mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
ddea31193b
OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
125 lines
3.9 KiB
Go
125 lines
3.9 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/authelia/authelia/internal/middlewares"
|
|
)
|
|
|
|
func oidcConsent(ctx *middlewares.AutheliaCtx) {
|
|
userSession := ctx.GetSession()
|
|
|
|
if userSession.OIDCWorkflowSession == nil {
|
|
ctx.Logger.Debugf("Cannot consent for user %s when OIDC workflow has not been initiated", userSession.Username)
|
|
ctx.ReplyForbidden()
|
|
|
|
return
|
|
}
|
|
|
|
clientID := userSession.OIDCWorkflowSession.ClientID
|
|
client, err := ctx.Providers.OpenIDConnect.Store.GetInternalClient(clientID)
|
|
|
|
if err != nil {
|
|
ctx.Logger.Debugf("Unable to find related client configuration with name '%s': %v", clientID, err)
|
|
ctx.ReplyForbidden()
|
|
|
|
return
|
|
}
|
|
|
|
if !client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
|
|
ctx.Logger.Debugf("Insufficient permissions to give consent v2 %d -> %d", userSession.AuthenticationLevel, userSession.OIDCWorkflowSession.RequiredAuthorizationLevel)
|
|
ctx.ReplyForbidden()
|
|
|
|
return
|
|
}
|
|
|
|
var body ConsentGetResponseBody
|
|
body.Scopes = scopeNamesToScopes(userSession.OIDCWorkflowSession.RequestedScopes)
|
|
body.Audience = audienceNamesToAudience(userSession.OIDCWorkflowSession.RequestedAudience)
|
|
body.ClientID = client.ID
|
|
body.ClientDescription = client.Description
|
|
|
|
if err := ctx.SetJSONBody(body); err != nil {
|
|
ctx.Error(fmt.Errorf("Unable to set JSON body: %v", err), "Operation failed")
|
|
}
|
|
}
|
|
|
|
func oidcConsentPOST(ctx *middlewares.AutheliaCtx) {
|
|
userSession := ctx.GetSession()
|
|
|
|
if userSession.OIDCWorkflowSession == nil {
|
|
ctx.Logger.Debugf("Cannot consent for user %s when OIDC workflow has not been initiated", userSession.Username)
|
|
ctx.ReplyForbidden()
|
|
|
|
return
|
|
}
|
|
|
|
client, err := ctx.Providers.OpenIDConnect.Store.GetInternalClient(userSession.OIDCWorkflowSession.ClientID)
|
|
|
|
if err != nil {
|
|
ctx.Logger.Debugf("Unable to find related client configuration with name '%s': %v", userSession.OIDCWorkflowSession.ClientID, err)
|
|
ctx.ReplyForbidden()
|
|
|
|
return
|
|
}
|
|
|
|
if !client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
|
|
ctx.Logger.Debugf("Insufficient permissions to give consent v1 %d -> %d", userSession.AuthenticationLevel, userSession.OIDCWorkflowSession.RequiredAuthorizationLevel)
|
|
ctx.ReplyForbidden()
|
|
|
|
return
|
|
}
|
|
|
|
var body ConsentPostRequestBody
|
|
err = json.Unmarshal(ctx.Request.Body(), &body)
|
|
|
|
if err != nil {
|
|
ctx.Error(fmt.Errorf("Unable to unmarshal body: %v", err), "Operation failed")
|
|
return
|
|
}
|
|
|
|
if body.AcceptOrReject != accept && body.AcceptOrReject != reject {
|
|
ctx.Logger.Infof("User %s tried to reply to consent with an unexpected verb", userSession.Username)
|
|
ctx.ReplyBadRequest()
|
|
|
|
return
|
|
}
|
|
|
|
if userSession.OIDCWorkflowSession.ClientID != body.ClientID {
|
|
ctx.Logger.Infof("User %s consented to scopes of another client (%s) than expected (%s). Beware this can be a sign of attack",
|
|
userSession.Username, body.ClientID, userSession.OIDCWorkflowSession.ClientID)
|
|
ctx.ReplyBadRequest()
|
|
|
|
return
|
|
}
|
|
|
|
var redirectionURL string
|
|
|
|
if body.AcceptOrReject == accept {
|
|
redirectionURL = userSession.OIDCWorkflowSession.AuthURI
|
|
userSession.OIDCWorkflowSession.GrantedScopes = userSession.OIDCWorkflowSession.RequestedScopes
|
|
userSession.OIDCWorkflowSession.GrantedAudience = userSession.OIDCWorkflowSession.RequestedAudience
|
|
|
|
if err := ctx.SaveSession(userSession); err != nil {
|
|
ctx.Error(fmt.Errorf("Unable to write session: %v", err), "Operation failed")
|
|
return
|
|
}
|
|
} else if body.AcceptOrReject == reject {
|
|
redirectionURL = fmt.Sprintf("%s?error=access_denied&error_description=%s",
|
|
userSession.OIDCWorkflowSession.TargetURI, "User has rejected the scopes")
|
|
userSession.OIDCWorkflowSession = nil
|
|
|
|
if err := ctx.SaveSession(userSession); err != nil {
|
|
ctx.Error(fmt.Errorf("Unable to write session: %v", err), "Operation failed")
|
|
return
|
|
}
|
|
}
|
|
|
|
response := ConsentPostResponseBody{RedirectURI: redirectionURL}
|
|
|
|
if err := ctx.SetJSONBody(response); err != nil {
|
|
ctx.Error(fmt.Errorf("Unable to set JSON body in response"), "Operation failed")
|
|
}
|
|
}
|