Skip to content
This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

Commit

Permalink
Add oauth http proxy for external server & Extract email from azure c…
Browse files Browse the repository at this point in the history
…laim

Signed-off-by: byhsu <[email protected]>
  • Loading branch information
ByronHsu committed Apr 27, 2023
1 parent 1026231 commit da3cbd3
Show file tree
Hide file tree
Showing 12 changed files with 65 additions and 20 deletions.
7 changes: 7 additions & 0 deletions auth/authzserver/claims_verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,13 @@ func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}
}
}

EmailKey := "email"
// In some cases, "user_info" field not exists in raw claim,
// but we can get email from "email" field
if emailClaim, found := claimsRaw[EmailKey]; found {
email := emailClaim.(string)
userInfo.Email = email
}
// If this is a user-only access token with no scopes defined then add `all` scope by default because it's equivalent
// to having a user's login cookie or an ID Token as means of accessing the service.
if len(clientID) == 0 && scopes.Len() == 0 {
Expand Down
2 changes: 2 additions & 0 deletions auth/authzserver/claims_verifier_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,15 @@ func Test_verifyClaims(t *testing.T) {
"sub": "123",
"client_id": "my-client",
"scp": []interface{}{"all", "offline"},
"email": "[email protected]",
})

assert.NoError(t, err)
assert.Equal(t, sets.NewString("all", "offline"), identityCtx.Scopes())
assert.Equal(t, "my-client", identityCtx.AppID())
assert.Equal(t, "123", identityCtx.UserID())
assert.Equal(t, "https://myserver", identityCtx.Audience())
assert.Equal(t, "[email protected]", identityCtx.UserInfo().Email)
})

t.Run("Multiple audience", func(t *testing.T) {
Expand Down
1 change: 1 addition & 0 deletions auth/authzserver/initialize.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import (

// RegisterHandlers registers http endpoints for handling OAuth2 flow (/authorize,
func RegisterHandlers(handler interfaces.HandlerRegisterer, authCtx interfaces.AuthenticationContext) {
// If using flyte self auth server, OAuth2Provider != nil
if authCtx.OAuth2Provider() != nil {
// Set up oauthserver endpoints. You could also use gorilla/mux or any other router.
handler.HandleFunc(authorizeRelativeURL.String(), getAuthEndpoint(authCtx))
Expand Down
12 changes: 11 additions & 1 deletion auth/authzserver/metadata_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,17 @@ func (s OAuth2MetadataProvider) GetOAuth2Metadata(ctx context.Context, r *servic
externalMetadataURL = baseURL.ResolveReference(oauth2MetadataEndpoint)
}

response, err := http.Get(externalMetadataURL.String())
httpClient := &http.Client{}

if len(s.cfg.HTTPProxyURL.String()) > 0 {
// create a transport that uses the proxy
transport := &http.Transport{
Proxy: http.ProxyURL(&s.cfg.HTTPProxyURL.URL),
}
httpClient.Transport = transport
}

response, err := httpClient.Get(externalMetadataURL.String())
if err != nil {
return nil, err
}
Expand Down
22 changes: 18 additions & 4 deletions auth/authzserver/resource_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ import (
"golang.org/x/oauth2"
)

// External auth server implementation

// ResourceServer authorizes access requests issued by an external Authorization Server.
type ResourceServer struct {
signatureVerifier oidc.KeySet
Expand Down Expand Up @@ -68,7 +70,9 @@ func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
return fmt.Errorf("expected Content-Type = application/json, got %q: %v", ct, err)
}

func getJwksForIssuer(ctx context.Context, issuerBaseURL url.URL, customMetadataURL url.URL) (keySet oidc.KeySet, err error) {
func getJwksForIssuer(ctx context.Context, issuerBaseURL url.URL, cfg authConfig.ExternalAuthorizationServer) (keySet oidc.KeySet, err error) {
customMetadataURL := cfg.MetadataEndpointURL.URL

issuerBaseURL.Path = strings.TrimSuffix(issuerBaseURL.Path, "/") + "/"
var wellKnown *url.URL
if len(customMetadataURL.String()) > 0 {
Expand All @@ -77,12 +81,22 @@ func getJwksForIssuer(ctx context.Context, issuerBaseURL url.URL, customMetadata
wellKnown = issuerBaseURL.ResolveReference(oauth2MetadataEndpoint)
}

httpClient := &http.Client{}

if len(cfg.HTTPProxyURL.String()) > 0 {
// create a transport that uses the proxy
transport := &http.Transport{
Proxy: http.ProxyURL(&cfg.HTTPProxyURL.URL),
}
httpClient.Transport = transport
}

req, err := http.NewRequest(http.MethodGet, wellKnown.String(), nil)
if err != nil {
return nil, err
}

resp, err := doRequest(ctx, req)
resp, err := httpClient.Do(req)
if err != nil {
return nil, err
}
Expand All @@ -104,7 +118,7 @@ func getJwksForIssuer(ctx context.Context, issuerBaseURL url.URL, customMetadata
return nil, fmt.Errorf("failed to decode provider discovery object: %v", err)
}

return oidc.NewRemoteKeySet(ctx, p.JwksUri), nil
return oidc.NewRemoteKeySet(oidc.ClientContext(ctx, httpClient), p.JwksUri), nil
}

// NewOAuth2ResourceServer initializes a new OAuth2ResourceServer.
Expand All @@ -114,7 +128,7 @@ func NewOAuth2ResourceServer(ctx context.Context, cfg authConfig.ExternalAuthori
u = fallbackBaseURL
}

verifier, err := getJwksForIssuer(ctx, u.URL, cfg.MetadataEndpointURL.URL)
verifier, err := getJwksForIssuer(ctx, u.URL, cfg)
if err != nil {
return ResourceServer{}, err
}
Expand Down
4 changes: 2 additions & 2 deletions auth/authzserver/resource_server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,7 @@ func Test_getJwksForIssuer(t *testing.T) {
type args struct {
ctx context.Context
issuerBaseURL url.URL
customMetaURL url.URL
cfg authConfig.ExternalAuthorizationServer
}
tests := []struct {
name string
Expand All @@ -234,7 +234,7 @@ func Test_getJwksForIssuer(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := getJwksForIssuer(tt.args.ctx, tt.args.issuerBaseURL, tt.args.customMetaURL)
got, err := getJwksForIssuer(tt.args.ctx, tt.args.issuerBaseURL, tt.args.cfg)
if (err != nil) != tt.wantErr {
t.Errorf("getJwksForIssuer() error = %v, wantErr %v", err, tt.wantErr)
return
Expand Down
5 changes: 5 additions & 0 deletions auth/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,9 @@ type Config struct {
// the `secure` setting.
AuthorizedURIs []config.URL `json:"authorizedUris" pflag:"-,Optional: Defines the set of URIs that clients are allowed to visit the service on. If set, the system will attempt to match the incoming host to the first authorized URIs and use that (including the scheme) when generating metadata endpoints and when validating audience and issuer claims. If not provided, the urls will be deduced based on the request url and the 'secure' setting."`

// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`

// UserAuth settings used to authenticate end users in web-browsers.
UserAuth UserAuthConfig `json:"userAuth" pflag:",Defines Auth options for users."`

Expand Down Expand Up @@ -187,6 +190,8 @@ type ExternalAuthorizationServer struct {
BaseURL config.URL `json:"baseUrl" pflag:",This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/"`
AllowedAudience []string `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service."`
MetadataEndpointURL config.URL `json:"metadataUrl" pflag:",Optional: If the server doesn't support /.well-known/oauth-authorization-server, you can set a custom metadata url here.'"`
// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
}

// OAuth2Options defines settings for app auth.
Expand Down
2 changes: 2 additions & 0 deletions auth/handlers.go
Original file line number Diff line number Diff line change
Expand Up @@ -309,6 +309,7 @@ func GetHTTPRequestCookieToMetadataHandler(authCtx interfaces.AuthenticationCont
return nil
}

// IDtoken is injected into grpc authorization metadata
meta := metadata.MD{
DefaultAuthorizationHeader: []string{fmt.Sprintf("%s %s", IDTokenScheme, idToken)},
}
Expand Down Expand Up @@ -396,6 +397,7 @@ func QueryUserInfo(ctx context.Context, identityContext interfaces.IdentityConte
return QueryUserInfoUsingAccessToken(ctx, request, authCtx, accessToken)
}

// Extract User info from access token for HTTP request
func QueryUserInfoUsingAccessToken(ctx context.Context, originalRequest *http.Request, authCtx interfaces.AuthenticationContext, accessToken string) (
*service.UserInfoResponse, error) {

Expand Down
2 changes: 2 additions & 0 deletions auth/interceptor.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package auth
import (
"context"

"github.com/flyteorg/flytestdlib/logger"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
Expand All @@ -17,6 +18,7 @@ func BlanketAuthorization(ctx context.Context, req interface{}, _ *grpc.UnarySer
}

if !identityContext.Scopes().Has(ScopeAll) {
logger.Debugf(ctx, "authenticated user doesn't have required scope")
return nil, status.Errorf(codes.Unauthenticated, "authenticated user doesn't have required scope")
}

Expand Down
2 changes: 2 additions & 0 deletions auth/token.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ func GRPCGetIdentityFromAccessToken(ctx context.Context, authCtx interfaces.Auth
interfaces.IdentityContext, error) {

tokenStr, err := grpcauth.AuthFromMD(ctx, BearerScheme)
logger.Debugf(ctx, "Access Token = %v", tokenStr)
if err != nil {
logger.Debugf(ctx, "Could not retrieve bearer token from metadata %v", err)
return nil, errors.Wrapf(ErrJwtValidation, err, "Could not retrieve bearer token from metadata")
Expand All @@ -99,6 +100,7 @@ func GRPCGetIdentityFromIDToken(ctx context.Context, clientID string, provider *
interfaces.IdentityContext, error) {

tokenStr, err := grpcauth.AuthFromMD(ctx, IDTokenScheme)
logger.Debugf(ctx, "ID Token = %v", tokenStr)
if err != nil {
logger.Debugf(ctx, "Could not retrieve id token from metadata %v", err)
return nil, errors.Wrapf(ErrJwtValidation, err, "Could not retrieve id token from metadata")
Expand Down
8 changes: 4 additions & 4 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ require (
github.com/coreos/go-oidc v2.2.1+incompatible
github.com/evanphx/json-patch v4.12.0+incompatible
github.com/flyteorg/flyteidl v1.3.14
github.com/flyteorg/flyteplugins v1.0.40
github.com/flyteorg/flyteplugins v1.0.49
github.com/flyteorg/flytepropeller v1.1.70
github.com/flyteorg/flytestdlib v1.0.15
github.com/flyteorg/stow v0.3.6
Expand Down Expand Up @@ -169,12 +169,12 @@ require (
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
golang.org/x/net v0.7.0 // indirect
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
golang.org/x/sync v0.1.0 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/term v0.5.0 // indirect
golang.org/x/text v0.7.0 // indirect
golang.org/x/tools v0.1.12 // indirect
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
golang.org/x/tools v0.4.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/appengine v1.6.7 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.66.4 // indirect
Expand Down
18 changes: 9 additions & 9 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -314,8 +314,8 @@ github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8S
github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/flyteorg/flyteidl v1.3.14 h1:o5M0g/r6pXTPu5PEurbYxbQmuOu3hqqsaI2M6uvK0N8=
github.com/flyteorg/flyteidl v1.3.14/go.mod h1:Pkt2skI1LiHs/2ZoekBnyPhuGOFMiuul6HHcKGZBsbM=
github.com/flyteorg/flyteplugins v1.0.40 h1:RTsYingqmqr13qBbi4CB2ArXDHNHUOkAF+HTLJQiQ/s=
github.com/flyteorg/flyteplugins v1.0.40/go.mod h1:qyUPqVspLcLGJpKxVwHDWf+kBpOGuItOxCaF6zAmDio=
github.com/flyteorg/flyteplugins v1.0.49 h1:lUmT4kqYamkJY2tO6nCWRCnVv2M2QNLIap5bFYAol7s=
github.com/flyteorg/flyteplugins v1.0.49/go.mod h1:ztsonku5fKwyxcIg1k69PTiBVjRI6d3nK5DnC+iwx08=
github.com/flyteorg/flytepropeller v1.1.70 h1:/d1qqz13rdVADM85ST70eerAdBstJJz9UUB/mNSZi0w=
github.com/flyteorg/flytepropeller v1.1.70/go.mod h1:MezHUJmgPzm4Pu8nIy6LLiEkxNA6buTQ7hInSqCViTY=
github.com/flyteorg/flytestdlib v1.0.15 h1:kv9jDQmytbE84caY+pkZN8trJU2ouSAmESzpTEhfTt0=
Expand Down Expand Up @@ -1644,7 +1644,7 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180816102801-aaf60122140d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -1751,8 +1751,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180816055513-1c9583448a9c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
Expand Down Expand Up @@ -1998,17 +1998,17 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
gonum.org/v1/gonum v0.6.2/go.mod h1:9mxDZsDKxgMAuccQkewq682L+0eCu4dCN2yonUJTCLU=
Expand Down

0 comments on commit da3cbd3

Please sign in to comment.