jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-06-09 04:37:31 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: OIDC wasm plugin (#1049)

Browse Source
This commit is contained in:
Jingze
2024-08-27 17:16:59 +08:00
committed by GitHub
parent c42275ba9a
commit e4a7807230
25 changed files with 488 additions and 2428 deletions
Download Patch File Download Diff File Expand all files Collapse all files

413
plugins/wasm-go/extensions/oidc/README.md
View File

@@ -1,58 +1,222 @@
# 功能说明
`oidc` 本插件实现了 OIDC 认证能力, 插件目前存在的 CSRF 攻击问题,不建议用于生产环境
# OIDC Wasm 插件
# 配置字段
| 字段 | 数据类型 | 填写要求 | 默认值 | 描述 |
|-------------------|--------|------|------------|------------------------------------------------------------------|
| issuer | string | 必填 | - | 设置认证服务的 issuer ,即签发人。 |
| client_id | string | 必填 | - | 输入服务注册的应用 ID 。 |
| client_secret | string | 必填 | - | 输入服务注册的应用 Secret 。 |
| redirect_url | string | 必填 | - | 输入授权成功后的重定向地址,需要与 OIDC 中配置的重定向地址保持一致。该地址的后缀需为 (oauth2/callback)。 |
| client_url | string | 必填 | - | 登陆成功跳转后的地址,如果未跳转成功,请检查设置的 cookiename 是否重复。 |
| scopes | Array | 必填 | - | 输入授权作用域的数组。 |
| skip_expiry_check | bool | 选填 | false | 控制是否检测 IDToken 的过期状态。 |
| skip_nonce_check | bool | 选填 | true | 控制是否检测 Nonce 值。 |
| timeout_millis | int | 选填 | 500 | 设置请求与认证服务连接的超时时长。如果频繁遇到超时错误,建议增加该时长。 |
| cookie_name | string | 选填 | "_oidc_wasm" | 设置 cookie 的名称, 如果一个域名下多个路由设置不同的认证服务,建议设置不同名称。 |
| cookie_domain | string | 必填 | - | 设置 cookie 的域名。 |
| cookie_path | string | 选填 | "/" | 设置 cookie 的存储路径。 |
| cookie_secure | bool | 选填 | false | 控制 cookie 是否只在 HTTPS 下传输。 |
| cookie_httponly | bool | 选填 | true | 控制 cookie 是否仅限于 HTTP 传输禁止JavaScript访问。 |
| cookie_samesite | string | 选填 | "Lax" | 设置 cookie 的 SameSite 属性,如:"Lax", "none"。第三方跳转一般建议默认设置为Lax |
| service_source | string | 必填 | - | 类型为固定 ip 或者 DNS ,输入认证 oidc 服务的注册来源。 |
| service_name | string | 必填 | - | 输入认证 oidc 服务的注册名称。 |
| service_port | int | 必填 | - | 输入认证 oidc 服务的服务端口。 |
| service_host | string | 必填 | - | 当类型为固定ip时必须填写,输入认证 oidc 服务的主机名。 |
| service_domain | string | 必填 | - | 当类型为DNS时必须填写输入认证 oidc 服务的domain。 |
## 简介
这是一个用于OIDC认证配置的表格确保在提供所有必要的信息时遵循上述指导
# 配置示例
- 固定ip
```yaml
issuer: "http://127.0.0.1:9090/realms/myrealm"
redirect_url: "http://foo.bar.com/bar/oauth2/callback"
client_url: "http://foo.bar.com/"
scopes:
- "openid"
- "email"
cookie_name: "_oauth2_wasm_keyclocak"
cookie_domain: "foo.bar.com"
client_id: "xxxxxxxxxxxx"
client_secret: "xxxxxxxxxxxxxx"
service_host: "127.0.0.1:9090"
service_name: "keyclocak"
service_port: 80
service_source: "ip"
本仓库提供了一个高度可集成的Wasm插件支持OpenID ConnectOIDC身份认证同时强化了对跨站请求伪造CSRF攻击的防御能力支持OpenID Connect协议中的Logout Endpoint。在通过Wasm插件OIDC验证后的请求会携带 `Authorization`的标头对应Access Token
### OIDC 流程图
<p align="center">
<img src="https://gw.alicdn.com/imgextra/i4/O1CN01TlwBDY280yPxwr4Di_!!6000000007871-2-tps-1807-1828.png" alt="oidc_process" style="zoom: 33%;" />
</p>
### OIDC 流程解析
1. 模拟用户访问对应服务api
```shell
curl --url "foo.bar.com/headers"
```
2. Higress重定向到OIDC Provider登录页同时携带client_id、response_type、scope等OIDC认证的参数并设置csrf cookie防御CSRF攻击
```shell
curl --url "https://dev-o43xb1mz7ya7ach4.us.auth0.com/authorize"\
--url-query "approval_prompt=force" \
--url-query "client_id=YagFqRD9tfNIaac5BamjhsSatjrAnsnZ" \
--url-query "redirect_uri=http%3A%2F%2Ffoo.bar.com%2Foauth2%2Fcallback" \
--url-query "response_type=code" \
--url-query "scope=openid+email+offline_access" \
--url-query "state=nT06xdCqn4IqemzBRV5hmO73U_hCjskrH_VupPqdcdw%3A%2Ffoo" \
--header "Set-Cookie: _oauth2_proxy_csrf=LPruATEDgcdmelr8zScD_ObhsbP4zSzvcgmPlcNDcJpFJ0OvhxP2hFotsU-kZnYxd5KsIjzeIXGTOjf8TKcbTHbDIt-aQoZORXI_0id3qeY0Jt78223DPeJ1xBqa8VO0UiEOUFOR53FGxirJOdKFxaAvxDFb1Ok=|1718962455|V1QGWyjQ4hMNOQ4Jtf17HeQJdVqHdt5d65uraFduMIU=; Path=/; Expires=Fri, 21 Jun 2024 08:06:20 GMT; HttpOnly"
```
3. 用户在登录页进行登录
![keycloak_login](https://gw.alicdn.com/imgextra/i4/O1CN01HLcl7r1boXwwnzGqA_!!6000000003512-0-tps-3840-2160.jpg)
4. 携带授权重定向到Higress并携带了state参数用于验证CSRF Cookie授权code用于交换Token
```shell
curl --url "http://foo.bar.com/oauth2/callback" \
--url-query "state=nT06xdCqn4IqemzBRV5hmO73U_hCjskrH_VupPqdcdw%3A%2Ffoo" \
--url-query "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm"
```
5. 利用授权交换id_token和access_token
```shell
curl -X POST \
--url "https://dev-o43xb1mz7ya7ach4.us.auth0.com/oauth/token" \
--data "grant_type=authorization_code" \
--data "client_id=YagFqRD9tfNIaac5BamjhsSatjrAnsnZ" \
--data "client_secret=ekqv5XoZuMFtYms1NszEqRx03qct6BPvGeJUeptNG4y09PrY16BKT9IWezTrrhJJ" \
--data "redirect_uri=http%3A%2F%2Ffoo.bar.com%2Foauth2%2Fcallback" \
--data "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm" \
```
返回的请求里包含了id_token, access_tokenrefresh_token用于后续刷新access_token
```json
{
"access_token": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtbzQzeGIxbXo3eWE3YWNoNC51cy5hdXRoMC5jb20vIn0..WP_WRVM-y3fM1sN4.fAQqtKoKZNG9Wj0OhtrMgtsjTJ2J72M2klDRd9SvUKGbiYsZNPmIl_qJUf81D3VIjD59o9xrOOJIzXTgsfFVA2x15g-jBlNh68N7dyhXu9237Tbplweu1jA25IZDSnjitQ3pbf7xJVIfPnWcrzl6uT8G1EP-omFcl6AQprV2FoKFMCGFCgeafuttppKe1a8mpJDj7AFLPs-344tT9mvCWmI4DuoLFh0PiqMMJBByoijRSxcSdXLPxZng84j8JVF7H6mFa-dj-icP-KLy6yvzEaRKz_uwBzQCzgYK434LIpqw_PRuN3ClEsenwRgIsNdVjvKcoAysfoZhmRy9BQaE0I7qTohSBFNX6A.mgGGeeWgugfXcUcsX4T5dQ",
"refresh_token": "GrZ1f2JvzjAZQzSXmyr1ScWbv8aMFBvzAXHBUSiILcDEG",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imc1Z1ExSF9ZbTY0WUlvVkQwSVpXTCJ9.eyJlbWFpbCI6IjE2MDExNTYyNjhAcXEuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL2Rldi1vNDN4YjFtejd5YTdhY2g0LnVzLmF1dGgwLmNvbS8iLCJhdWQiOiJZYWdGcVJEOXRmTklhYWM1QmFtamhzU2F0anJBbnNuWiIsImlhdCI6MTcxOTE5ODYzOCwiZXhwIjoxNzE5MjM0NjM4LCJzdWIiOiJhdXRoMHw2NjVkNzFlNzRjMTMxMTc3YmU2NmU2MDciLCJzaWQiOiJjdDJVOF9ZUS16VDdFOGkwRTNNeUstejc5ZGlWUWhhVSJ9.gfzXKJ0FeqzYqOUDLQHWcUG19IOLqkpLN09xTmIat0umrlGV5VNSumgWH3XJmmwnhdb8AThH3Jf-7kbRJzu4rM-BbGbFTRBTzNHeUajFOFrIgld5VENQ_M_sXHkTp0psWKSr9vF24kmilCfSbvC5lBKjt878ljZ7-xteWuaUYOMUdcJb4DSv0-zjX01sonJxYamTlhji3M4TAW7VwhwqyZt8dBhVSNaRw1wUKj-M1JrBDLyx65sroZtSqVA0udIrqMHEbWYb2de7JjzlqG003HRMzwOm7OXgEd5ZVFqgmBLosgixOU5DJ4A26nlqK92Sp6VqDMRvA-3ym8W_m-wJ_A",
"scope": "openid email offline_access",
"expires_in": 86400,
"token_type": "Bearer"
}
```
6. 将获得的id_token和access_token加密存储在Cookie _oauth2_proxy中用于后续用户登录状态的验证同时清除Cookie _oauth2_proxy_csrf
```json
"Set-Cookie": [
"_oauth2_proxy_csrf=; Path=/; Expires=Mon, 24 Jun 2024 02:17:39 GMT; HttpOnly",
"_oauth2_proxy=8zM_Pcfpp_gesKFe4SMg08o5Iv0A8WAOQOmG1-vZBbQ56UggYVC0Cu-gFMEoxJZU5q1O5vqRlVBizlLetgVjRCksGVbttwl8tQ7h5YiyIubbbtvF1T4JzLh3QfzUUrwbB-VznOkh8qLbjAhddocecjBt4rMiDyceKXqMr4eO5TUEMx4vHtJYnTYalMeTYhGXk5MNSyrdZX9NnQnkdrCjiOQM13ggwob2nYwhGWaAlgzFSWkgkdtBy2Cl_YMWZ8_gKk9rDX289-JrJyGpr5k9O9RzRhZoY2iE3Mcr8-Q37RTji1Ga22QO-XkAcSaGqY1Qo7jLdmgZTYKC5JvtdLc4rj3vcbveYxU7R3Pt2vEribQjKTh4Sqb0aA03p4cxXyZN4SUfBW1NAOm4JLPUhKJy8frqC9_E0nVqPvpvnacaoQs8WkX2zp75xHoMa3SD6KZhQ5JUiPEiNkOaUsyafLvht6lLkNDhgzW3BP2czoe0DCDBLnsot0jH-qQpMZYkaGr-ZnRKI1OPl1vHls3mao5juOAW1VB2A9aughgc8SJ55IFZpMfFMdHdTDdMqPODkItX2PK44GX-pHeLxkOqrzp3GHtMInpL5QIQlTuux3erm3CG-ntlUE7JBtN2T9LEb8XfIFu58X9_vzMun4JQlje2Thi9_taI_z1DSaTtvNNb54wJfSPwYCCl4OsH-BacVmPQhH6TTZ6gP2Qsm5TR2o1U2D9fuVkSM-OPCG9l3tILambIQwC3vofMW6X8SIFSmhJUDvN7NbwxowBiZ6Y7GJRZlAk_GKDkpsdrdIvC67QqczZFphRVnm6qi-gPO41APCbcO6fgTwyOhbP3RrZZKWSIqWJYhNE3_Sfkf0565H7sC7Hc8XUUjJvP3WnjKS9x7KwzWa-dsUjV3-Q-VNl-rXTguVNAIirYK-qrMNMZGCRcJqcLnUF0V_J2lVmFyVsSlE3t0sDw2xmbkOwDptXFOjQL5Rb4esUMYdCBWFajBfvUtcZEFtYhD0kb6VcbjXO3NCVW5qKh_l9C9SRCc7TG1vcRAqUQlRXHacTGWfcWsuQkCJ3Mp_oWaDxs1GRDykQYxAn5sTICovThWEU2C6o75grWaNrkj5NU-0eHh3ryvxLmGLBOXZV9OQhtKShWmUgywSWMxOHOuZAqdAPULc8KheuGFjXYp-RnCbFYWePJmwzfQw89kSkj1KUZgMYwKEjSz62z2qc9KLczomv76ortQzvo4Hv9kaW6xVuQj5R5Oq6_WMBOqsmUMzcXpxCIOGjcdcZRBc0Fm09Uy9oV1PRqvAE4PGtfyrCaoqILBix8UIww63B07YGwzQ-hAXDysBK-Vca2x7GmGdXsNXXcTgu00bdsjtHZPDBBWGfL3g_rMAXr2vWyvK4CwNjcaPAmrlF3geHPwbIePT0hskBboX1v1bsuhzsai7rGM4r53pnb1ZEoTQDa1B-HyokFgo14XiwME0zE1ifpNzefjpkz1YY2krJlqfCydNwoKaTit4tD2yHlnxAeFF9iIrxzSKErNUFpmyLa7ge7V33vhEH-6k5oBTLE2Q2BrC6aAkLCcPwU9xv_SzBDQPRY0MEYv3kGF03Swo1crRbGh-aifYX9NiHDsmG6r1vAnx0MAOw2Jzuz2x6SSdfBrzlcoWBlrwiZzd9kAKq75n1Uy9uzZ8SRnkBrEZySHBwEbu196VklkRE0jqwC-e3wWNNuviSOfwkVeX-7QdOoO10yw9VK2sW52lFvIEf4chv_ta7bGfAZOWBjpktG6ZLD81SE6A88zpqG2SysSyNMp9hl-umG-5sFsjCn_c9E8bDvwkUOUVb9bNqhBDsZgR0BNPawiOZjmyfhzmwmWf-zgFzfFSV6BvOwNRi3sCOHTsWcuk9NBQ_YK8CpNkVl3WeIBSDfidimuC_QV9UWKs1GPk35ZRkM4zKtLY2JsBFWKaDy_P80TcOzcMBoP8gIBClXZ-WUqfE8s1yyc4jrq-qL1_wJ24ef1O9FktsbyZiDKXw2vnqsT8-g_hCeG-unrT1ZFscf8oNdqczARHX-K4vKH2k3uIqEx1M=|1719199056|2rsgdUIClHNEpxBLlHOVRYup6e4oKensQfljtmn4B80=; Path=/; Expires=Mon, 01 Jul 2024 03:17:36 GMT; HttpOnly"
]
```
7. 携带 Authorization的标头对应access_token访问对应api
```shell
curl --url "foo.bar.com/headers"
--header "Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtbzQzeGIxbXo3eWE3YWNoNC51cy5hdXRoMC5jb20vIn0..WP_WRVM-y3fM1sN4.fAQqtKoKZNG9Wj0OhtrMgtsjTJ2J72M2klDRd9SvUKGbiYsZNPmIl_qJUf81D3VIjD59o9xrOOJIzXTgsfFVA2x15g-jBlNh68N7dyhXu9237Tbplweu1jA25IZDSnjitQ3pbf7xJVIfPnWcrzl6uT8G1EP-omFcl6AQprV2FoKFMCGFCgeafuttppKe1a8mpJDj7AFLPs-344tT9mvCWmI4DuoLFh0PiqMMJBByoijRSxcSdXLPxZng84j8JVF7H6mFa-dj-icP-KLy6yvzEaRKz_uwBzQCzgYK434LIpqw_PRuN3ClEsenwRgIsNdVjvKcoAysfoZhmRy9BQaE0I7qTohSBFNX6A.mgGGeeWgugfXcUcsX4T5dQ"
```
8. 后端服务根据access_token获取用户信息并返回对应的Http响应
```json
{
"email": "******",
"email_verified": false,
"iss": "https://dev-o43xb1mz7ya7ach4.us.auth0.com/",
"aud": "YagFqRD9tfNIaac5BamjhsSatjrAnsnZ",
"iat": 1719198638,
"exp": 1719234638,
"sub": "auth0|665d71e74c131177be66e607",
"sid": "ct2U8_YQ-zT7E8i0E3MyK-z79diVQhaU"
}
```
## 配置
### 配置项
| Option | Type | Description | Default |
| ----------------------------- | ------------ | ------------------------------------------------------------ | ----------------- |
| cookie_name | string | the name of the cookie that the oauth_proxy creates. Should be changed to use a [cookie prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes) (`__Host-` or `__Secure-`) if `--cookie-secure` is set. | `"_oauth2_proxy"` |
| cookie_secret | string | the seed string for secure cookies (optionally base64 encoded) | |
| cookie_domains | string\|list | Optional cookie domains to force cookies to (e.g. `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match). | |
| cookie_path | string | an optional cookie path to force cookies to (e.g. `/poc/`) | `"/"` |
| cookie_expire | duration | expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. | 168h0m0s |
| cookie_refresh | duration | refresh the cookie after this duration; `0` to disable | |
| cookie_secure | bool | set [secure (HTTPS only) cookie flag](https://owasp.org/www-community/controls/SecureFlag) | true |
| cookie_httponly | bool | set HttpOnly cookie flag | true |
| cookie_samesite | string | set SameSite cookie attribute (`"lax"`, `"strict"`, `"none"`, or `""`). | `""` |
| cookie_csrf_per_request | bool | Enable having different CSRF cookies per request, making it possible to have parallel requests. | false |
| cookie_csrf_expire | duration | expire timeframe for CSRF cookie | 15m |
| client_id | string | the OAuth Client ID | |
| client_secret | string | the OAuth Client Secret | |
| provider | string | OAuth provider | oidc |
| pass_authorization_header | bool | pass OIDC IDToken to upstream via Authorization Bearer header | true |
| oidc_issuer_url | string | the OpenID Connect issuer URL, e.g. `"https://dev-o43xb1mz7ya7ach4.us.auth0.com"` | |
| oidc_verifier_request_timeout | uint32 | OIDC verifier discovery request timeout | 2000(ms) |
| scope | string | OAuth scope specification | |
| redirect_url | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | |
| service_name | string | registered name of the OIDC service, e.g. `auth.dns`, `keycloak.static` | |
| service_port | int64 | service port of the OIDC service | |
| service_host | string | host of the OIDC service when type is static ip | |
| match_type | string | match type (`whitelist` or `blacklist`) | `"whitelist"` |
| match_list | rule\|list | a list of (match_rule_domain, match_rule_path, and match_rule_type). | |
| match_rule_domain | string | match rule domain, support wildcard pattern such as `*.bar.com` | |
| match_rule_path | string | match rule path such as `/headers` | |
| match_rule_type | string | match rule type can be `exact` or `prefix` or `regex` | |
### 生成 Cookie 密钥
``` python
python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
```
- DNS域名
- 在服务来源中注册好服务后创建对应的ingress
参考:[Oauth2-proxy Generating a Cookie Secret](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#generating-a-cookie-secret)
### 黑白名单模式
支持黑白名单模式配置,默认为白名单模式,白名单为空,即所有请求都需要经过验证,匹配域名支持泛域名例如`*.bar.com`,匹配规则支持精确匹配`exact`,前缀匹配`prefix`,正则匹配`regex`
* **白名单模式**
```yaml
match_type: 'whitelist'
match_list:
- match_rule_domain: '*.bar.com'
match_rule_path: '/foo'
match_rule_type: 'prefix'
```
泛域名`*.bar.com`下前缀匹配`/foo`的请求无需验证
* **黑名单模式**
```yaml
match_type: 'blacklist'
match_list:
- match_rule_domain: '*.bar.com'
match_rule_path: '/headers'
match_rule_type: 'prefix'
```
只有泛域名`*.bar.com`下前缀匹配`/header`的请求需要验证
### 注销用户
注销用户需重定向到`/oauth2/sign_out`这个端点。这个端点仅移除oauth2-proxy自己设置的cookie也就是说用户仍然在OIDC Provider处保持登录状态并且在再次访问应用时可能会自动重新登录。因此还需要使用`rd`查询参数将用户重定向到认证提供商的注销页面即重定向用户到类似如下地址注意URL编码
```
/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page
```
或者,可以在`X-Auth-Request-Redirect`头部中包含重定向URL
```
GET /oauth2/sign_out HTTP/1.1
X-Auth-Request-Redirect: https://my-oidc-provider.example.com/sign_out_page
...
```
重定向URL中可以包含`post_logout_redirect_uri`参数指定OIDC Provider登出后跳转到的页面例如后端服务的登出页面不携带该参数则默认跳转到OIDC Provider的登出页面详情见下方auth0和keycloak的示例如果OIDC Provider支持会话管理和发现那么"sign_out_page"应该是从[metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)中获取的`end_session_endpoint`
### OIDC 服务 HTTPS 协议
如果 OIDC Provider 为 HTTPS 协议参考Higress中[配置后端服务协议HTTPS](https://higress.io/docs/latest/user/annotation-use-case/#%E9%85%8D%E7%BD%AE%E5%90%8E%E7%AB%AF%E6%9C%8D%E5%8A%A1%E5%8D%8F%E8%AE%AEhttps%E6%88%96grpc)的说明需要通过使用注解`higress.io/backend-protocol: "HTTPS"`配置请求转发至后端服务使用HTTPS协议参考Auth0示例中Ingress配置
## 配置示例
### Auth0 配置示例
#### Step 1: 配置 Auth0 账户
- 登录到开发人员 Okta 网站 [Developer Auth0 site](https://auth0.com/)
- 注册测试 web 应用程序
**注**需填写Allowed Callback URLs, Allowed Logout URLs, Allowed Web Origins等配置项否则 OIDC Provider 会认为用户跳转的重定向 URL 或登出 URL 无效
#### Step 2: Higress 配置服务来源
* 在Higress服务来源中创建auth0 DNS来源
![auth0 create](https://gw.alicdn.com/imgextra/i1/O1CN01p9y0jF1tfzdXTzNYm_!!6000000005930-0-tps-3362-670.jpg)
#### Step 3: OIDC 服务 HTTPS 配置
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
name: auth0-ingress
annotations:
higress.io/destination: okta.dns
higress.io/destination: auth.dns
higress.io/backend-protocol: "HTTPS"
higress.io/ignore-path-case: "false"
spec:
@@ -68,29 +232,152 @@ spec:
apiGroup: networking.higress.io
kind: McpBridge
name: default
```
- 创建wasm插件
#### Step 4: Wasm 插件配置
```yaml
issuer: "https://dev-65874123.okta.com"
redirect_url: "http://foo.bar.com/a/oauth2/callback"
scopes:
- "openid"
- "email"
client_url: "http://foo.bar.com/a"
cookie_domain: "foo.bar.com"
client_id: "xxxxxxxxxxxxxxx"
client_secret: "xxxxxxx"
service_domain: "dev-65874123.okta.com"
service_name: "okta"
redirect_url: 'http://foo.bar.com/oauth2/callback'
oidc_issuer_url: 'https://dev-o43xb1mz7ya7ach4.us.auth0.com/'
client_id: 'XXXXXXXXXXXXXXXX'
client_secret: 'XXXXXXXXXXXXXXXX'
scope: 'openid email offline_access'
cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
service_name: 'auth.dns'
service_port: 443
service_source: "dns"
timeout_millis: 2000
match_type: 'whitelist'
match_list:
- match_rule_domain: '*.bar.com'
match_rule_path: '/foo'
match_rule_type: 'prefix'
```
在通过插件验证后会携带 `Authorization`的标头携带令牌
**注**必须先配置服务来源wasm插件在初始化时需要访问配置的服务获取openid-configuration
#### 访问服务页面,未登陆的话进行跳转
![auth0_login](https://gw.alicdn.com/imgextra/i3/O1CN01hVNk0C1gkUWLwuC0N_!!6000000004180-0-tps-3840-2160.jpg)
#### 登陆成功跳转到服务页面
headers中可以看到携带了_oauth2_proxy 的cookie用于下次登陆访问Authorization对应IDToken用于后端服务获得用户信息
![auth0 service](https://gw.alicdn.com/imgextra/i1/O1CN01vyrB6u1xPHep1RRqb_!!6000000006435-2-tps-3840-2160.png)
#### 访问登出跳转到登出页面
```
http://foo.bar.com/oauth2/sign_out?rd=https%3A%2F%2Fdev-o43xb1mz7ya7ach4.us.auth0.com%2Foidc%2Flogout
```
![auth0 logout](https://gw.alicdn.com/imgextra/i3/O1CN01UntF4x1UqC4StMqtT_!!6000000002568-0-tps-3840-2160.jpg)
#### 访问登出跳转到登出页面(携带post_logout_redirect_uri参数跳转指定uri)
```
http://foo.bar.com/oauth2/sign_out?rd=https%3A%2F%2Fdev-o43xb1mz7ya7ach4.us.auth0.com%2Foidc%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%3A%2F%2Ffoo.bar.com%2Ffoo
```
post_logout_redirect_uri跳转的uri需要在OIDC Provider Allowed URLs处配置才可以正常跳转
![auth0 logout redirect](https://gw.alicdn.com/imgextra/i1/O1CN01AtZ2cd1JlBxsgyCjG_!!6000000001068-0-tps-3840-2160.jpg)
### keycloak 配置示例
#### Step 1: Get started with keycloak on docker
<https://www.keycloak.org/getting-started/getting-started-docker>
**注**需填写Valid redirect URIs, Valid post logout URIs, Web origins配置项否则 OIDC Provider 会认为用户跳转的重定向 URL 或登出 URL 无效
#### Step 2: Higress 配置服务来源
* 在Higress服务来源中创建Keycloak固定地址服务
![keycloak create](https://gw.alicdn.com/imgextra/i1/O1CN01p9y0jF1tfzdXTzNYm_!!6000000005930-0-tps-3362-670.jpg)
#### Step 3: Wasm 插件配置
```yaml
redirect_url: 'http://foo.bar.com/oauth2/callback'
oidc_issuer_url: 'http://127.0.0.1:9090/realms/myrealm'
client_id: 'XXXXXXXXXXXXXXXX'
client_secret: 'XXXXXXXXXXXXXXXX'
scope: 'openid email'
cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
service_name: 'keycloak.static'
service_port: 80
service_host: '127.0.0.1:9090'
match_type: 'blacklist'
match_list:
- match_rule_domain: '*.bar.com'
match_rule_path: '/headers'
match_rule_type: 'prefix'
```
#### 访问服务页面,未登陆的话进行跳转
![keycloak_login](https://gw.alicdn.com/imgextra/i4/O1CN01HLcl7r1boXwwnzGqA_!!6000000003512-0-tps-3840-2160.jpg)
#### 登陆成功跳转到服务页面
![keycloak service](https://gw.alicdn.com/imgextra/i1/O1CN01vyrB6u1xPHep1RRqb_!!6000000006435-2-tps-3840-2160.png)
#### 访问登出跳转到登出页面
```
http://foo.bar.com/oauth2/sign_out?rd=http%3A%2F%2F127.0.0.1:9090%2Frealms%2Fmyrealm%2Fprotocol%2Fopenid-connect%2Flogout
```
![keycloak logout](https://gw.alicdn.com/imgextra/i4/O1CN01kQwqB523OiroOWMgM_!!6000000007246-0-tps-3840-2160.jpg)
#### 访问登出跳转到登出页面(携带post_logout_redirect_uri参数跳转指定uri)
```
http://foo.bar.com/oauth2/sign_out?rd=http%3A%2F%2F127.0.0.1:9090%2Frealms%2Fmyrealm%2Fprotocol%2Fopenid-connect%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%3A%2F%2Ffoo.bar.com%2Ffoo
```
![keycloak logout redirect](https://gw.alicdn.com/imgextra/i1/O1CN01AtZ2cd1JlBxsgyCjG_!!6000000001068-0-tps-3840-2160.jpg)
### Aliyun 配置示例
#### Step 1: 配置 Aliyun OAuth应用
参考[Web应用登录阿里云](https://help.aliyun.com/zh/ram/user-guide/access-alibaba-cloud-apis-from-a-web-application)流程配置 OAuth 应用
#### Step 2: Higress 配置服务来源
* 在Higress服务来源中创建Aliyun DNS服务
![Aliyun service](https://gw.alicdn.com/imgextra/i3/O1CN01PMNGFS1mHXBtsEvEq_!!6000000004929-0-tps-3312-718.jpg)
#### Step 3: Wasm 插件配置
```yaml
redirect_url: 'http://foo.bar.com/oauth2/callback'
provider: aliyun
oidc_issuer_url: 'https://oauth.aliyun.com/'
client_id: 'XXXXXXXXXXXXXXXX'
client_secret: 'XXXXXXXXXXXXXXXX'
scope: 'openid'
cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
service_name: 'aliyun.dns'
service_port: 443
match_type: whitelist
match_list:
- match_rule_domain: 'foo.bar.com'
match_rule_path: /foo
match_rule_type: prefix
```
#### 访问服务页面,未登陆的话进行跳转
![aliyun_login_1](https://gw.alicdn.com/imgextra/i1/O1CN01L379Uk1b2umAraylT_!!6000000003408-0-tps-3840-2160.jpg)
直接使用RAM用户登录或者点击主账户登录
![aliyun_login_2](https://gw.alicdn.com/imgextra/i1/O1CN01pfdA3l27Dy2TL83NA_!!6000000007764-0-tps-3840-2160.jpg)
#### 登陆成功跳转到服务页面
![aliyun_result](https://gw.alicdn.com/imgextra/i3/O1CN015pGvi51eakt3pFS8Y_!!6000000003888-0-tps-3840-2160.jpg)

1
plugins/wasm-go/extensions/oidc/VERSION
View File

@@ -1 +0,0 @@
1.0.0

199
plugins/wasm-go/extensions/oidc/doc/Oidc.md
View File

@@ -1,199 +0,0 @@
# OpenID Connect
本文介绍了一个示例 OpenID Connect 插件配置,用于使用与 Okta , Auth0 , keycloak 身份提供程序对浏览器客户端进行身份验证。
## OpenID Connect with Okta
### 配置 okta 账户
* 登录到开发人员 Okta 网站 [Developer Okta site](https://developer.okta.com/)
* 注册测试 web 应用程序
### 将测试 okta 应用程序与 Higress 关联
* 创建服务来源
![okta_1.png](okta_1.png)
* 查看服务列表,有即成功
![okta_2.png](okta_2.png)
### 将测试 okta 应用程序与您的 Oidc-Wasm 插件关联
* 创建访问 okta 的 ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
higress.io/destination: okta.dns
higress.io/backend-protocol: "HTTPS"
higress.io/ignore-path-case: "false"
spec:
ingressClassName: higress
rules:
- host: foo.bar.com
http:
paths:
- path: /
pathType: Prefix
backend:
resource:
apiGroup: networking.higress.io
kind: McpBridge
name: default
```
* 配置 oidc 插件
```yaml
issuer: "https://dev-65874123.okta.com"
redirect_url: "http://foo.bar.com/a/oauth2/callback"
scopes:
- "openid"
- "email"
client_url: "http://foo.bar.com/a"
cookie_domain: "foo.bar.com"
client_id: "xxxx"
client_secret: "xxxxx"
service_domain: "dev-65874123.okta.com"
service_name: "okta"
service_port: 443
service_source: "dns"
timeout_millis: 2000
```
### 访问服务页面,未登陆的话进行跳转
![okta_3.png](okta_3.png)
### 登陆成功跳转到服务页面
![okta_4.png](okta_4.png)
---
## OpenID Connect with auth0
### 配置 auth0 账户
* 登录到开发人员 Okta 网站 [Developer Auth0 site](https://auth0.com/)
* 注册测试 web 应用程序
### 将测试 auth0 应用程序与 Higress 关联
* 创建服务来源
![auth0_0.png](auth0_0.png)
### 将测试 auth0 应用程序与您的 Oidc-Wasm 插件关联
* 创建访问 auth0 的 ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
higress.io/destination: auth.dns
higress.io/backend-protocol: "HTTPS"
higress.io/ignore-path-case: "false"
spec:
ingressClassName: higress
rules:
- host: foo.bar.com
http:
paths:
- path: /
pathType: Prefix
backend:
resource:
apiGroup: networking.higress.io
kind: McpBridge
name: default
```
* 配置 oidc 插件
```yaml
CookieName: "_oauth2_wasm_c"
client_id: "xxxxx"
client_secret: "xxxxxx"
cookie_domain: "foo.bar.com"
cookie_path: "/b"
client_url: "http://foo.bar.com/b"
service_domain: "dev-650jsqsvuyrk4ahg.us.auth0.com"
issuer: "https://dev-650jsqsvuyrk4ahg.us.auth0.com/"
redirect_url: "http://foo.bar.com/b/oauth2/callback"
scopes:
- "openid"
- "email"
service_name: "auth"
service_port: 443
service_source: "dns"
timeout_millis: 2000
```
### 访问服务页面,未登陆的话进行跳转
![auth0_1.png](auth0_1.png)
### 登陆成功跳转到服务页面
![oath_2.png](oath_2.png)
---
## OpenID Connect with keyclocak
### 配置 keyclocak 账户
* 本文档采用 docker 本机进行部署,所以注册的 ip 应该采用 ifconfig 获取网卡 ip
![keycloak_0.png](keycloak_0.png)
* 注册测试 web 应用程序
### 将测试 keyclocak 应用程序与 Higress 关联
* 创建服务来源
![keycloak_1.png](keycloak_1.png)
### 将测试 keyclocak 应用程序与您的 Oidc-Wasm 插件关联
* 配置 oidc 插件
```yaml
issuer: "http://127.0.0.1:9090/realms/myrealm"
redirect_url: "http://foo.bar.com/bar/oauth2/callback"
client_url: "http://foo.bar.com/"
scopes:
- "openid"
- "email"
cookie_name: "_oauth2_wasm_keyclocak"
cookie_domain: "foo.bar.com"
client_id: "myclinet"
client_secret: "EdKdKBX4N0jtYuPD4aGxZWiI7EVh4pr9"
service_host: "127.0.0.1:9090"
service_name: "keyclocak"
service_port: 80
service_source: "ip"
```
### 访问服务页面,未登陆的话进行跳转
![keycloak_2.png](keycloak_2.png)
### 登陆成功跳转到服务页面
![keycloak_3.png](keycloak_3.png)
## 与oauth2-proxy支持的服务对比
| 服务 | 是否支持 | |
| ----------------------- | ----------------- | ---------------------------------------- |
| Auth0 | 支持 | |
| Okta | 支持 | |
| dex | 支持 | |
| Keycloak | 支持 | |
| Gitea | 支持 | |
| GitLab | 支持 | |
| Google | 不支持 | 域名不一致 |
| GitHub | 不支持 | 域名不一致 |
| Microsoft Azure AD | 不支持 | |
| Azure | 不支持 | |
## 主要的差异
| 主要功能差异 | OAuth2-Proxy | OIDC-Wasm |
|----------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| 将服务放置在 OAuth2-Proxy 后 | ✓ | 不具备直接验证的能力 |
| 在当前层可以展示具体信息,如 email 等 | ✓ | 作为网关的插件,校验 token 的正确性后只是进行了转发。在实现的过程中已经捕捉到了 ID Token 信息,可以实现提取出具体的信息用于优化日志展示等。 |
| 校验一些非标准的 issuer如启动 skipIssuerCheck 的 Github | ✓ | 已经抽象出 OIDCHandler开启 skipIssuerChecker。只要实现 OIDCHandler 的能力,可以在 ProcessRedirect 中指定 authURL 的校验,在 ProcessExchangeToken 中指定 TokenURL 获取 token在 ProcessVerify 中校验 token |

BIN
plugins/wasm-go/extensions/oidc/doc/auth0_0.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/auth0_1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 62 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/keycloak_0.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 118 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/keycloak_1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 57 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/keycloak_2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 114 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/keycloak_3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/oath_2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/okta_1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 110 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/okta_2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 124 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/okta_3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 60 KiB

BIN
plugins/wasm-go/extensions/oidc/doc/okta_4.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

30
plugins/wasm-go/extensions/oidc/go.mod
View File

@@ -1,27 +1,33 @@
module oidc
module github.com/alibaba/higress/plugins/wasm-go/extensions/oidc
go 1.19
replace github.com/alibaba/higress/plugins/wasm-go => ../..
require (
github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230807053545-d307d0e755f1
github.com/go-jose/go-jose/v3 v3.0.0
github.com/alibaba/higress/plugins/wasm-go v1.3.6-0.20240531060402-2807ddfbb79e
github.com/higress-group/oauth2-proxy v1.0.0
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240711023527-ba358c48772f
github.com/tidwall/gjson v1.14.3
golang.org/x/oauth2 v0.11.0
github.com/tidwall/gjson v1.17.1
)
require (
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/benbjohnson/clock v1.3.5 // indirect
github.com/bitly/go-simplejson v0.5.1 // indirect
github.com/go-jose/go-jose/v4 v4.0.1 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 // indirect
github.com/magefile/mage v1.14.0 // indirect
github.com/justinas/alice v1.2.0 // indirect
github.com/magefile/mage v1.15.1-0.20230912152418-9f54e0f83e2a // indirect
github.com/ohler55/ojg v1.22.0 // indirect
github.com/spf13/cast v1.6.0 // indirect
github.com/tetratelabs/wazero v1.7.2 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
github.com/tidwall/resp v0.1.1 // indirect
golang.org/x/crypto v0.12.0 // indirect
golang.org/x/net v0.14.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
github.com/wasilibs/go-re2 v1.6.0 // indirect
golang.org/x/crypto v0.23.0 // indirect
golang.org/x/oauth2 v0.20.0 // indirect
golang.org/x/sys v0.21.0 // indirect
)

92
plugins/wasm-go/extensions/oidc/go.sum
View File

@@ -1,60 +1,52 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/bitly/go-simplejson v0.5.1 h1:xgwPbetQScXt1gh9BmoJ6j9JMr3TElvuIyjR8pgdoow=
github.com/bitly/go-simplejson v0.5.1/go.mod h1:YOPVLzCfwK14b4Sff3oP1AmGhI9T9Vsg84etUnlyp+Q=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 h1:IHDghbGQ2DTIXHBHxWfqCYQW1fKjyJ/I7W1pMyUDeEA=
github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520/go.mod h1:Nz8ORLaFiLWotg6GeKlJMhv8cci8mM43uEnLA5t8iew=
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240226064518-b3dc4646a35a h1:luYRvxLTE1xYxrXYj7nmjd1U0HHh8pUPiKfdZ0MhCGE=
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240226064518-b3dc4646a35a/go.mod h1:hNFjhrLUIq+kJ9bOcs8QtiplSQ61GZXtd2xHKx4BYRo=
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240318034951-d5306e367c43/go.mod h1:hNFjhrLUIq+kJ9bOcs8QtiplSQ61GZXtd2xHKx4BYRo=
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240327114451-d6b7174a84fc/go.mod h1:hNFjhrLUIq+kJ9bOcs8QtiplSQ61GZXtd2xHKx4BYRo=
github.com/higress-group/oauth2-proxy v1.0.0 h1:JwmApDYXhxwVcDD8HZ7fsOYq0rq2JxiYR7LszU5Uq9g=
github.com/higress-group/oauth2-proxy v1.0.0/go.mod h1:UOXEF1DEkmLIfVO0p+gP5ceGPuWHI4IKMmQGt8aUTrw=
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240711023527-ba358c48772f h1:ZIiIBRvIw62gA5MJhuwp1+2wWbqL9IGElQ499rUsYYg=
github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240711023527-ba358c48772f/go.mod h1:hNFjhrLUIq+kJ9bOcs8QtiplSQ61GZXtd2xHKx4BYRo=
github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw=
github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=
github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/magefile/mage v1.15.1-0.20230912152418-9f54e0f83e2a h1:tdPcGgyiH0K+SbsJBBm2oPyEIOTAvLBwD9TuUwVtZho=
github.com/magefile/mage v1.15.1-0.20230912152418-9f54e0f83e2a/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/ohler55/ojg v1.22.0 h1:McZObj3cD/Zz/ojzk5Pi5VvgQcagxmT1bVKNzhE5ihI=
github.com/ohler55/ojg v1.22.0/go.mod h1:gQhDVpQLqrmnd2eqGAvJtn+NfKoYJbe/A4Sj3/Vro4o=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/tetratelabs/wazero v1.7.2 h1:1+z5nXJNwMLPAWaTePFi49SSTL0IMx/i3Fg8Yc25GDc=
github.com/tetratelabs/wazero v1.7.2/go.mod h1:ytl6Zuh20R/eROuyDaGPkp82O9C/DJfXAwJfQ3X6/7Y=
github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
github.com/tidwall/resp v0.1.1 h1:Ly20wkhqKTmDUPlyM1S7pWo5kk0tDu8OoC/vFArXmwE=
github.com/tidwall/resp v0.1.1/go.mod h1:3/FrruOBAxPTPtundW0VXgmsQ4ZBA0Aw714lVYgwFa0=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
github.com/wasilibs/go-re2 v1.6.0 h1:CLlhDebt38wtl/zz4ww+hkXBMcxjrKFvTDXzFW2VOz8=
github.com/wasilibs/go-re2 v1.6.0/go.mod h1:prArCyErsypRBI/jFAFJEbzyHzjABKqkzlidF0SNA04=
github.com/wasilibs/nottinygc v0.4.0 h1:h1TJMihMC4neN6Zq+WKpLxgd9xCFMw7O9ETLwY2exJQ=
golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

296
plugins/wasm-go/extensions/oidc/main.go
View File

@@ -1,261 +1,121 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"errors"
"fmt"
"net/http"
"net/url"
"oidc/oc"
"strings"
"time"
oidc "github.com/higress-group/oauth2-proxy"
"github.com/higress-group/oauth2-proxy/pkg/apis/options"
"github.com/higress-group/oauth2-proxy/pkg/util"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
"github.com/higress-group/proxy-wasm-go-sdk/proxywasm"
"github.com/higress-group/proxy-wasm-go-sdk/proxywasm/types"
"github.com/tidwall/gjson"
"golang.org/x/oauth2"
)
const OAUTH2CALLBACK = "oauth2/callback"
type OidcConfig struct {
Issuer string
Path string
ClientID string
ClientSecret string
RedirectURL string
ClientURL string
Timeout int
CookieName string
CookieSecret string
CookieDomain string
CookiePath string
CookieSameSite string
CookieSecure bool
CookieHTTPOnly bool
Scopes []string
SkipExpiryCheck bool
SkipNonceCheck bool
Client wrapper.HttpClient
}
func main() {
wrapper.SetCtx(
// 插件名称
"oidc",
// 为解析插件配置,设置自定义函数
wrapper.ParseConfigBy(parseConfig),
// 为处理请求头,设置自定义函数
wrapper.ProcessRequestHeadersBy(onHttpRequestHeaders),
// 为处理响应头,设置自定义函数
wrapper.ProcessResponseHeadersBy(onHttpResponseHeaders),
)
}
func parseConfig(json gjson.Result, config *OidcConfig, log wrapper.Log) error {
config.Issuer = json.Get("issuer").String()
if config.Issuer == "" {
return errors.New("missing issuer in config")
}
var oidcHandler *oidc.OAuthProxy
config.ClientID = json.Get("client_id").String()
if config.ClientID == "" {
return errors.New("missing client_id in config")
}
type PluginConfig struct {
options *options.Options
}
config.ClientSecret = json.Get("client_secret").String()
if config.ClientSecret == "" {
return errors.New("missing client_secret in config")
}
config.ClientURL = json.Get("client_url").String()
_, err := url.ParseRequestURI(config.ClientURL)
if err != nil {
return errors.New("missing client_url in config or err format")
}
err = oc.IsValidRedirect(json.Get("redirect_url").String())
// 在控制台插件配置中填写的yaml配置会自动转换为json此处直接从json这个参数里解析配置即可
func parseConfig(json gjson.Result, config *PluginConfig, log wrapper.Log) error {
oidc.SetLogger(log)
opts, err := oidc.LoadOptions(json)
if err != nil {
return err
}
config.RedirectURL = json.Get("redirect_url").String()
config.options = opts
config.SkipExpiryCheck = json.Get("skip_expiry_check").Bool()
config.SkipNonceCheck = json.Get("skip_nonce_check").Bool()
for _, item := range json.Get("scopes").Array() {
scopes := item.String()
config.Scopes = append(config.Scopes, scopes)
}
parsedURL, err := url.Parse(config.Issuer)
oidcHandler, err = oidc.NewOAuthProxy(opts)
if err != nil {
return errors.New("failed to parse issuer URL")
}
config.Path = parsedURL.Path
timeout := json.Get("timeout_millis").Int()
if timeout <= 0 {
config.Timeout = 500
} else {
config.Timeout = int(timeout)
return err
}
//cookie
config.CookieSecret = oc.Set32Bytes(config.ClientSecret)
config.CookieName = json.Get("cookie_name").String()
if config.CookieName == "" {
config.CookieName = "_oidc_wasm"
}
config.CookieDomain = json.Get("cookie_domain").String()
if config.CookieDomain == "" {
return errors.New("missing cookie_domain in config or err format")
}
config.CookiePath = json.Get("cookie_path").String()
if config.CookiePath == "" {
config.CookiePath = "/"
}
config.CookieSecure = json.Get("cookie_secure").Bool()
config.CookieSecure = json.Get("cookie_httponly").Bool()
config.CookieSameSite = json.Get("cookie_samesite").String()
if config.CookieSameSite == "" {
config.CookieSameSite = "Lax"
}
serviceSource := json.Get("service_source").String()
serviceName := json.Get("service_name").String()
servicePort := json.Get("service_port").Int()
serviceHost := json.Get("service_host").String()
if serviceName == "" || servicePort == 0 {
return errors.New("invalid service config")
}
switch serviceSource {
case "ip":
config.Client = wrapper.NewClusterClient(&wrapper.StaticIpCluster{
ServiceName: serviceName,
Host: serviceHost,
Port: servicePort,
})
log.Debugf("%v %v %v", serviceName, serviceHost, servicePort)
return nil
case "dns":
domain := json.Get("service_domain").String()
if domain == "" {
return errors.New("missing service_domain in config")
}
config.Client = wrapper.NewClusterClient(&wrapper.DnsCluster{
ServiceName: serviceName,
Port: servicePort,
Domain: domain,
})
return nil
default:
return errors.New("unknown service source: " + serviceSource)
}
wrapper.RegisteTickFunc(opts.VerifierInterval.Milliseconds(), func() {
oidcHandler.SetVerifier(opts)
})
return nil
}
func onHttpRequestHeaders(ctx wrapper.HttpContext, config OidcConfig, log wrapper.Log) types.Action {
defaultHandler := oc.NewDefaultOAuthHandler()
cookieString, _ := proxywasm.GetHttpRequestHeader("cookie")
oidcCookieValue, code, state, err := oc.GetParams(config.CookieName, cookieString, ctx.Path(), config.CookieSecret)
if err != nil {
oc.SendError(&log, fmt.Sprintf("GetParams err : %v", err), http.StatusBadRequest, "oidc.get_params_failed")
return types.ActionContinue
}
nonce, _ := oc.Nonce(32)
nonceStr := oc.GenState(nonce, config.ClientSecret, config.RedirectURL)
createdAtTime := time.Now()
cfg := &oc.Oatuh2Config{
Config: oauth2.Config{
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectURL: config.RedirectURL,
Scopes: config.Scopes,
},
Issuer: config.Issuer,
ClientUrl: config.ClientURL,
Path: config.Path,
SkipExpiryCheck: config.SkipExpiryCheck,
Timeout: config.Timeout,
Client: config.Client,
SkipNonceCheck: config.SkipNonceCheck,
Option: &oc.OidcOption{},
CookieOption: &oc.CookieOption{
Name: config.CookieName,
Domain: config.CookieDomain,
Secret: config.CookieSecret,
Path: config.CookiePath,
SameSite: config.CookieSameSite,
Secure: config.CookieSecure,
HTTPOnly: config.CookieHTTPOnly,
},
CookieData: &oc.CookieData{
Nonce: []byte(nonceStr),
CreatedAt: createdAtTime,
},
}
log.Debugf("path :%v host :%v state :%v code :%v cookie :%v", ctx.Path(), ctx.Host(), state, code, oidcCookieValue)
if oidcCookieValue == "" {
if code == "" {
if err := defaultHandler.ProcessRedirect(&log, cfg); err != nil {
oc.SendError(&log, fmt.Sprintf("ProcessRedirect error : %v", err), http.StatusInternalServerError, "oidc.process_redirect_failed")
return types.ActionContinue
}
return types.ActionPause
}
if strings.Contains(ctx.Path(), OAUTH2CALLBACK) {
parts := strings.Split(state, ".")
if len(parts) != 2 {
oc.SendError(&log, "State signature verification failed", http.StatusUnauthorized, "oidc.bad_state")
return types.ActionContinue
}
stateVal, signature := parts[0], parts[1]
if err := oc.VerifyState(stateVal, signature, cfg.ClientSecret, cfg.RedirectURL); err != nil {
oc.SendError(&log, fmt.Sprintf("State signature verification failed : %v", err), http.StatusUnauthorized, "oidc.invalid_state")
return types.ActionContinue
}
cfg.Option.Code = code
cfg.Option.Mod = oc.SenBack
if err := defaultHandler.ProcessExchangeToken(&log, cfg); err != nil {
oc.SendError(&log, fmt.Sprintf("ProcessExchangeToken error : %v", err), http.StatusInternalServerError, "oidc.process_exchange_token_failed")
return types.ActionContinue
}
return types.ActionPause
}
oc.SendError(&log, fmt.Sprintf("redirect URL must end with oauth2/callback"), http.StatusBadRequest, "oidc.bad_redirect_url")
func onHttpRequestHeaders(ctx wrapper.HttpContext, config PluginConfig, log wrapper.Log) types.Action {
oidcHandler.SetContext(ctx)
req := getHttpRequest()
rw := util.NewRecorder()
if options.IsAllowedByMode(req.URL.Host, req.URL.Path, config.options.MatchRules, config.options.ProxyPrefix) {
log.Infof("request is allowed by mode %s", config.options.MatchRules.Mode)
return types.ActionContinue
}
cookieData, err := oc.DeserializeCookieData(oidcCookieValue)
if err != nil {
oc.SendError(&log, fmt.Sprintf("DeserializeCookieData err : %v", err), http.StatusInternalServerError, "oidc.bad_cookie_value")
// TODO: remove this verifier after envoy support send request during parseConfig
if err := oidcHandler.ValidateVerifier(); err != nil {
log.Critical(err.Error())
return types.ActionContinue
}
cfg.CookieData = &oc.CookieData{
IDToken: cookieData.IDToken,
Secret: cfg.CookieOption.Secret,
Nonce: cookieData.Nonce,
CreatedAt: cookieData.CreatedAt,
ExpiresOn: cookieData.ExpiresOn,
}
cfg.Option.RawIdToken = cfg.CookieData.IDToken
cfg.Option.Mod = oc.Access
if err := defaultHandler.ProcessVerify(&log, cfg); err != nil {
oc.SendError(&log, fmt.Sprintf("ProcessVerify error : %v", err), http.StatusUnauthorized, "oidc.unauthorized")
oidcHandler.ServeHTTP(rw, req)
if code := rw.GetStatus(); code != 0 {
return types.ActionContinue
}
return types.ActionPause
}
func onHttpResponseHeaders(ctx wrapper.HttpContext, config PluginConfig, log wrapper.Log) types.Action {
value := ctx.GetContext(oidc.SetCookieHeader)
if value != nil {
proxywasm.AddHttpResponseHeader(oidc.SetCookieHeader, value.(string))
}
oidcHandler.SetContext(nil)
return types.ActionContinue
}
func getHttpRequest() *http.Request {
headers, _ := proxywasm.GetHttpRequestHeaders()
var method, path, authority, scheme string
for _, header := range headers {
switch header[0] {
case ":method":
method = header[1]
case ":path":
path = header[1]
case ":authority":
authority = header[1]
case ":scheme":
scheme = header[1]
}
}
rawURL := fmt.Sprintf("%s://%s%s", scheme, authority, path)
parsedURL, _ := url.Parse(rawURL)
req := &http.Request{
Method: method,
URL: parsedURL,
Header: make(http.Header),
Body: nil,
}
req.Form, _ = url.ParseQuery(parsedURL.RawQuery)
for _, header := range headers {
if !strings.HasPrefix(header[0], ":") {
req.Header.Add(header[0], header[1])
}
}
return req
}

116
plugins/wasm-go/extensions/oidc/oc/config.go
View File

@@ -1,116 +0,0 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"errors"
"net/url"
"regexp"
"strings"
"time"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
"golang.org/x/oauth2"
)
type Accessmod int
const (
Access Accessmod = 0
SenBack Accessmod = 1
)
var invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
type IDConfig struct {
ClientID string
SupportedSigningAlgs []string
SkipExpiryCheck bool
//SkipIssuerCheck 用于特殊情况,其中调用者希望推迟对签发者的验证。
//当启用时,调用者必须独立验证令牌的签发者是否为已知的有效值。
//
//
//不匹配的签发者通常指示客户端配置错误。如果不希望发生不匹配请检查所提供的签发者URL是否正确而不是启用这个选项。
SkipIssuerCheck bool
SkipNonceCheck bool
Now func() time.Time
}
type idToken struct {
Issuer string `json:"iss"`
Subject string `json:"sub"`
Audience audience `json:"aud"`
Expiry jsonTime `json:"exp"`
IssuedAt jsonTime `json:"iat"`
NotBefore *jsonTime `json:"nbf"`
Nonce string `json:"nonce"`
AtHash string `json:"at_hash"`
ClaimNames map[string]string `json:"_claim_names"`
ClaimSources map[string]claimSource `json:"_claim_sources"`
}
type claimSource struct {
Endpoint string `json:"endpoint"`
AccessToken string `json:"access_token"`
}
type Oatuh2Config struct {
oauth2.Config
Issuer string
JwksURL string
ClientUrl string
Path string
SupportedSigningAlgs []string
SkipExpiryCheck bool
Timeout int
Client wrapper.HttpClient
SkipNonceCheck bool
Option *OidcOption
CookieOption *CookieOption
CookieData *CookieData
}
type OidcOption struct {
StateStr string
Nonce string
Code string
Mod Accessmod
RawIdToken string
AuthStyle AuthStyle
}
func IsValidRedirect(redirect string) error {
if !strings.HasSuffix(redirect, "oauth2/callback") {
return errors.New("redirect URL must end with oauth2/callback")
}
switch {
case redirect == "":
return errors.New("redirect URL is empty")
case strings.HasPrefix(redirect, "/"):
if strings.HasPrefix(redirect, "//") || invalidRedirectRegex.MatchString(redirect) {
return errors.New("invalid local redirect URL")
}
return nil
case strings.HasPrefix(redirect, "http://"), strings.HasPrefix(redirect, "https://"):
_, err := url.ParseRequestURI(redirect)
if err != nil {
return errors.New("invalid remote redirect URL")
}
return nil
default:
return errors.New("redirect URL must start with /, http://, or https://")
}
}

188
plugins/wasm-go/extensions/oidc/oc/cookie.go
View File

@@ -1,188 +0,0 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"encoding/json"
"fmt"
"io"
"net/url"
"strings"
"time"
)
type CookieData struct {
IDToken string
Secret string
Nonce []byte
CreatedAt time.Time
ExpiresOn time.Time
}
type CookieOption struct {
Name string
Domain string
Secret string
value string
Path string
SameSite string
Expire time.Time
Secure bool
HTTPOnly bool
}
// SerializeAndEncrypt 将 CookieData 对象序列化并加密为一个安全的cookie header
func SerializeAndEncryptCookieData(data *CookieData, keySecret string, cookieSettings *CookieOption) (string, error) {
return buildSecureCookieHeader(data, keySecret, cookieSettings)
}
// DeserializeCookieData 将一个安全的cookie header解密并反序列化为 CookieData 对象
func DeserializeCookieData(cookievalue string) (*CookieData, error) {
data, err := retrieveCookieData(cookievalue)
if err != nil {
return nil, err
}
if checkCookieExpiry(data) {
return nil, fmt.Errorf("cookie is expired")
}
return data, nil
}
func Set32Bytes(key string) string {
const desiredLength = 32
keyLength := len(key)
var adjustedKey string
if keyLength > desiredLength {
adjustedKey = key[:desiredLength]
} else if keyLength < desiredLength {
padding := strings.Repeat("0", desiredLength-keyLength)
adjustedKey = key + padding
} else {
adjustedKey = key
}
return adjustedKey
}
// 必须是16/24/32字节长
func Decrypt(ciphertext string, key string) (string, error) {
block, err := aes.NewCipher([]byte(key))
if err != nil {
return "", err
}
decodedCiphertext, err := base64.URLEncoding.DecodeString(ciphertext)
if err != nil {
return "", err
}
if len(decodedCiphertext) < aes.BlockSize {
return "", fmt.Errorf("ciphertext is too short")
}
iv := decodedCiphertext[:aes.BlockSize]
decodedCiphertext = decodedCiphertext[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(block, iv)
stream.XORKeyStream(decodedCiphertext, decodedCiphertext)
return string(decodedCiphertext), nil
}
func encrypt(plainText string, key string) (string, error) {
block, err := aes.NewCipher([]byte(key))
if err != nil {
return "", err
}
ciphertext := make([]byte, aes.BlockSize+len(plainText))
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return "", err
}
stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], []byte(plainText))
return base64.URLEncoding.EncodeToString(ciphertext), nil
}
func buildSecureCookieHeader(data *CookieData, keySecret string, cookieSettings *CookieOption) (string, error) {
jsonData, err := json.Marshal(data)
if err != nil {
return "", err
}
encryptedValue, err := encrypt(string(jsonData), keySecret)
if err != nil {
return "", err
}
encodedValue := url.QueryEscape(encryptedValue)
cookieSettings.value = encodedValue
return generateCookie(cookieSettings), nil
}
func retrieveCookieData(cookieValue string) (*CookieData, error) {
var data CookieData
err := json.Unmarshal([]byte(cookieValue), &data)
if err != nil {
return nil, err
}
return &data, nil
}
func generateCookie(settings *CookieOption) string {
var secureFlag, httpOnlyFlag, sameSiteFlag string
if settings.Secure {
secureFlag = "Secure;"
}
if settings.HTTPOnly {
httpOnlyFlag = "HttpOnly;"
}
if settings.SameSite != "" {
sameSiteFlag = fmt.Sprintf("SameSite=%s;", settings.SameSite)
}
expiresStr := settings.Expire.Format(time.RFC1123)
maxAge := int(settings.Expire.Sub(time.Now()).Seconds())
cookie := fmt.Sprintf("%s=%s; Path=%s; Domain=%s; Expires=%s; Max-Age=%d; %s %s %s",
settings.Name,
settings.value,
settings.Path,
settings.Domain,
expiresStr,
maxAge,
secureFlag,
httpOnlyFlag,
sameSiteFlag,
)
return cookie
}
func checkCookieExpiry(data *CookieData) bool {
return data.ExpiresOn.Before(time.Now())
}

76
plugins/wasm-go/extensions/oidc/oc/encryption.go
View File

@@ -1,76 +0,0 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"golang.org/x/oauth2"
"strings"
)
func Nonce(length int) ([]byte, error) {
b := make([]byte, length)
_, err := rand.Read(b)
return b, err
}
func HashNonce(nonce []byte) string {
hasher := sha256.New()
hasher.Write(nonce)
return base64.RawURLEncoding.EncodeToString(hasher.Sum(nil))
}
func GenState(nonce []byte, key string, redirectUrl string) string {
hashedNonce := HashNonce(nonce)
encodedRedirectUrl := base64.RawURLEncoding.EncodeToString([]byte(redirectUrl))
state := fmt.Sprintf("%s:%s", hashedNonce, encodedRedirectUrl)
signature := SignState(state, key)
return fmt.Sprintf("%s.%s", state, signature)
}
func SignState(state string, key string) string {
mac := hmac.New(sha256.New, []byte(key))
mac.Write([]byte(state))
return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
func VerifyState(state, signature, key, redirect string) error {
if !hmac.Equal([]byte(signature), []byte(SignState(state, key))) {
return fmt.Errorf("signature mismatch")
}
parts := strings.Split(state, ":")
if len(parts) != 2 {
return fmt.Errorf("invalid state format")
}
redirectUrl, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return fmt.Errorf("failed to decode redirect URL: %v", err)
}
if string(redirectUrl) != redirect {
return fmt.Errorf("redirect URL mismatch")
}
return nil
}
func SetNonce(nonce string) oauth2.AuthCodeOption {
return oauth2.SetAuthURLParam("nonce", nonce)
}

256
plugins/wasm-go/extensions/oidc/oc/exchange.go
View File

@@ -1,256 +0,0 @@
//Copyright 2023 go-oidc
//
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
package oc
import (
"encoding/json"
"errors"
"fmt"
"github.com/tidwall/gjson"
"io"
"math"
"mime"
"net/http"
"net/url"
"strconv"
"strings"
"time"
)
type Token struct {
AccessToken string
TokenType string
RefreshToken string
Expiry time.Time
Raw interface{}
}
type tokenJSON struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
RefreshToken string `json:"refresh_token"`
ExpiresIn expirationTime `json:"expires_in"` // at least PayPal returns string, while most return number
}
type AuthCodeOption interface {
setValue(url.Values)
}
type setParam struct{ k, v string }
func (p setParam) SetValue(m url.Values) { m.Set(p.k, p.v) }
func ReturnURL(RedirectURL, code string, opts ...AuthCodeOption) url.Values {
v := url.Values{
"grant_type": {"authorization_code"},
"code": {code},
}
if RedirectURL != "" {
v.Set("redirect_uri", RedirectURL)
}
for _, opt := range opts {
opt.setValue(v)
}
return v
}
func TokenFromInternal(t *Token) *Token {
if t == nil {
return nil
}
return &Token{
AccessToken: t.AccessToken,
TokenType: t.TokenType,
RefreshToken: t.RefreshToken,
Expiry: t.Expiry,
Raw: t.Raw,
}
}
func (e *tokenJSON) expiry() (t time.Time) {
if v := e.ExpiresIn; v != 0 {
return time.Now().Add(time.Duration(v) * time.Second)
}
return
}
type expirationTime int32
func (e *expirationTime) UnmarshalJSON(b []byte) error {
if len(b) == 0 || string(b) == "null" {
return nil
}
var n json.Number
err := json.Unmarshal(b, &n)
if err != nil {
return err
}
i, err := n.Int64()
if err != nil {
return err
}
if i > math.MaxInt32 {
i = math.MaxInt32
}
*e = expirationTime(i)
return nil
}
type AuthStyle int
const (
AuthStyleUnknown AuthStyle = 0
AuthStyleInParams AuthStyle = 1
AuthStyleInHeader AuthStyle = 2
)
var authStyleCache struct {
m map[string]AuthStyle // keyed by tokenURL
}
func LookupAuthStyle(tokenURL string) (style AuthStyle, ok bool) {
style, ok = authStyleCache.m[tokenURL]
return
}
// SetAuthStyle adds an entry to authStyleCache, documented above.
func SetAuthStyle(tokenURL string, v AuthStyle) {
if authStyleCache.m == nil {
authStyleCache.m = make(map[string]AuthStyle)
}
authStyleCache.m[tokenURL] = v
}
func (t *Token) Extra(key string) interface{} {
if raw, ok := t.Raw.(map[string]interface{}); ok {
return raw[key]
}
vals, ok := t.Raw.(url.Values)
if !ok {
return nil
}
v := vals.Get(key)
switch s := strings.TrimSpace(v); strings.Count(s, ".") {
case 0: // Contains no "."; try to parse as int
if i, err := strconv.ParseInt(s, 10, 64); err == nil {
return i
}
case 1: // Contains a single "."; try to parse as float
if f, err := strconv.ParseFloat(s, 64); err == nil {
return f
}
}
return v
}
func UnmarshalToken(token *Token, Headers http.Header, body []byte) (*Token, error) {
if !gjson.ValidBytes(body) {
return nil, fmt.Errorf("invalid JSON format in response body , get %v", string(body))
}
content, _, _ := mime.ParseMediaType(Headers.Get("Content-Type"))
switch content {
case "application/x-www-form-urlencoded", "text/plain":
vals, err := url.ParseQuery(string(body))
if err != nil {
return nil, err
}
token = &Token{
AccessToken: vals.Get("access_token"),
TokenType: vals.Get("token_type"),
RefreshToken: vals.Get("refresh_token"),
Raw: vals,
}
e := vals.Get("expires_in")
expires, _ := strconv.Atoi(e)
if expires != 0 {
token.Expiry = time.Now().Add(time.Duration(expires) * time.Second)
}
default:
var tj tokenJSON
if err := json.Unmarshal(body, &tj); err != nil {
return nil, err
}
token = &Token{
AccessToken: tj.AccessToken,
TokenType: tj.TokenType,
RefreshToken: tj.RefreshToken,
Expiry: tj.expiry(),
Raw: make(map[string]interface{}),
}
if err := json.Unmarshal(body, &token.Raw); err != nil {
return nil, err
}
// no error checks for optional fields
}
if token.AccessToken == "" {
return nil, errors.New("oauth2: server response missing access_token")
}
return token, nil
}
func NewTokenRequest(tokenURL, clientID, clientSecret string, v url.Values, authStyle AuthStyle) ([][2]string, []byte, error) {
if authStyle == AuthStyleInParams {
v = cloneURLValues(v)
if clientID != "" {
v.Set("client_id", clientID)
}
if clientSecret != "" {
v.Set("client_secret", clientSecret)
}
}
req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))
if err != nil {
return nil, nil, err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
if authStyle == AuthStyleInHeader {
req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
}
var headerArray [][2]string
for key, values := range req.Header {
if len(values) > 0 {
headerArray = append(headerArray, [2]string{key, values[0]})
}
}
bodyBytes, err := io.ReadAll(req.Body)
req.Body.Close()
if err != nil {
return nil, nil, err
}
return headerArray, bodyBytes, nil
}
func cloneURLValues(v url.Values) url.Values {
v2 := make(url.Values, len(v))
for k, vv := range v {
v2[k] = append([]string(nil), vv...)
}
return v2
}
type RetrieveError struct {
Response *http.Response
Body []byte
}
func (r *RetrieveError) Error() string {
return fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", r.Response.Status, r.Body)
}

628
plugins/wasm-go/extensions/oidc/oc/jwks.go
View File

@@ -1,628 +0,0 @@
/*-
* Copyright 2014 Square Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package oc
import (
"bytes"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"crypto/sha1"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
"math/big"
"net/url"
"reflect"
"strings"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
jose "github.com/go-jose/go-jose/v3"
"github.com/tidwall/gjson"
)
const (
RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
ES256 = "ES256" // ECDSA using P-256 and SHA-256
ES384 = "ES384" // ECDSA using P-384 and SHA-384
ES512 = "ES512" // ECDSA using P-521 and SHA-512
PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
EdDSA = "EdDSA" // Ed25519 using SHA-512
)
var SupportedAlgorithms = map[string]bool{
RS256: true,
RS384: true,
RS512: true,
ES256: true,
ES384: true,
ES512: true,
PS256: true,
PS384: true,
PS512: true,
EdDSA: true,
}
type rawJSONWebKey struct {
Use string `json:"use,omitempty"`
Kty string `json:"kty,omitempty"`
Kid string `json:"kid,omitempty"`
Crv string `json:"crv,omitempty"`
Alg string `json:"alg,omitempty"`
K *byteBuffer `json:"k,omitempty"`
X *byteBuffer `json:"x,omitempty"`
Y *byteBuffer `json:"y,omitempty"`
N *byteBuffer `json:"n,omitempty"`
E *byteBuffer `json:"e,omitempty"`
// -- Following fields are only used for private keys --
// RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
// completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
// we have a private key whereas D == nil means we have only a public key.
D *byteBuffer `json:"d,omitempty"`
P *byteBuffer `json:"p,omitempty"`
Q *byteBuffer `json:"q,omitempty"`
Dp *byteBuffer `json:"dp,omitempty"`
Dq *byteBuffer `json:"dq,omitempty"`
Qi *byteBuffer `json:"qi,omitempty"`
// Certificates
X5c []string `json:"x5c,omitempty"`
X5u string `json:"x5u,omitempty"`
X5tSHA1 string `json:"x5t,omitempty"`
X5tSHA256 string `json:"x5t#S256,omitempty"`
}
type JSONWebKey struct {
// Cryptographic key, can be a symmetric or asymmetric key.
Key interface{}
// Key identifier, parsed from `kid` header.
KeyID string
// Key algorithm, parsed from `alg` header.
Algorithm string
// Key use, parsed from `use` header.
Use string
// X.509 certificate chain, parsed from `x5c` header.
Certificates []*x509.Certificate
// X.509 certificate URL, parsed from `x5u` header.
CertificatesURL *url.URL
// X.509 certificate thumbprint (SHA-1), parsed from `x5t` header.
CertificateThumbprintSHA1 []byte
// X.509 certificate thumbprint (SHA-256), parsed from `x5t#S256` header.
CertificateThumbprintSHA256 []byte
}
type byteBuffer struct {
data []byte
}
func base64URLDecode(value string) ([]byte, error) {
value = strings.TrimRight(value, "=")
return base64.RawURLEncoding.DecodeString(value)
}
func newBuffer(data []byte) *byteBuffer {
if data == nil {
return nil
}
return &byteBuffer{
data: data,
}
}
func parseCertificateChain(chain []string) ([]*x509.Certificate, error) {
out := make([]*x509.Certificate, len(chain))
for i, cert := range chain {
raw, err := base64.StdEncoding.DecodeString(cert)
if err != nil {
var log wrapper.Log
log.Errorf("base64.StdEncoding.DecodeString(cert) err :")
return nil, err
}
out[i], err = x509.ParseCertificate(raw)
if err != nil {
return nil, err
}
}
return out, nil
}
func (b byteBuffer) bigInt() *big.Int {
return new(big.Int).SetBytes(b.data)
}
func (b byteBuffer) toInt() int {
return int(b.bigInt().Int64())
}
func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
var curve elliptic.Curve
switch key.Crv {
case "P-256":
curve = elliptic.P256()
case "P-384":
curve = elliptic.P384()
case "P-521":
curve = elliptic.P521()
default:
return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
}
if key.X == nil || key.Y == nil {
return nil, errors.New("go-jose/go-jose: invalid EC key, missing x/y values")
}
// The length of this octet string MUST be the full size of a coordinate for
// the curve specified in the "crv" parameter.
// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
if curveSize(curve) != len(key.X.data) {
return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for x")
}
if curveSize(curve) != len(key.Y.data) {
return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for y")
}
x := key.X.bigInt()
y := key.Y.bigInt()
if !curve.IsOnCurve(x, y) {
return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
}
return &ecdsa.PublicKey{
Curve: curve,
X: x,
Y: y,
}, nil
}
func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
var missing []string
switch {
case key.N == nil:
missing = append(missing, "N")
case key.E == nil:
missing = append(missing, "E")
case key.D == nil:
missing = append(missing, "D")
case key.P == nil:
missing = append(missing, "P")
case key.Q == nil:
missing = append(missing, "Q")
}
if len(missing) > 0 {
return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
}
rv := &rsa.PrivateKey{
PublicKey: rsa.PublicKey{
N: key.N.bigInt(),
E: key.E.toInt(),
},
D: key.D.bigInt(),
Primes: []*big.Int{
key.P.bigInt(),
key.Q.bigInt(),
},
}
if key.Dp != nil {
rv.Precomputed.Dp = key.Dp.bigInt()
}
if key.Dq != nil {
rv.Precomputed.Dq = key.Dq.bigInt()
}
if key.Qi != nil {
rv.Precomputed.Qinv = key.Qi.bigInt()
}
err := rv.Validate()
return rv, err
}
func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
if key.N == nil || key.E == nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid RSA key, missing n/e values")
}
return &rsa.PublicKey{
N: key.N.bigInt(),
E: key.E.toInt(),
}, nil
}
func (b *byteBuffer) bytes() []byte {
// Handling nil here allows us to transparently handle nil slices when serializing.
if b == nil {
return nil
}
return b.data
}
func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
if key.K == nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid OCT (symmetric) key, missing k value")
}
return key.K.bytes(), nil
}
func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
var missing []string
switch {
case key.D == nil:
missing = append(missing, "D")
case key.X == nil:
missing = append(missing, "X")
}
if len(missing) > 0 {
return nil, fmt.Errorf("go-jose/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
}
privateKey := make([]byte, ed25519.PrivateKeySize)
copy(privateKey[0:32], key.D.bytes())
copy(privateKey[32:], key.X.bytes())
rv := ed25519.PrivateKey(privateKey)
return rv, nil
}
func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
if key.X == nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid Ed key, missing x value")
}
publicKey := make([]byte, ed25519.PublicKeySize)
copy(publicKey[0:32], key.X.bytes())
rv := ed25519.PublicKey(publicKey)
return rv, nil
}
func GenJswkey(parseBytes gjson.Result) (*jose.JSONWebKey, error) {
var raw rawJSONWebKey
var log wrapper.Log
selClom(&raw, parseBytes)
//
certs, err := parseCertificateChain(raw.X5c)
if err != nil {
log.Errorf("err : %v", err)
}
var key interface{}
var certPub interface{}
var keyPub interface{}
if len(certs) > 0 {
// We need to check that leaf public key matches the key embedded in this
// JWK, as required by the standard (see RFC 7517, Section 4.7). Otherwise
// the JWK parsed could be semantically invalid. Technically, should also
// check key usage fields and other extensions on the cert here, but the
// standard doesn't exactly explain how they're supposed to map from the
// JWK representation to the X.509 extensions.
certPub = certs[0].PublicKey
}
switch raw.Kty {
case "EC":
if raw.D != nil {
key, err = raw.ecPrivateKey()
if err == nil {
keyPub = key.(*ecdsa.PrivateKey).Public()
}
} else {
key, err = raw.ecPublicKey()
keyPub = key
}
case "RSA":
if raw.D != nil {
key, err = raw.rsaPrivateKey()
if err == nil {
keyPub = key.(*rsa.PrivateKey).Public()
}
} else {
key, err = raw.rsaPublicKey()
keyPub = key
}
case "oct":
if certPub != nil {
return nil, errors.New("go-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
}
key, err = raw.symmetricKey()
case "OKP":
if raw.Crv == "Ed25519" && raw.X != nil {
if raw.D != nil {
key, err = raw.edPrivateKey()
if err == nil {
keyPub = key.(ed25519.PrivateKey).Public()
}
} else {
key, err = raw.edPublicKey()
keyPub = key
}
} else {
err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
}
default:
err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
}
if err != nil {
return nil, err
}
if certPub != nil && keyPub != nil {
if !reflect.DeepEqual(certPub, keyPub) {
return nil, errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
}
}
k := &jose.JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use, Certificates: certs}
if raw.X5u != "" {
k.CertificatesURL, err = url.Parse(raw.X5u)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid JWK, x5u header is invalid URL: %w", err)
}
}
// x5t parameters are base64url-encoded SHA thumbprints
// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
x5tSHA1bytes, err := base64URLDecode(raw.X5tSHA1)
if err != nil {
return nil, errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
}
// RFC 7517, Section 4.8 is ambiguous as to whether the digest output should be byte or hex,
// for this reason, after base64 decoding, if the size is sha1.Size it's likely that the value is a byte encoded
// checksum so we skip this. Otherwise if the checksum was hex encoded we expect a 40 byte sized array so we'll
// try to hex decode it. When Marshalling this value we'll always use a base64 encoded version of byte format checksum.
if len(x5tSHA1bytes) == 2*sha1.Size {
hx, err := hex.DecodeString(string(x5tSHA1bytes))
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
}
x5tSHA1bytes = hx
}
k.CertificateThumbprintSHA1 = x5tSHA1bytes
x5tSHA256bytes, err := base64URLDecode(raw.X5tSHA256)
if err != nil {
return nil, errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
}
if len(x5tSHA256bytes) == 2*sha256.Size {
hx256, err := hex.DecodeString(string(x5tSHA256bytes))
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
}
x5tSHA256bytes = hx256
}
k.CertificateThumbprintSHA256 = x5tSHA256bytes
x5tSHA1Len := len(k.CertificateThumbprintSHA1)
x5tSHA256Len := len(k.CertificateThumbprintSHA256)
if x5tSHA1Len > 0 && x5tSHA1Len != sha1.Size {
return nil, errors.New("go-jose/go-jose: invalid JWK, x5t header is of incorrect size")
}
if x5tSHA256Len > 0 && x5tSHA256Len != sha256.Size {
return nil, errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
}
// If certificate chain *and* thumbprints are set, verify correctness.
if len(k.Certificates) > 0 {
leaf := k.Certificates[0]
sha1sum := sha1.Sum(leaf.Raw)
sha256sum := sha256.Sum256(leaf.Raw)
if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(sha1sum[:], k.CertificateThumbprintSHA1) {
return nil, errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
}
if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(sha256sum[:], k.CertificateThumbprintSHA256) {
return nil, errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
}
}
return k, nil
}
func curveSize(crv elliptic.Curve) int {
bits := crv.Params().BitSize
div := bits / 8
mod := bits % 8
if mod == 0 {
return div
}
return div + 1
}
func dSize(curve elliptic.Curve) int {
order := curve.Params().P
bitLen := order.BitLen()
size := bitLen / 8
if bitLen%8 != 0 {
size++
}
return size
}
func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
var curve elliptic.Curve
switch key.Crv {
case "P-256":
curve = elliptic.P256()
case "P-384":
curve = elliptic.P384()
case "P-521":
curve = elliptic.P521()
default:
return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
}
if key.X == nil || key.Y == nil || key.D == nil {
return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
}
// The length of this octet string MUST be the full size of a coordinate for
// the curve specified in the "crv" parameter.
// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
if curveSize(curve) != len(key.X.data) {
return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for x")
}
if curveSize(curve) != len(key.Y.data) {
return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for y")
}
// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
if dSize(curve) != len(key.D.data) {
return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for d")
}
x := key.X.bigInt()
y := key.Y.bigInt()
if !curve.IsOnCurve(x, y) {
return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
}
return &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: curve,
X: x,
Y: y,
},
D: key.D.bigInt(),
}, nil
}
func selClom(raw *rawJSONWebKey, parseBytes gjson.Result) {
raw.Use = parseBytes.Get("use").String()
raw.Kty = parseBytes.Get("kty").String()
raw.Kid = parseBytes.Get("kid").String()
raw.Crv = parseBytes.Get("crv").String()
raw.Alg = parseBytes.Get("alg").String()
for _, item := range parseBytes.Get("x5c").Array() {
scopes := item.String()
raw.X5c = append(raw.X5c, scopes)
}
raw.X5u = parseBytes.Get("x5u").String()
raw.X5tSHA1 = parseBytes.Get("x5t").String()
raw.X5tSHA256 = parseBytes.Get("x5t#S256").String()
//k
if k := parseBytes.Get("k").Exists(); k {
decode, err := base64URLDecode(parseBytes.Get("k").String())
if err != nil {
return
}
raw.K = newBuffer(decode)
}
//x
if x := parseBytes.Get("x").Exists(); x {
decode, err := base64URLDecode(parseBytes.Get("x").String())
if err != nil {
return
}
raw.X = newBuffer(decode)
}
//y
if y := parseBytes.Get("y").Exists(); y {
decode, err := base64URLDecode(parseBytes.Get("y").String())
if err != nil {
return
}
raw.Y = newBuffer(decode)
}
//n
if n := parseBytes.Get("n").Exists(); n {
decode, err := base64URLDecode(parseBytes.Get("n").String())
if err != nil {
return
}
raw.N = newBuffer(decode)
}
//e
if e := parseBytes.Get("e").Exists(); e {
decode, err := base64URLDecode(parseBytes.Get("e").String())
if err != nil {
return
}
raw.E = newBuffer(decode)
}
//d
if d := parseBytes.Get("d").Exists(); d {
decode, err := base64URLDecode(parseBytes.Get("d").String())
if err != nil {
return
}
raw.D = newBuffer(decode)
}
//p
if p := parseBytes.Get("p").Exists(); p {
decode, err := base64URLDecode(parseBytes.Get("p").String())
if err != nil {
return
}
raw.P = newBuffer(decode)
}
//q
if q := parseBytes.Get("q").Exists(); q {
decode, err := base64URLDecode(parseBytes.Get("q").String())
if err != nil {
return
}
raw.Q = newBuffer(decode)
}
//dp
if dp := parseBytes.Get("dp").Exists(); dp {
decode, err := base64URLDecode(parseBytes.Get("dp").String())
if err != nil {
return
}
raw.Dp = newBuffer(decode)
}
//dq
if dq := parseBytes.Get("dq").Exists(); dq {
decode, err := base64URLDecode(parseBytes.Get("dq").String())
if err != nil {
return
}
raw.Dq = newBuffer(decode)
}
//qi
if qi := parseBytes.Get("qi").Exists(); qi {
decode, err := base64URLDecode(parseBytes.Get("qi").String())
if err != nil {
return
}
raw.Qi = newBuffer(decode)
}
}

290
plugins/wasm-go/extensions/oidc/oc/provider.go
View File

@@ -1,290 +0,0 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"errors"
"fmt"
"net/http"
"net/url"
"regexp"
"strings"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
"github.com/go-jose/go-jose/v3"
"github.com/higress-group/proxy-wasm-go-sdk/proxywasm"
"github.com/tidwall/gjson"
"golang.org/x/oauth2"
)
var re = regexp.MustCompile("<[^>]*>")
// OidcHandler 定义了处理 OpenID ConnectOIDC认证流程的方法集合。
// OIDC 是一个基于 OAuth 2.0 协议的身份验证和授权协议。
type OidcHandler interface {
// ProcessRedirect 负责处理来自 OIDC 身份提供者的重定向响应。
// 该方法会从openid-configuration中获取 authorization_endpoint
// 并确保其中的状态以及任何可能的错误代码都得到正确处理。
ProcessRedirect(log *wrapper.Log, cfg *Oatuh2Config) error
// ProcessExchangeToken 负责执行令牌交换过程。
// 该方法会从 openid-configuration 中获取 token_endpoint 和 jwks_uri
// 然后使用授权码来交换 access token 和 ID token。
ProcessExchangeToken(log *wrapper.Log, cfg *Oatuh2Config) error
// ProcessVerify 负责验证 ID 令牌的有效性。
// 通过使用 openid-configuration 中的获取的 jwks_uri 配置信息来验证 ID 令牌的签名和有效性。
ProcessVerify(log *wrapper.Log, cfg *Oatuh2Config) error
}
type DefaultOAuthHandler struct {
}
func NewDefaultOAuthHandler() OidcHandler {
return &DefaultOAuthHandler{}
}
func ProcessHTTPCall(log *wrapper.Log, cfg *Oatuh2Config, callback func(responseBody []byte)) error {
wellKnownPath := strings.TrimSuffix(cfg.Path, "/") + "/.well-known/openid-configuration"
if err := cfg.Client.Get(wellKnownPath, nil, func(statusCode int, responseHeaders http.Header, responseBody []byte) {
if err := ValidateHTTPResponse(statusCode, responseHeaders, responseBody); err != nil {
cleanedBody := re.ReplaceAllString(string(responseBody), "")
SendError(log, fmt.Sprintf("ValidateHTTPResponse failed , status : %v err : %v err_info: %v ", statusCode, err, cleanedBody), statusCode, "oidc.bad_well_known_response")
return
}
callback(responseBody)
}, uint32(cfg.Timeout)); err != nil {
return err
}
return nil
}
func (d *DefaultOAuthHandler) ProcessRedirect(log *wrapper.Log, cfg *Oatuh2Config) error {
return ProcessHTTPCall(log, cfg, func(responseBody []byte) {
state, _ := Nonce(32)
statStr := GenState(state, cfg.ClientSecret, cfg.RedirectURL)
cfg.Endpoint.AuthURL = gjson.ParseBytes(responseBody).Get("authorization_endpoint").String()
if cfg.Endpoint.AuthURL == "" {
SendError(log, "Missing 'authorization_endpoint' in the OpenID configuration response.", http.StatusInternalServerError, "oidc.auth_endpoint_missing")
return
}
var opts oauth2.AuthCodeOption
if !cfg.SkipNonceCheck {
opts = SetNonce(string(cfg.CookieData.Nonce))
}
codeURL := cfg.AuthCodeURL(statStr, opts)
proxywasm.SendHttpResponseWithDetail(http.StatusFound, "oidc.authed", [][2]string{
{"Location", codeURL},
}, nil, -1)
return
})
}
func (d *DefaultOAuthHandler) ProcessExchangeToken(log *wrapper.Log, cfg *Oatuh2Config) error {
return ProcessHTTPCall(log, cfg, func(responseBody []byte) {
PvRJson := gjson.ParseBytes(responseBody)
cfg.Endpoint.TokenURL = PvRJson.Get("token_endpoint").String()
if cfg.Endpoint.TokenURL == "" {
SendError(log, "Missing 'token_endpoint' in the OpenID configuration response.", http.StatusInternalServerError, "oidc.token_endpoint_missing")
return
}
cfg.JwksURL = PvRJson.Get("jwks_uri").String()
if cfg.JwksURL == "" {
SendError(log, "Missing 'jwks_uri' in the OpenID configuration response.", http.StatusInternalServerError, "oidc.jwks_uri_missing")
return
}
cfg.Option.AuthStyle = AuthStyle(cfg.Endpoint.AuthStyle)
if err := processToken(log, cfg); err != nil {
SendError(log, fmt.Sprintf("ProcessToken failed : err %v", err), http.StatusInternalServerError, "oidc.process_token_failed")
return
}
})
}
func (d *DefaultOAuthHandler) ProcessVerify(log *wrapper.Log, cfg *Oatuh2Config) error {
return ProcessHTTPCall(log, cfg, func(responseBody []byte) {
PvRJson := gjson.ParseBytes(responseBody)
cfg.JwksURL = PvRJson.Get("jwks_uri").String()
if cfg.JwksURL == "" {
SendError(log, "Missing 'token_endpoint' in the OpenID configuration response.", http.StatusInternalServerError, "oidc.token_endpoint_missing")
return
}
var algs []string
for _, a := range PvRJson.Get("id_token_signing_alg_values_supported").Array() {
if SupportedAlgorithms[a.String()] {
algs = append(algs, a.String())
}
}
cfg.SupportedSigningAlgs = algs
if err := processTokenVerify(log, cfg); err != nil {
SendError(log, fmt.Sprintf("failed to verify token: %v", err), http.StatusInternalServerError, "oidc.verify_token_failed")
return
}
})
}
func processToken(log *wrapper.Log, cfg *Oatuh2Config) error {
parsedURL, err := url.Parse(cfg.Endpoint.TokenURL)
if err != nil {
return fmt.Errorf("invalid TokenURL: %v", err)
}
var token Token
urlVales := ReturnURL(cfg.RedirectURL, cfg.Option.Code)
needsAuthStyleProbe := cfg.Option.AuthStyle == AuthStyleUnknown
if needsAuthStyleProbe {
if style, ok := LookupAuthStyle(cfg.Endpoint.TokenURL); ok {
cfg.Option.AuthStyle = style
} else {
cfg.Option.AuthStyle = AuthStyleInHeader
}
}
headers, body, err := NewTokenRequest(cfg.Endpoint.TokenURL, cfg.ClientID, cfg.ClientSecret, urlVales, cfg.Option.AuthStyle)
cb := func(statusCode int, responseHeaders http.Header, responseBody []byte) {
if err := ValidateHTTPResponse(statusCode, responseHeaders, responseBody); err != nil {
cleanedBody := re.ReplaceAllString(string(responseBody), "")
SendError(log, fmt.Sprintf("Valid failed , status : %v err : %v err_info: %v ", statusCode, err, cleanedBody), statusCode, "oidc.bad_token_response")
return
}
tk, err := UnmarshalToken(&token, responseHeaders, responseBody)
if err != nil {
SendError(log, fmt.Sprintf("UnmarshalToken error: %v", err), http.StatusInternalServerError, "oidc.extract_token_failed")
return
}
if tk != nil && token.RefreshToken == "" {
token.RefreshToken = urlVales.Get("refresh_token")
}
betoken := TokenFromInternal(tk)
rawIDToken, ok := betoken.Extra("id_token").(string)
if !ok {
SendError(log, fmt.Sprintf("No id_token field in oauth2 token."), http.StatusInternalServerError, "oidc.id_token_missing")
return
}
cfg.Option.RawIdToken = rawIDToken
err = processTokenVerify(log, cfg)
if err != nil {
SendError(log, fmt.Sprintf("failed to verify token: %v", err), http.StatusInternalServerError, "oidc.verify_token_failed")
return
}
}
err = cfg.Client.Post(parsedURL.Path, headers, body, cb, uint32(cfg.Timeout))
if err != nil {
return fmt.Errorf("HTTP POST error: %v", err)
}
return nil
}
func processTokenVerify(log *wrapper.Log, cfg *Oatuh2Config) error {
keySet := jose.JSONWebKeySet{}
idTokenVerify := cfg.Verifier(&IDConfig{
ClientID: cfg.ClientID,
SupportedSigningAlgs: cfg.SupportedSigningAlgs,
SkipExpiryCheck: cfg.SkipExpiryCheck,
SkipNonceCheck: cfg.SkipNonceCheck,
})
defaultHandlerForRedirect := NewDefaultOAuthHandler()
parsedURL, err := url.Parse(cfg.JwksURL)
if err != nil {
log.Errorf("JwksURL is invalid err : %v", err)
return err
}
cb := func(statusCode int, responseHeaders http.Header, responseBody []byte) {
if err := ValidateHTTPResponse(statusCode, responseHeaders, responseBody); err != nil {
cleanedBody := re.ReplaceAllString(string(responseBody), "")
SendError(log, fmt.Sprintf("Valid failed , status : %v err : %v err_info: %v ", statusCode, err, cleanedBody), statusCode, "oidc.bad_validate_response")
return
}
res := gjson.ParseBytes(responseBody)
for _, val := range res.Get("keys").Array() {
jsw, err := GenJswkey(val)
if err != nil {
log.Errorf("err: %v", err)
SendError(log, fmt.Sprintf("GenJswkey error:%v", err), http.StatusInternalServerError, "oidc.gen_jsw_key_failed")
return
}
keySet.Keys = append(keySet.Keys, *jsw)
}
idtoken, err := idTokenVerify.VerifyToken(cfg.Option.RawIdToken, keySet)
if err != nil {
log.Errorf("VerifyToken err : %v ", err)
defaultHandlerForRedirect.ProcessRedirect(log, cfg)
return
}
if !cfg.SkipNonceCheck && Access == cfg.Option.Mod {
err := verifyNonce(idtoken, cfg)
if err != nil {
log.Error("VerifyNonce failed")
defaultHandlerForRedirect.ProcessRedirect(log, cfg)
return
}
}
//回发和放行
if cfg.Option.Mod == Access {
proxywasm.AddHttpRequestHeader("Authorization", "Bearer "+cfg.Option.RawIdToken)
proxywasm.ResumeHttpRequest()
return
}
cfg.CookieOption.Expire = idtoken.Expiry
cfg.CookieData.IDToken = cfg.Option.RawIdToken
cfg.CookieData.ExpiresOn = idtoken.Expiry
cfg.CookieData.Secret = cfg.CookieOption.Secret
cookieHeader, err := SerializeAndEncryptCookieData(cfg.CookieData, cfg.CookieOption.Secret, cfg.CookieOption)
if err != nil {
SendError(log, fmt.Sprintf("SerializeAndEncryptCookieData failed : %v", err), http.StatusInternalServerError, "oidc.gen_cookie_failed")
return
}
proxywasm.SendHttpResponseWithDetail(http.StatusFound, "oidc.token_verified", [][2]string{
{"Location", cfg.ClientUrl},
{"Set-Cookie", cookieHeader},
}, nil, -1)
return
}
if err := cfg.Client.Get(parsedURL.Path, nil, cb, uint32(cfg.Timeout)); err != nil {
log.Errorf("client.Get error: %v", err)
return err
}
return nil
}
func verifyNonce(idtoken *IDToken, cfg *Oatuh2Config) error {
parts := strings.Split(idtoken.Nonce, ".")
if len(parts) != 2 {
return errors.New("nonce format err expect 2 parts")
}
stateval, signature := parts[0], parts[1]
return VerifyState(stateval, signature, cfg.ClientSecret, cfg.RedirectURL)
}

112
plugins/wasm-go/extensions/oidc/oc/util.go
View File

@@ -1,112 +0,0 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"time"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
"github.com/higress-group/proxy-wasm-go-sdk/proxywasm"
"github.com/tidwall/gjson"
)
func ValidateHTTPResponse(statusCode int, headers http.Header, body []byte) error {
contentType := headers.Get("Content-Type")
if statusCode != http.StatusOK {
return errors.New("call failed with status code")
}
if !strings.Contains(contentType, "application/json") {
return fmt.Errorf("expected Content-Type = application/json , but got %s", contentType)
}
if !gjson.ValidBytes(body) {
return errors.New("invalid JSON format in response body")
}
return nil
}
// GetParams 返回顺序 cookie code state
func GetParams(name, cookie, path, key string) (oidcCookieValue, code, state string, err error) {
u, err := url.Parse(path)
if err != nil {
return "", "", "", err
}
query := u.Query()
code, state = query.Get("code"), query.Get("state")
cookiePairs := strings.Split(cookie, "; ")
for _, pair := range cookiePairs {
keyValue := strings.Split(pair, "=")
if keyValue[0] == name {
oidcCookieValue = keyValue[1]
break
}
}
oidcCookieValue, err = url.QueryUnescape(oidcCookieValue)
if err != nil {
return "", "", "", err
}
oidcCookieValue, err = Decrypt(oidcCookieValue, key)
return oidcCookieValue, code, state, nil
}
func SendError(log *wrapper.Log, errMsg string, status int, statusDetail string) {
log.Errorf(errMsg)
proxywasm.SendHttpResponseWithDetail(uint32(status), statusDetail, nil, []byte(errMsg), -1)
}
type jsonTime time.Time
func (j *jsonTime) UnmarshalJSON(b []byte) error {
var n json.Number
if err := json.Unmarshal(b, &n); err != nil {
return err
}
var unix int64
if t, err := n.Int64(); err == nil {
unix = t
} else {
f, err := n.Float64()
if err != nil {
return err
}
unix = int64(f)
}
*j = jsonTime(time.Unix(unix, 0))
return nil
}
type audience []string
func (a *audience) UnmarshalJSON(b []byte) error {
var s string
if json.Unmarshal(b, &s) == nil {
*a = audience{s}
return nil
}
var auds []string
if err := json.Unmarshal(b, &auds); err != nil {
return err
}
*a = auds
return nil
}

219
plugins/wasm-go/extensions/oidc/oc/verifer.go
View File

@@ -1,219 +0,0 @@
/*
Copyright 2023 go-oidc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package oc
import (
"bytes"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"strings"
"time"
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
"github.com/go-jose/go-jose/v3"
)
// IDTokenVerifierConfig
type IDTokenVerifier struct {
config *IDConfig
issuer string
}
const (
issuerGoogleAccounts = "https://accounts.google.com"
issuerGoogleAccountsNoScheme = "accounts.google.com"
LEEWAY = 5 * time.Minute
)
type IDToken struct {
Issuer string
Audience []string
Subject string
Expiry time.Time
IssuedAt time.Time
Nonce string
AccessTokenHash string
sigAlgorithm string
claims []byte
distributedClaims map[string]claimSource
}
type TokenExpiredError struct {
Expiry time.Time
}
func (e *TokenExpiredError) Error() string {
return fmt.Sprintf("oidc: token is expired (Token Expiry: %v)", e.Expiry)
}
func (i *IDToken) Claims(v interface{}) error {
if i.claims == nil {
return errors.New("oidc: claims not set")
}
return json.Unmarshal(i.claims, v)
}
func (v *IDTokenVerifier) VerifyToken(rawIDToken string, keySet jose.JSONWebKeySet) (*IDToken, error) {
var log wrapper.Log
payload, err := parseJWT(rawIDToken)
if err != nil {
return nil, fmt.Errorf(" malformed jwt: %v", err)
}
var token idToken
if err := json.Unmarshal(payload, &token); err != nil {
log.Errorf("idToken Unmarshal error : %v ", err)
return nil, fmt.Errorf("failed to unmarshal claims: %v", err)
}
distributedClaims := make(map[string]claimSource)
//step through the token to map claim names to claim sources
for cn, src := range token.ClaimNames {
if src == "" {
return nil, fmt.Errorf("failed to obtain source from claim name")
}
s, ok := token.ClaimSources[src]
if !ok {
return nil, fmt.Errorf("source does not exist")
}
distributedClaims[cn] = s
}
t := &IDToken{
Issuer: token.Issuer,
Subject: token.Subject,
Audience: []string(token.Audience),
Expiry: time.Time(token.Expiry),
IssuedAt: time.Time(token.IssuedAt),
Nonce: token.Nonce,
AccessTokenHash: token.AtHash,
claims: payload,
distributedClaims: distributedClaims,
}
// Check issuer.
if !v.config.SkipIssuerCheck && t.Issuer != v.issuer {
// Google sometimes returns "accounts.google.com" as the issuer claim instead of
// the required "https://accounts.google.com". Detect this case and allow it only
// for Google.
//
// We will not add hooks to let other providers go off spec like this.
if !(v.issuer == issuerGoogleAccounts && t.Issuer == issuerGoogleAccountsNoScheme) {
return nil, fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", v.issuer, t.Issuer)
}
}
if v.config.ClientID != "" {
if !contains(t.Audience, v.config.ClientID) {
return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.ClientID, t.Audience)
}
}
// If a SkipExpiryCheck is false, make sure token is not expired.
if !v.config.SkipExpiryCheck {
now := time.Now
if v.config.Now != nil {
now = v.config.Now
}
nowTime := now()
if t.Expiry.Before(nowTime) {
return nil, &TokenExpiredError{Expiry: t.Expiry}
}
// If nbf claim is provided in token, ensure that it is indeed in the past.
if token.NotBefore != nil {
nbfTime := time.Time(*token.NotBefore)
// Set to 5 minutes since this is what other OpenID Connect providers do to deal with clock skew.
// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/6.12.2/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L149-L153
if nowTime.Add(LEEWAY).Before(nbfTime) {
return nil, fmt.Errorf("oidc: current time %v before the nbf (not before) time: %v", nowTime, nbfTime)
}
}
}
jws, err := jose.ParseSigned(rawIDToken)
if err != nil {
return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
}
switch len(jws.Signatures) {
case 0:
return nil, fmt.Errorf("oidc: id token not signed")
case 1:
default:
return nil, fmt.Errorf("oidc: multiple signatures on id token not supported")
}
sig := jws.Signatures[0]
supportedSigAlgs := v.config.SupportedSigningAlgs
if len(supportedSigAlgs) == 0 {
supportedSigAlgs = []string{RS256}
}
if !contains(supportedSigAlgs, sig.Header.Algorithm) {
return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", supportedSigAlgs, sig.Header.Algorithm)
}
t.sigAlgorithm = sig.Header.Algorithm
keyID := ""
for _, sig := range jws.Signatures {
keyID = sig.Header.KeyID
break
}
for _, key := range keySet.Keys {
if keyID == "" || key.KeyID == keyID {
if gotPayload, err := jws.Verify(&key); err == nil {
if !bytes.Equal(gotPayload, payload) {
return nil, errors.New("oidc: internal error, payload parsed did not match previous payload")
}
}
}
}
return t, nil
}
func contains(sli []string, ele string) bool {
for _, s := range sli {
if s == ele {
return true
}
}
return false
}
func parseJWT(p string) ([]byte, error) {
parts := strings.Split(p, ".")
if len(parts) < 2 {
return nil, fmt.Errorf("oidc: malformed jwt, expected 3 parts got %d", len(parts))
}
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, fmt.Errorf("oidc: malformed jwt payload: %v", err)
}
return payload, nil
}
func (cfg *Oatuh2Config) Verifier(config *IDConfig) *IDTokenVerifier {
return &IDTokenVerifier{
config: config,
issuer: cfg.Issuer,
}
}