OAUTH Additional claims

temporalio · Apr 8, 2024 · 24f221f · 24f221f
1 parent 94cd0d4
commit 24f221f
Show file tree

Hide file tree

Showing 8 changed files with 109 additions and 29 deletions.
diff --git a/go.work b/go.work
@@ -1,3 +1,3 @@
-go 1.18
+go 1.22.2
 
 use ./server
diff --git a/go.work.sum b/go.work.sum
diff --git a/server/config/development.yaml b/server/config/development.yaml
@@ -19,23 +19,21 @@ workflowResetDisabled: false
 batchActionsDisabled: false
 hideWorkflowQueryErrors: false
 auth:
-  enabled: false
+  enabled: true
   providers:
-    - label: Auth0 oidc # for internal use; in future may expose as button text
+    - label: oidc # for internal use; in future may expose as button text
       type: oidc # for futureproofing; only oidc is supported today
-      providerUrl: https://myorg.us.auth0.com/
-      issuerUrl: "" # needed if the Issuer Url and the Provider Url are different
-      clientId: xxxxxxxxxxxxxxxxxxxx
-      clientSecret: xxxxxxxxxxxxxxxxxxxx
+      providerUrl: https://ostaprod.accounts.ondemand.com
+      clientId: "6f22f134-8ef5-4816-b3da-6b218048bc3f"
+      clientSecret: "7]OQVHZVY6lnM86GdDWrp9e:ueFJ/fe"
       scopes:
-        - openid
         - profile
         - email
-      callbackUrl: http://localhost:8080/auth/sso/callback
+      callbackUrl: http://127.0.0.1:8081/auth/sso/callback
       options: # added as URL query params when redirecting to auth provider
-        audience: myorg-dev
-        organization: org_xxxxxxxxxxxx
-        invitation:
+      additionalClaims:
+        group: "local"
+
 tls:
   caFile:
   certFile:

diff --git a/server/go.sum b/server/go.sum
@@ -18,12 +18,15 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/labstack/echo/v4 v4.9.1 h1:GliPYSpzGKlyOhqIbG8nmHBo3i1saKWFOgh41AN3b+Y=
 github.com/labstack/echo/v4 v4.9.1/go.mod h1:Pop5HLc+xoc4qhTZ1ip6C0RtP7Z+4VzRLWZZFKqbbjo=
 github.com/labstack/gommon v0.4.0 h1:y7cvthEAEbU0yHOf4axH8ZG2NH8knB9iNSoTO8dyIk8=
@@ -37,6 +40,7 @@ github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -116,6 +120,7 @@ google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGm
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

diff --git a/server/server/auth/oidc.go b/server/server/auth/oidc.go
@@ -58,7 +58,7 @@ type Claims struct {
 	Picture       string `json:"picture"`
 }
 
-func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, provider *oidc.Provider) (*User, error) {
+func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, provider *oidc.Provider, additionalClaimsConfig map[string]string) (*User, error) {
 	state, err := r.Cookie("state")
 	if err != nil {
 		return nil, echo.NewHTTPError(http.StatusBadRequest, "State cookie is not set in request")
@@ -98,6 +98,17 @@ func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, p
 		return nil, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
 
+	if additionalClaimsConfig != nil {
+		var claimTokenValues map[string]interface{}
+		if err := idToken.Claims(&claimTokenValues); err != nil {
+			return nil, echo.NewHTTPError(http.StatusInternalServerError, "Error parse claims")
+		}
+
+		if err := VerifyAdditionalClaims(additionalClaimsConfig, claimTokenValues); err != nil {
+			return nil, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+		}
+	}
+
 	user := User{
 		OAuth2Token: oauth2Token,
 		IDToken: &IDToken{
@@ -108,3 +119,21 @@ func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, p
 
 	return &user, nil
 }
+
+func VerifyAdditionalClaims(additionalClaims map[string]string, claimTokenValues map[string]interface{}) error {
+	var successClaimCheck = false
+	for configClaimKey, configClaimValue := range additionalClaims {
+		claimValues := claimTokenValues[configClaimKey]
+		for _, claimValue := range claimValues.([]interface{}) {
+			if claimValue == configClaimValue {
+				successClaimCheck = true
+				break
+			}
+		}
+
+	}
+	if !successClaimCheck {
+		return echo.NewHTTPError(http.StatusInternalServerError, "No additional Claims defined")
+	}
+	return nil
+}
diff --git a/server/server/auth/oidc_test.go b/server/server/auth/oidc_test.go
@@ -0,0 +1,30 @@
+package auth
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestAdditionalClaimsError(t *testing.T) {
+	additionalClaims := map[string]string{
+		"foo": "bar",
+	}
+	claimTokenValues := map[string]interface{}{
+		"foo":   []interface{}{"value1", "value2", "value3"},
+		"group": []interface{}{"value1", "value2", "bar"},
+	}
+	err := VerifyAdditionalClaims(additionalClaims, claimTokenValues)
+	assert.Error(t, err)
+}
+
+func TestAdditionalClaimsSuccess(t *testing.T) {
+	additionalClaims := map[string]string{
+		"group": "bar",
+	}
+	claimTokenValues := map[string]interface{}{
+		"foo":   []interface{}{"value1", "value2", "value3"},
+		"group": []interface{}{"value1", "value2", "bar"},
+	}
+	err := VerifyAdditionalClaims(additionalClaims, claimTokenValues)
+	assert.NoError(t, err)
+}
diff --git a/server/server/config/config.go b/server/server/config/config.go
@@ -108,7 +108,8 @@ type (
 		// CallbackURL - URL for the callback URL, ex. https://localhost:8080/sso/callback
 		CallbackURL string `yaml:"callbackUrl"`
 		// Options added as URL query params when redirecting to auth provider. Can be used to configure custom auth flows such as Auth0 invitation flow.
-		Options map[string]interface{} `yaml:"options"`
+		Options          map[string]interface{} `yaml:"options"`
+		AdditionalClaims map[string]string      `yaml:"additionalClaims"`
 	}
 
 	Codec struct {

diff --git a/server/server/route/auth.go b/server/server/route/auth.go
@@ -77,8 +77,8 @@ func SetAuthRoutes(e *echo.Echo, cfgProvider *config.ConfigProviderWithRefresh)
 
 	api := e.Group("/auth")
 	api.GET("/sso", authenticate(&oauthCfg, providerCfg.Options))
-	api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider))
-	api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider)) // compatibility with UI v1
+	api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider, providerCfg.AdditionalClaims))
+	api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider, providerCfg.AdditionalClaims)) // compatibility with UI v1
 }
 
 func authenticate(config *oauth2.Config, options map[string]interface{}) func(echo.Context) error {
@@ -119,9 +119,9 @@ func authenticate(config *oauth2.Config, options map[string]interface{}) func(ec
 	}
 }
 
-func authenticateCb(ctx context.Context, oauthCfg *oauth2.Config, provider *oidc.Provider) func(echo.Context) error {
+func authenticateCb(ctx context.Context, oauthCfg *oauth2.Config, provider *oidc.Provider, additionalClaims map[string]string) func(echo.Context) error {
 	return func(c echo.Context) error {
-		user, err := auth.ExchangeCode(ctx, c.Request(), oauthCfg, provider)
+		user, err := auth.ExchangeCode(ctx, c.Request(), oauthCfg, provider, additionalClaims)
 		if err != nil {
 			return err
 		}