providers/proxy: add initial header token auth (#4421)

* initial implementation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check for openid/profile claims Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include jwks sources in proxy provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add web ui for jwks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only show sources with JWKS data configured Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix introspection tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start basic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs, update admonitions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add client_id to api, add tab for auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-13 16:22:03 +01:00
parent 31c6ea9fda
commit cd12e177ea
54 changed files with 830 additions and 162 deletions
--- a/internal/outpost/proxyv2/application/auth_basic.go
+++ b/internal/outpost/proxyv2/application/auth_basic.go
@ -0,0 +1,59 @@
+package application
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type TokenResponse struct {
+	AccessToken string `json:"access_token"`
+	IDToken     string `json:"id_token"`
+}
+
+func (a *Application) attemptBasicAuth(username, password string) *Claims {
+	values := url.Values{
+		"grant_type": []string{"client_credentials"},
+		"client_id":  []string{a.oauthConfig.ClientID},
+		"username":   []string{username},
+		"password":   []string{password},
+		"scope":      []string{strings.Join(a.oauthConfig.Scopes, " ")},
+	}
+	req, err := http.NewRequest("POST", a.endpoint.TokenURL, strings.NewReader(values.Encode()))
+	if err != nil {
+		a.log.WithError(err).Warning("failed to create token request")
+		return nil
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	res, err := a.httpClient.Do(req)
+	if err != nil || res.StatusCode > 200 {
+		a.log.WithError(err).Warning("failed to send token request")
+		return nil
+	}
+	var token TokenResponse
+	err = json.NewDecoder(res.Body).Decode(&token)
+	if err != nil {
+		a.log.WithError(err).Warning("failed to parse token response")
+		return nil
+	}
+	// Parse and verify ID Token payload.
+	idToken, err := a.tokenVerifier.Verify(context.Background(), token.IDToken)
+	if err != nil {
+		a.log.WithError(err).Warning("failed to verify token")
+		return nil
+	}
+
+	// Extract custom claims
+	var claims *Claims
+	if err := idToken.Claims(&claims); err != nil {
+		a.log.WithError(err).Warning("failed to convert token to claims")
+		return nil
+	}
+	if claims.Proxy == nil {
+		claims.Proxy = &ProxyClaims{}
+	}
+	claims.RawToken = token.IDToken
+	return claims
+}