOauthClientIDInvalid(err) {
|
||||
// this is likely a database error; log it and respond without details
|
||||
log.Error("Error retrieving client_id: %v", err)
|
||||
ctx.Error(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret))
|
||||
}
|
||||
if !clientIDValid {
|
||||
ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm=""`)
|
||||
ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
|
||||
return
|
||||
}
|
||||
|
@ -343,6 +362,7 @@ func IntrospectOAuth(ctx *context.Context) {
|
|||
var response struct {
|
||||
Active bool `json:"active"`
|
||||
Scope string `json:"scope,omitempty"`
|
||||
Username string `json:"username,omitempty"`
|
||||
jwt.RegisteredClaims
|
||||
}
|
||||
|
||||
|
@ -359,6 +379,9 @@ func IntrospectOAuth(ctx *context.Context) {
|
|||
response.Audience = []string{app.ClientID}
|
||||
response.Subject = fmt.Sprint(grant.UserID)
|
||||
}
|
||||
if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil {
|
||||
response.Username = user.Name
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -645,9 +668,8 @@ func AccessTokenOAuth(ctx *context.Context) {
|
|||
// if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header
|
||||
if form.ClientID == "" || form.ClientSecret == "" {
|
||||
authHeader := ctx.Req.Header.Get("Authorization")
|
||||
authContent := strings.SplitN(authHeader, " ", 2)
|
||||
if len(authContent) == 2 && authContent[0] == "Basic" {
|
||||
payload, err := base64.StdEncoding.DecodeString(authContent[1])
|
||||
if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") {
|
||||
clientID, clientSecret, err := base.BasicAuthDecode(authData)
|
||||
if err != nil {
|
||||
handleAccessTokenError(ctx, AccessTokenError{
|
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||
|
@ -655,30 +677,23 @@ func AccessTokenOAuth(ctx *context.Context) {
|
|||
})
|
||||
return
|
||||
}
|
||||
pair := strings.SplitN(string(payload), ":", 2)
|
||||
if len(pair) != 2 {
|
||||
handleAccessTokenError(ctx, AccessTokenError{
|
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||
ErrorDescription: "cannot parse basic auth header",
|
||||
})
|
||||
return
|
||||
}
|
||||
if form.ClientID != "" && form.ClientID != pair[0] {
|
||||
// validate that any fields present in the form match the Basic auth header
|
||||
if form.ClientID != "" && form.ClientID != clientID {
|
||||
handleAccessTokenError(ctx, AccessTokenError{
|
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||
ErrorDescription: "client_id in request body inconsistent with Authorization header",
|
||||
})
|
||||
return
|
||||
}
|
||||
form.ClientID = pair[0]
|
||||
if form.ClientSecret != "" && form.ClientSecret != pair[1] {
|
||||
form.ClientID = clientID
|
||||
if form.ClientSecret != "" && form.ClientSecret != clientSecret {
|
||||
handleAccessTokenError(ctx, AccessTokenError{
|
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||
ErrorDescription: "client_secret in request body inconsistent with Authorization header",
|
||||
})
|
||||
return
|
||||
}
|
||||
form.ClientSecret = pair[1]
|
||||
form.ClientSecret = clientSecret
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -733,3 +733,69 @@ func TestOAuth_GrantApplicationOAuth(t *testing.T) {
|
|||
resp = ctx.MakeRequest(t, req, http.StatusSeeOther)
|
||||
assert.Contains(t, test.RedirectURL(resp), "error=access_denied&error_description=the+request+is+denied")
|
||||
}
|
||||
|
||||
func TestOAuthIntrospection(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
|
||||
"grant_type": "authorization_code",
|
||||
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
|
||||
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
|
||||
"redirect_uri": "a",
|
||||
"code": "authcode",
|
||||
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
|
||||
})
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
type response struct {
|
||||
AccessToken string `json:"access_token"`
|
||||
TokenType string `json:"token_type"`
|
||||
ExpiresIn int64 `json:"expires_in"`
|
||||
RefreshToken string `json:"refresh_token"`
|
||||
}
|
||||
parsed := new(response)
|
||||
|
||||
DecodeJSON(t, resp, parsed)
|
||||
assert.Greater(t, len(parsed.AccessToken), 10)
|
||||
assert.Greater(t, len(parsed.RefreshToken), 10)
|
||||
|
||||
type introspectResponse struct {
|
||||
Active bool `json:"active"`
|
||||
Scope string `json:"scope,omitempty"`
|
||||
Username string `json:"username"`
|
||||
}
|
||||
|
||||
// successful request with a valid client_id/client_secret and a valid token
|
||||
t.Run("successful request with valid token", func(t *testing.T) {
|
||||
req := NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
|
||||
"token": parsed.AccessToken,
|
||||
})
|
||||
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
introspectParsed := new(introspectResponse)
|
||||
DecodeJSON(t, resp, introspectParsed)
|
||||
assert.True(t, introspectParsed.Active)
|
||||
assert.Equal(t, "user1", introspectParsed.Username)
|
||||
})
|
||||
|
||||
// successful request with a valid client_id/client_secret, but an invalid token
|
||||
t.Run("successful request with invalid token", func(t *testing.T) {
|
||||
req := NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
|
||||
"token": "xyzzy",
|
||||
})
|
||||
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
introspectParsed := new(introspectResponse)
|
||||
DecodeJSON(t, resp, introspectParsed)
|
||||
assert.False(t, introspectParsed.Active)
|
||||
})
|
||||
|
||||
// unsuccessful request with an invalid client_id/client_secret
|
||||
t.Run("unsuccessful request due to invalid basic auth", func(t *testing.T) {
|
||||
req := NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
|
||||
"token": parsed.AccessToken,
|
||||
})
|
||||
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpK")
|
||||
resp := MakeRequest(t, req, http.StatusUnauthorized)
|
||||
assert.Contains(t, resp.Body.String(), "no valid authorization")
|
||||
})
|
||||
}
|
||||
|
|
Loading…
Add table
Reference in a new issue