Skip to content

Commit

Permalink
allow configuring CAs/skip verify for OIDC
Browse files Browse the repository at this point in the history
Co-authored-by: Rui Yang <ruiya@vmware.com>
Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
  • Loading branch information
2 people authored and CI Bot committed Oct 16, 2020
1 parent 28b2350 commit bbbfd15
Showing 1 changed file with 57 additions and 1 deletion.
58 changes: 57 additions & 1 deletion connector/oidc/oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,13 @@ package oidc

import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net"
"net/http"
"net/url"
"strings"
Expand Down Expand Up @@ -38,12 +42,18 @@ type Config struct {
// If this field is nonempty, only users from a listed domain will be allowed to log in
HostedDomains []string `json:"hostedDomains"`

// Certificates for SSL validation
RootCAs []string `json:"rootCAs"`

// Override the value of email_verifed to true in the returned claims
InsecureSkipEmailVerified bool `json:"insecureSkipEmailVerified"`

// InsecureEnableGroups enables groups claims. This is disabled by default until https://github.com/dexidp/dex/issues/1065 is resolved
InsecureEnableGroups bool `json:"insecureEnableGroups"`

// Disable certificate verification
InsecureSkipVerify bool `json:"insecureSkipVerify"`

// GetUserInfo uses the userinfo endpoint to get additional claims for
// the token. This is especially useful where upstreams return "thin"
// id tokens
Expand Down Expand Up @@ -99,7 +109,13 @@ func knownBrokenAuthHeaderProvider(issuerURL string) bool {
// Open returns a connector which can be used to login users through an upstream
// OpenID Connect provider.
func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
httpClient, err := newHTTPClient(c.RootCAs, c.InsecureSkipVerify)
if err != nil {
return nil, err
}

ctx, cancel := context.WithCancel(context.Background())
ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)

provider, err := oidc.NewProvider(ctx, c.Issuer)
if err != nil {
Expand Down Expand Up @@ -146,6 +162,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
),
logger: logger,
cancel: cancel,
httpClient: httpClient,
hostedDomains: c.HostedDomains,
insecureSkipEmailVerified: c.InsecureSkipEmailVerified,
insecureEnableGroups: c.InsecureEnableGroups,
Expand All @@ -159,6 +176,40 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
}, nil
}

func newHTTPClient(rootCAs []string, insecureSkipVerify bool) (*http.Client, error) {
pool, err := x509.SystemCertPool()
if err != nil {
return nil, err
}

tlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify}
for _, rootCA := range rootCAs {
rootCABytes, err := ioutil.ReadFile(rootCA)
if err != nil {
return nil, fmt.Errorf("failed to read root-ca: %v", err)
}
if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
}
}

return &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tlsConfig,
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).DialContext,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
}, nil
}

var (
_ connector.CallbackConnector = (*oidcConnector)(nil)
_ connector.RefreshConnector = (*oidcConnector)(nil)
Expand All @@ -171,6 +222,7 @@ type oidcConnector struct {
verifier *oidc.IDTokenVerifier
cancel context.CancelFunc
logger log.Logger
httpClient *http.Client
hostedDomains []string
insecureSkipEmailVerified bool
insecureEnableGroups bool
Expand Down Expand Up @@ -225,7 +277,10 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
if errType := q.Get("error"); errType != "" {
return identity, &oauth2Error{errType, q.Get("error_description")}
}
token, err := c.oauth2Config.Exchange(r.Context(), q.Get("code"))

ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.httpClient)

token, err := c.oauth2Config.Exchange(ctx, q.Get("code"))
if err != nil {
return identity, fmt.Errorf("oidc: failed to get token: %v", err)
}
Expand Down Expand Up @@ -258,6 +313,7 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
if !ok {
return identity, errors.New("oidc: no id_token in token response")
}

idToken, err := c.verifier.Verify(ctx, rawIDToken)
if err != nil {
return identity, fmt.Errorf("oidc: failed to verify ID Token: %v", err)
Expand Down

0 comments on commit bbbfd15

Please sign in to comment.