Allow more configuration over the OIDC flow.
Adds knobs to configure three aspects of the OpenID Connect flow: * Custom scopes to override the default "openid profile email". * Custom parameters to be added to the Authorize Endpoint request. * Domain allowlisting for authenticated principals. * User allowlisting for authenticated principals.
This commit is contained in:
Antoine POPINEAU
parent
ddb87af5ce
commit
7cc58af932
6 changed files with 68 additions and 2 deletions
34
oidc.go
34
oidc.go
|
|
@ -53,7 +53,7 @@ func (h *Headscale) initOIDC() error {
|
|||
"%s/oidc/callback",
|
||||
strings.TrimSuffix(h.cfg.ServerURL, "/"),
|
||||
),
|
||||
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
||||
Scopes: h.cfg.OIDC.Scope,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -91,7 +91,14 @@ func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
|
|||
// place the machine key into the state cache, so it can be retrieved later
|
||||
h.registrationCache.Set(stateStr, machineKeyStr, registerCacheExpiration)
|
||||
|
||||
authURL := h.oauth2Config.AuthCodeURL(stateStr)
|
||||
// Add any extra parameter provided in the configuration to the Authorize Endpoint request
|
||||
extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
|
||||
|
||||
for k, v := range h.cfg.OIDC.ExtraParams {
|
||||
extras = append(extras, oauth2.SetAuthURLParam(k, v))
|
||||
}
|
||||
|
||||
authURL := h.oauth2Config.AuthCodeURL(stateStr, extras...)
|
||||
log.Debug().Msgf("Redirecting to %s for authentication", authURL)
|
||||
|
||||
ctx.Redirect(http.StatusFound, authURL)
|
||||
|
|
@ -187,6 +194,29 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
// If AllowedDomains is provided, check that the authenticated principal ends with @<alloweddomain>.
|
||||
if len(h.cfg.OIDC.AllowedDomains) > 0 {
|
||||
if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
|
||||
!IsStringInSlice(h.cfg.OIDC.AllowedDomains, claims.Email[at+1:]) {
|
||||
log.Error().Msg("authenticated principal does not match any allowed domain")
|
||||
ctx.String(
|
||||
http.StatusBadRequest,
|
||||
"unauthorized principal (domain mismatch)",
|
||||
)
|
||||
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// If AllowedUsers is provided, check that the authenticated princial is part of that list.
|
||||
if len(h.cfg.OIDC.AllowedUsers) > 0 &&
|
||||
!IsStringInSlice(h.cfg.OIDC.AllowedUsers, claims.Email) {
|
||||
log.Error().Msg("authenticated principal does not match any allowed user")
|
||||
ctx.String(http.StatusBadRequest, "unauthorized principal (user mismatch)")
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// retrieve machinekey from state cache
|
||||
machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue