Set OpenID Connect Expiry
This commit adds a default OpenID Connect expiry to 180d to align with Tailscale SaaS (previously infinite or based on token expiry). In addition, it adds an option use the expiry time from the Token sent by the OpenID provider. This will typically cause really short expiry and you should only turn on this option if you know what you are desiring. This fixes #1176. Co-authored-by: Even Holthe <even.holthe@bekk.no> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby
Kristoffer Dalby
parent
385fd93e73
commit
da48cf64b3
10 changed files with 88 additions and 22 deletions
24
oidc.go
24
oidc.go
|
|
@ -27,8 +27,10 @@ const (
|
|||
errOIDCAllowedDomains = Error("authenticated principal does not match any allowed domain")
|
||||
errOIDCAllowedGroups = Error("authenticated principal is not in any allowed group")
|
||||
errOIDCAllowedUsers = Error("authenticated principal does not match any allowed user")
|
||||
errOIDCInvalidMachineState = Error("requested machine state key expired before authorisation completed")
|
||||
errOIDCNodeKeyMissing = Error("could not get node key from cache")
|
||||
errOIDCInvalidMachineState = Error(
|
||||
"requested machine state key expired before authorisation completed",
|
||||
)
|
||||
errOIDCNodeKeyMissing = Error("could not get node key from cache")
|
||||
)
|
||||
|
||||
type IDTokenClaims struct {
|
||||
|
|
@ -68,6 +70,14 @@ func (h *Headscale) initOIDC() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (h *Headscale) determineTokenExpiration(idTokenExpiration time.Time) time.Time {
|
||||
if h.cfg.OIDC.UseExpiryFromToken {
|
||||
return idTokenExpiration
|
||||
}
|
||||
|
||||
return time.Now().Add(h.cfg.OIDC.Expiry)
|
||||
}
|
||||
|
||||
// RegisterOIDC redirects to the OIDC provider for authentication
|
||||
// Puts NodeKey in cache so the callback can retrieve it using the oidc state param
|
||||
// Listens in /oidc/register/:nKey.
|
||||
|
|
@ -193,6 +203,7 @@ func (h *Headscale) OIDCCallback(
|
|||
if err != nil {
|
||||
return
|
||||
}
|
||||
idTokenExpiry := h.determineTokenExpiration(idToken.Expiry)
|
||||
|
||||
// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
|
||||
// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
|
||||
|
|
@ -218,7 +229,12 @@ func (h *Headscale) OIDCCallback(
|
|||
return
|
||||
}
|
||||
|
||||
nodeKey, machineExists, err := h.validateMachineForOIDCCallback(writer, state, claims, idToken.Expiry)
|
||||
nodeKey, machineExists, err := h.validateMachineForOIDCCallback(
|
||||
writer,
|
||||
state,
|
||||
claims,
|
||||
idTokenExpiry,
|
||||
)
|
||||
if err != nil || machineExists {
|
||||
return
|
||||
}
|
||||
|
|
@ -236,7 +252,7 @@ func (h *Headscale) OIDCCallback(
|
|||
return
|
||||
}
|
||||
|
||||
if err := h.registerMachineForOIDCCallback(writer, user, nodeKey, idToken.Expiry); err != nil {
|
||||
if err := h.registerMachineForOIDCCallback(writer, user, nodeKey, idTokenExpiry); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue