Merge pull request #396 from MadAppGang/federated-oidc-settings

federated OIDC settings
MadAppGang · Mar 10, 2023 · 447686f · 447686f
2 parents 6078ec4 + d433b64
commit 447686f
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 24 deletions.
diff --git a/localization/messages_const.go b/localization/messages_const.go
diff --git a/localization/translations/en.yaml b/localization/translations/en.yaml
@@ -101,6 +101,8 @@ error.federated.idtoken.missing: "No id_token returned for federated login"
 error.federated.idtoken.invalid: "Invalid id_token returned for federated login: %v"
 error.federated.claims.error: "Invalid claims error: %v"
 error.federated.oidc.provider.error: "Failed to init OIDC provider: %v"
+error.federated.oidc.disabled: "Federated OIDC login disabled"
+
 
 # Storages
 error.storage.update_user.error: "Unable to update user with id %s with error: %v"

diff --git a/model/oidc_settings.go b/model/oidc_settings.go
@@ -11,6 +11,7 @@ type OIDCSettings struct {
 	EmailClaimField  string   `bson:"email_claim_field,omitempty" json:"email_claim_field,omitempty"`
 	UserIDClaimField string   `bson:"user_id_claim_field,omitempty" json:"user_id_claim_field,omitempty"`
 	Scopes           []string `bson:"scopes,omitempty" json:"scopes,omitempty"`
+	InitURL          string   `bson:"init_url,omitempty" json:"init_url,omitempty"`
 	// ScopeMapping maps OIDC scopes to Identifo scopes.
 	ScopeMapping map[string]string `bson:"scope_mapping,omitempty" json:"scope_mapping,omitempty"`
 }

diff --git a/model/server_settings.go b/model/server_settings.go
@@ -294,10 +294,11 @@ type LoginSettings struct {
 
 // LoginWith is a type for configuring supported login ways.
 type LoginWith struct {
-	Username  bool `yaml:"username" json:"username"`
-	Phone     bool `yaml:"phone" json:"phone"`
-	Email     bool `yaml:"email" json:"email"`
-	Federated bool `yaml:"federated" json:"federated"`
+	Username      bool `yaml:"username" json:"username"`
+	Phone         bool `yaml:"phone" json:"phone"`
+	Email         bool `yaml:"email" json:"email"`
+	Federated     bool `yaml:"federated" json:"federated"`
+	FederatedOIDC bool `yaml:"federatedOIDC" json:"federated_oidc"`
 }
 
 // TFAType is a type of two-factor authentication for apps that support it.

diff --git a/model/server_settings_defaults.go b/model/server_settings_defaults.go
@@ -31,9 +31,10 @@ var DefaultServerSettings = ServerSettings{
 	},
 	Login: LoginSettings{
 		LoginWith: LoginWith{
-			Phone:     true,
-			Username:  true,
-			Federated: false,
+			Phone:         true,
+			Username:      true,
+			Federated:     false,
+			FederatedOIDC: false,
 		},
 		TFAType:          TFATypeApp,
 		TFAResendTimeout: 30,

diff --git a/web/api/app_settings.go b/web/api/app_settings.go
@@ -22,6 +22,7 @@ type appSettings struct {
 	LoginWith                    model.LoginWith `json:"loginWith"`
 	FederatedProviders           []string        `json:"federatedProviders"`
 	CustomEmailTemplates         bool            `json:"customEmailTemplates"`
+	FederatedOIDCInitURL         string          `json:"federatedOIDCInitURL"`
 }
 
 // GetAppSettings return app settings
@@ -49,6 +50,7 @@ func (ar *Router) GetAppSettings() http.HandlerFunc {
 			LoginWith:                    ar.SupportedLoginWays,
 			FederatedProviders:           make([]string, 0, len(app.FederatedProviders)),
 			CustomEmailTemplates:         app.CustomEmailTemplates,
+			FederatedOIDCInitURL:         app.OIDCSettings.InitURL,
 		}
 
 		for k := range app.FederatedProviders {

diff --git a/web/api/federated_oidc_login.go b/web/api/federated_oidc_login.go
@@ -87,6 +87,11 @@ func (ar *Router) OIDCLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !ar.SupportedLoginWays.FederatedOIDC {
+		ar.Error(w, locale, http.StatusBadRequest, l.ErrorFederatedOidcDisabled)
+		return
+	}
+
 	redirect := r.URL.Query().Get("redirectUrl")
 	if len(redirect) == 0 {
 		ar.Error(w, locale, http.StatusBadRequest, l.APIAPPFederatedProviderEmptyRedirect)
@@ -151,6 +156,11 @@ func (ar *Router) OIDCLoginComplete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !ar.SupportedLoginWays.FederatedOIDC {
+		ar.Error(w, locale, http.StatusBadRequest, l.ErrorFederatedOidcDisabled)
+		return
+	}
+
 	claims, fsess, err := ar.completeOIDCAuth(r, app)
 	if err != nil {
 		ar.ErrorResponse(w, err)

diff --git a/web/api/federated_oidc_login_test.go b/web/api/federated_oidc_login_test.go
@@ -45,6 +45,7 @@ var testServerSettings = model.DefaultServerSettings
 
 func (tc testConfig) LoadServerSettings(validate bool) (model.ServerSettings, []error) {
 	testServerSettings.KeyStorage.Local.Path = "../../jwt/test_artifacts/private.pem"
+	testServerSettings.Login.LoginWith.FederatedOIDC = true
 	return testServerSettings, nil
 }
 
@@ -62,6 +63,9 @@ func init() {
 	}
 
 	rs := api.RouterSettings{
+		LoginWith: model.LoginWith{
+			FederatedOIDC: true,
+		},
 		Server: testServer,
 		Cors:   cors.New(model.DefaultCors),
 	}

diff --git a/web/management/auth_middleware.go b/web/management/auth_middleware.go
@@ -15,30 +15,30 @@ func (ar *Router) AuthMiddleware(next http.Handler) http.Handler {
 		locale := r.Header.Get("Accept-Language")
 
 		if len(r.Header[KeyIDHeaderKey]) != 1 || len(r.Header[KeyIDHeaderKey][0]) == 0 {
-			ar.Error(w, locale, http.StatusBadRequest, l.ErrorMANoKeyID)
+			ar.Error(w, locale, http.StatusBadRequest, l.ErrorNativeLoginMaNoKeyID)
 			return
 		}
 
 		keyID := r.Header[KeyIDHeaderKey][0]
 		key, err := ar.stor.GetKey(r.Context(), keyID)
 		if err != nil {
-			ar.Error(w, locale, http.StatusBadRequest, l.ErrorMAErrorGettingKeyWithID, keyID, err)
+			ar.Error(w, locale, http.StatusBadRequest, l.ErrorNativeLoginMaErrorKeyWithID, keyID, err)
 			return
 		}
 
-		if key.Active == false {
-			ar.Error(w, locale, http.StatusBadRequest, l.ErrorMAErrorInactiveKey)
+		if !key.Active {
+			ar.Error(w, locale, http.StatusBadRequest, l.ErrorNativeLoginMaKeyInactive)
 			return
 		}
 
 		if key.ValidTill != nil && time.Now().After(*key.ValidTill) {
-			ar.Error(w, locale, http.StatusBadRequest, l.ErrorMAErrorExpiredKey)
+			ar.Error(w, locale, http.StatusBadRequest, l.ErrorNativeLoginMaKeyExpired)
 			return
 		}
 
 		err = sig.VerifySignature(r, []byte(key.Secret))
 		if err != nil {
-			ar.Error(w, locale, http.StatusBadRequest, l.ErrorMAErrorInvalidSignature, err)
+			ar.Error(w, locale, http.StatusBadRequest, l.ErrorNativeLoginMaErrorSignature, err)
 			return
 		}
 		next.ServeHTTP(w, r)