Add oidc pkce support

Author: idsulik

README.md

@@ -177,6 +177,7 @@ OIDC Provider:
   --providers.oidc.client-id=                           Client ID [$PROVIDERS_OIDC_CLIENT_ID]
   --providers.oidc.client-secret=                       Client Secret [$PROVIDERS_OIDC_CLIENT_SECRET]
   --providers.oidc.resource=                            Optional resource indicator [$PROVIDERS_OIDC_RESOURCE]
+  --providers.oidc.pkce_required=                       Optional pkce required indicator [$PROVIDERS_OIDC_PKCE_REQUIRED]
 
 Generic OAuth2 Provider:
   --providers.generic-oauth.auth-url=                   Auth/Login URL [$PROVIDERS_GENERIC_OAUTH_AUTH_URL]

internal/cookie/cookie.go

@@ -0,0 +1,66 @@
+package cookie
+
+import (
+	"errors"
+	"net/http"
+	"time"
+)
+
+// CookieStore interface defines methods for setting and getting cookies
+type CookieStore interface {
+	SetCookie(name, value string)
+	GetCookie(name string) (string, error)
+	DeleteCookie(name string)
+}
+
+// CookieStoreImpl is a concrete implementation of the CookieStore interface
+type CookieStoreImpl struct {
+	writer  http.ResponseWriter
+	request *http.Request
+	secure  bool
+}
+
+// NewCookieStore creates a new instance of CookieStoreImpl
+func NewCookieStore(w http.ResponseWriter, r *http.Request, secure bool) *CookieStoreImpl {
+	return &CookieStoreImpl{
+		writer:  w,
+		request: r,
+		secure:  secure,
+	}
+}
+
+// SetCookie sets a cookie with the given name, value, and attributes
+func (c *CookieStoreImpl) SetCookie(name, value string) {
+	cookie := &http.Cookie{
+		Name:     name,
+		Value:    value,
+		Path:     "/",
+		Secure:   c.secure,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	}
+
+	http.SetCookie(c.writer, cookie)
+}
+
+// DeleteCookie removes a cookie with the given name
+func (c *CookieStoreImpl) DeleteCookie(name string) {
+	cookie := &http.Cookie{
+		Name:    name,
+		Value:   "",
+		Path:    "/",
+		MaxAge:  -1,
+		Expires: time.Unix(0, 0),
+	}
+
+	http.SetCookie(c.writer, cookie)
+}
+
+// GetCookie retrieves the value of the cookie with the given name
+func (c *CookieStoreImpl) GetCookie(name string) (string, error) {
+	cookie, err := c.request.Cookie(name)
+	if err != nil {
+		return "", errors.New("cookie not found")
+	}
+	return cookie.Value, nil
+}

internal/pkce/verifier.go

@@ -0,0 +1,58 @@
+package pkce
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"io"
+)
+
+type CodeVerifier struct {
+	Value string
+}
+
+func CreateCodeVerifier() (*CodeVerifier, error) {
+	secureRandomString, err := generateSecureRandomString(32)
+	if err != nil {
+		return nil, err
+	}
+	return &CodeVerifier{
+		Value: secureRandomString,
+	}, nil
+}
+
+func CreateCodeVerifierWithCode(code string) *CodeVerifier {
+	return &CodeVerifier{
+		Value: code,
+	}
+}
+
+func (v *CodeVerifier) String() string {
+	return v.Value
+}
+
+func (v *CodeVerifier) CodeChallengeS256() string {
+	h := sha256.New()
+	h.Write([]byte(v.Value))
+	hash := h.Sum(nil)
+
+	return encode(hash)
+}
+
+func GenerateNonce() (string, error) {
+	return generateSecureRandomString(32)
+}
+
+func generateSecureRandomString(length int) (string, error) {
+	bytes := make([]byte, length)
+	if _, err := io.ReadFull(rand.Reader, bytes); err != nil {
+		return "", fmt.Errorf("failed to generate secure random string: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(bytes), nil
+}
+
+func encode(msg []byte) string {
+	encoded := base64.RawURLEncoding.EncodeToString(msg)
+	return encoded
+}

internal/provider/generic_oauth.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/thomseddon/traefik-forward-auth/internal/cookie"
 	"golang.org/x/oauth2"
 )
 
@@ -52,12 +53,12 @@ func (o *GenericOAuth) Setup() error {
 }
 
 // GetLoginURL provides the login url for the given redirect uri and state
-func (o *GenericOAuth) GetLoginURL(redirectURI, state string) string {
-	return o.OAuthGetLoginURL(redirectURI, state)
+func (o *GenericOAuth) GetLoginURL(redirectURI, state string, _ cookie.CookieStore) (string, error) {
+	return o.OAuthGetLoginURL(redirectURI, state), nil
 }
 
 // ExchangeCode exchanges the given redirect uri and code for a token
-func (o *GenericOAuth) ExchangeCode(redirectURI, code string) (string, error) {
+func (o *GenericOAuth) ExchangeCode(redirectURI, code string, _ cookie.CookieStore) (string, error) {
 	token, err := o.OAuthExchangeCode(redirectURI, code)
 	if err != nil {
 		return "", err

internal/provider/generic_oauth_test.go

@@ -53,7 +53,8 @@ func TestGenericOAuthGetLoginURL(t *testing.T) {
 	}
 
 	// Check url
-	uri, err := url.Parse(p.GetLoginURL("http://example.com/_oauth", "state"))
+	loginURL, _ := p.GetLoginURL("http://example.com/_oauth", "state", nil)
+	uri, err := url.Parse(loginURL)
 	assert.Nil(err)
 	assert.Equal("https", uri.Scheme)
 	assert.Equal("provider.com", uri.Host)
@@ -104,7 +105,7 @@ func TestGenericOAuthExchangeCode(t *testing.T) {
 	// AuthStyleInHeader is attempted
 	p.Config.Endpoint.AuthStyle = oauth2.AuthStyleInParams
 
-	token, err := p.ExchangeCode("http://example.com/_oauth", "code")
+	token, err := p.ExchangeCode("http://example.com/_oauth", "code", nil)
 	assert.Nil(err)
 	assert.Equal("123456789", token)
 }

internal/provider/google.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+
+	"github.com/thomseddon/traefik-forward-auth/internal/cookie"
 )
 
 // Google provider
@@ -53,7 +55,7 @@ func (g *Google) Setup() error {
 }
 
 // GetLoginURL provides the login url for the given redirect uri and state
-func (g *Google) GetLoginURL(redirectURI, state string) string {
+func (g *Google) GetLoginURL(redirectURI, state string, _ cookie.CookieStore) (string, error) {
 	q := url.Values{}
 	q.Set("client_id", g.ClientID)
 	q.Set("response_type", "code")
@@ -68,11 +70,11 @@ func (g *Google) GetLoginURL(redirectURI, state string) string {
 	u = *g.LoginURL
 	u.RawQuery = q.Encode()
 
-	return u.String()
+	return u.String(), nil
 }
 
 // ExchangeCode exchanges the given redirect uri and code for a token
-func (g *Google) ExchangeCode(redirectURI, code string) (string, error) {
+func (g *Google) ExchangeCode(redirectURI, code string, _ cookie.CookieStore) (string, error) {
 	form := url.Values{}
 	form.Set("client_id", g.ClientID)
 	form.Set("client_secret", g.ClientSecret)

internal/provider/google_test.go

@@ -68,7 +68,8 @@ func TestGoogleGetLoginURL(t *testing.T) {
 	}
 
 	// Check url
-	uri, err := url.Parse(p.GetLoginURL("http://example.com/_oauth", "state"))
+	loginUrl, _ := p.GetLoginURL("http://example.com/_oauth", "state", nil)
+	uri, err := url.Parse(loginUrl)
 	assert.Nil(err)
 	assert.Equal("https", uri.Scheme)
 	assert.Equal("google.com", uri.Host)
@@ -116,7 +117,7 @@ func TestGoogleExchangeCode(t *testing.T) {
 		},
 	}
 
-	token, err := p.ExchangeCode("http://example.com/_oauth", "code")
+	token, err := p.ExchangeCode("http://example.com/_oauth", "code", nil)
 	assert.Nil(err)
 	assert.Equal("123456789", token)
 }

internal/provider/oidc.go

@@ -3,16 +3,25 @@ package provider
 import (
 	"context"
 	"errors"
+	"strings"
 
 	"github.com/coreos/go-oidc"
+	"github.com/thomseddon/traefik-forward-auth/internal/cookie"
+	"github.com/thomseddon/traefik-forward-auth/internal/pkce"
 	"golang.org/x/oauth2"
 )
 
+const (
+	CookieNameNonce    = "oidc-nonce"
+	CookieNamePkceCode = "oidc-pkce-code"
+)
+
 // OIDC provider
 type OIDC struct {
 	IssuerURL    string `long:"issuer-url" env:"ISSUER_URL" description:"Issuer URL"`
 	ClientID     string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
 	ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
+	PkceRequired bool   `long:"pkce-required" env:"PKCE_REQUIRED" description:"Optional pkce required indicator"`
 
 	OAuthProvider
 
@@ -27,9 +36,9 @@ func (o *OIDC) Name() string {
 
 // Setup performs validation and setup
 func (o *OIDC) Setup() error {
-	// Check parms
-	if o.IssuerURL == "" || o.ClientID == "" || o.ClientSecret == "" {
-		return errors.New("providers.oidc.issuer-url, providers.oidc.client-id, providers.oidc.client-secret must be set")
+	// Check params
+	if err := o.checkParams(); err != nil {
+		return err
 	}
 
 	var err error
@@ -60,13 +69,47 @@ func (o *OIDC) Setup() error {
 }
 
 // GetLoginURL provides the login url for the given redirect uri and state
-func (o *OIDC) GetLoginURL(redirectURI, state string) string {
-	return o.OAuthGetLoginURL(redirectURI, state)
+func (o *OIDC) GetLoginURL(redirectURI, state string, cookieStore cookie.CookieStore) (string, error) {
+	var opts []oauth2.AuthCodeOption
+
+	// Generate and store nonce
+	nonce, err := pkce.GenerateNonce()
+	if err != nil {
+		return "", err
+	}
+
+	cookieStore.SetCookie(CookieNameNonce, nonce)
+
+	opts = append(opts, oauth2.SetAuthURLParam("nonce", nonce))
+
+	if o.PkceRequired {
+		pkceVerifier, err := pkce.CreateCodeVerifier()
+		if err != nil {
+			return "", err
+		}
+
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256"))
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge", pkceVerifier.CodeChallengeS256()))
+
+		cookieStore.SetCookie(CookieNamePkceCode, pkceVerifier.String())
+	}
+	return o.OAuthGetLoginURL(redirectURI, state, opts...), nil
 }
 
 // ExchangeCode exchanges the given redirect uri and code for a token
-func (o *OIDC) ExchangeCode(redirectURI, code string) (string, error) {
-	token, err := o.OAuthExchangeCode(redirectURI, code)
+func (o *OIDC) ExchangeCode(redirectURI, code string, cookieStore cookie.CookieStore) (string, error) {
+	var opts []oauth2.AuthCodeOption
+
+	if o.PkceRequired {
+		pkceCode, err := cookieStore.GetCookie(CookieNamePkceCode)
+		if err != nil {
+			return "", err
+		}
+		cookieStore.DeleteCookie(CookieNamePkceCode)
+		opts = append(opts, oauth2.SetAuthURLParam("code_verifier", pkceCode))
+	}
+
+	token, err := o.OAuthExchangeCode(redirectURI, code, opts...)
 	if err != nil {
 		return "", err
 	}
@@ -77,6 +120,23 @@ func (o *OIDC) ExchangeCode(redirectURI, code string) (string, error) {
 		return "", errors.New("Missing id_token")
 	}
 
+	// Verify nonce
+	idToken, err := o.verifier.Verify(o.ctx, rawIDToken)
+	if err != nil {
+		return "", err
+	}
+
+	nonce, err := cookieStore.GetCookie(CookieNameNonce)
+	if err != nil {
+		return "", errors.New("nonce not found")
+	}
+
+	cookieStore.DeleteCookie(CookieNameNonce)
+
+	if idToken.Nonce != nonce {
+		return "", errors.New("nonce verification failed")
+	}
+
 	return rawIDToken, nil
 }
 
@@ -97,3 +157,25 @@ func (o *OIDC) GetUser(token string) (User, error) {
 
 	return user, nil
 }
+
+func (o *OIDC) checkParams() error {
+	if o.IssuerURL == "" || o.ClientID == "" || (o.ClientSecret == "" && !o.PkceRequired) {
+		var emptyFields []string
+
+		if o.IssuerURL == "" {
+			emptyFields = append(emptyFields, "providers.oidc.issuer-url")
+		}
+
+		if o.ClientID == "" {
+			emptyFields = append(emptyFields, "providers.oidc.client-id")
+		}
+
+		if o.ClientSecret == "" && !o.PkceRequired {
+			emptyFields = append(emptyFields, "providers.oidc.client-secret")
+		}
+
+		return errors.New(strings.Join(emptyFields, ", ") + " must be set")
+	}
+
+	return nil
+}