Allow OIDC Bearer Tokens without emails

This reverts to functionality before #499 where an OIDC provider could be used with `--skip-jwt-bearer-tokens` and tokens without an email or profileURL would still be valid. This logic mirrors `middleware.createSessionStateFromBearerToken` which used to be the universal logic before #499.
2020-07-27 14:51:29 -07:00 · 2020-07-27 14:51:29 -07:00 · 514db45d1a
commit 514db45d1a
parent 8515da3e91
3 changed files with 79 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -16,6 +16,7 @@
 - [#718](https://github.com/oauth2-proxy/oauth2-proxy/pull/718) Allow Logging to stdout with separate Error Log Channel
 - [#690](https://github.com/oauth2-proxy/oauth2-proxy/pull/690) Address GoSec security findings & remediate (@NickMeves)
 - [#689](https://github.com/oauth2-proxy/oauth2-proxy/pull/689) Fix finicky logging_handler_test from time drift (@NickMeves)
+- [#700](https://github.com/oauth2-proxy/oauth2-proxy/pull/700) Allow OIDC Bearer auth IDTokens to have empty email claim & profile URL (@NickMeves)
 - [#699](https://github.com/oauth2-proxy/oauth2-proxy/pull/699) Align persistence ginkgo tests with conventions (@NickMeves)
 - [#696](https://github.com/oauth2-proxy/oauth2-proxy/pull/696) Preserve query when building redirect
 - [#561](https://github.com/oauth2-proxy/oauth2-proxy/pull/561) Refactor provider URLs to package level vars (@JoelSpeed)
--- a/providers/oidc.go
+++ b/providers/oidc.go
@ -231,7 +231,6 @@ func getOIDCHeader(accessToken string) http.Header {
 }

 func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.IDToken, accessToken string, profileURL string) (*OIDCClaims, error) {
-
 	claims := &OIDCClaims{}
 	// Extract default claims.
 	if err := idToken.Claims(&claims); err != nil {
@ -250,7 +249,8 @@ func (p *OIDCProvider) findClaimsFromIDToken(ctx context.Context, idToken *oidc.
 	// userID claim was not present or was empty in the ID Token
 	if claims.UserID == "" {
 		if profileURL == "" {
-			return nil, fmt.Errorf("id_token did not contain user ID claim (%q)", p.UserIDClaim)
+			claims.UserID = claims.Subject
+			return claims, nil
 		}

 		// If the userinfo endpoint profileURL is defined, then there is a chance the userinfo
--- a/providers/oidc_test.go
+++ b/providers/oidc_test.go
@ -60,6 +60,22 @@ var defaultIDToken idTokenClaims = idTokenClaims{
 	},
 }

+var minimalIDToken idTokenClaims = idTokenClaims{
+	"",
+	"",
+	"",
+	"",
+	jwt.StandardClaims{
+		Audience:  "https://test.myapp.com",
+		ExpiresAt: time.Now().Add(time.Duration(5) * time.Minute).Unix(),
+		Id:        "id-some-id",
+		IssuedAt:  time.Now().Unix(),
+		Issuer:    "https://issuer.example.com",
+		NotBefore: 0,
+		Subject:   "minimal",
+	},
+}
+
 type fakeKeySetStub struct{}

 func (fakeKeySetStub) VerifySignature(_ context.Context, jwt string) (payload []byte, err error) {
@ -253,6 +269,66 @@ func TestOIDCProviderRefreshSessionIfNeededWithIdToken(t *testing.T) {
 	assert.Equal(t, refreshToken, existingSession.RefreshToken)
 }

+func TestCreateSessionStateFromBearerToken(t *testing.T) {
+	const profileURLEmail = "janed@me.com"
+
+	testCases := map[string]struct {
+		IDToken       idTokenClaims
+		ProfileURL    bool
+		ExpectedEmail string
+	}{
+		"Default IDToken": {
+			IDToken:       defaultIDToken,
+			ProfileURL:    true,
+			ExpectedEmail: profileURLEmail,
+		},
+		"Minimal IDToken with no OIDC Profile URL": {
+			IDToken:       minimalIDToken,
+			ProfileURL:    false,
+			ExpectedEmail: "",
+		},
+		"Minimal IDToken with OIDC Profile URL": {
+			IDToken:       minimalIDToken,
+			ProfileURL:    true,
+			ExpectedEmail: profileURLEmail,
+		},
+	}
+	for testName, tc := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			jsonResp := []byte(fmt.Sprintf(`{"email":"%s"}`, profileURLEmail))
+			server, provider := newTestSetup(jsonResp)
+			defer server.Close()
+			if !tc.ProfileURL {
+				provider.ProfileURL = &url.URL{}
+			}
+
+			rawIDToken, err := newSignedTestIDToken(tc.IDToken)
+			assert.NoError(t, err)
+
+			keyset := fakeKeySetStub{}
+			verifier := oidc.NewVerifier("https://issuer.example.com", keyset,
+				&oidc.Config{ClientID: "https://test.myapp.com", SkipExpiryCheck: true})
+
+			idToken, err := verifier.Verify(context.Background(), rawIDToken)
+			assert.NoError(t, err)
+
+			ss, err := provider.CreateSessionStateFromBearerToken(context.Background(), rawIDToken, idToken)
+			assert.NoError(t, err)
+
+			if tc.ExpectedEmail != "" {
+				assert.Equal(t, tc.ExpectedEmail, ss.Email)
+				assert.NotEqual(t, ss.Email, ss.User)
+			} else {
+				assert.Equal(t, tc.IDToken.Subject, ss.Email)
+				assert.Equal(t, ss.Email, ss.User)
+			}
+			assert.Equal(t, rawIDToken, ss.IDToken)
+			assert.Equal(t, rawIDToken, ss.AccessToken)
+			assert.Equal(t, "", ss.RefreshToken)
+		})
+	}
+}
+
 func TestOIDCProvider_findVerifiedIdToken(t *testing.T) {

 	server, provider := newTestSetup([]byte(""))