Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Improve logging in the oauth2 callback handler #11370

Merged
merged 1 commit into from
Jul 16, 2023
Merged

feat: Improve logging in the oauth2 callback handler #11370

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions server/auth/sso/sso.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,7 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
cookie, err := r.Cookie(state)
http.SetCookie(w, &http.Cookie{Name: state, MaxAge: 0})
if err != nil {
log.WithError(err).Error("failed to get cookie")
w.WriteHeader(400)
return
}
Expand All @@ -238,25 +239,28 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
oauth2Context := context.WithValue(ctx, oauth2.HTTPClient, s.httpClient)
oauth2Token, err := s.config.Exchange(oauth2Context, r.URL.Query().Get("code"), redirectOption)
if err != nil {
log.WithError(err).Error("failed to get oauth2Token by using code from the oauth2 server")
w.WriteHeader(401)
return
}
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
if !ok {
log.Error("failed to extract id_token from the response")
w.WriteHeader(401)
return
}
idToken, err := s.idTokenVerifier.Verify(ctx, rawIDToken)
if err != nil {
log.WithError(err).Error("failed to verify the id token issued")
w.WriteHeader(401)
return
}
c := &types.Claims{}
if err := idToken.Claims(c); err != nil {
log.WithError(err).Error("failed to get claims from the id token")
w.WriteHeader(401)
return
}

// Default to groups claim but if customClaimName is set
// extract groups based on that claim key
groups := c.Groups
Expand All @@ -266,17 +270,16 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
log.Warn(err)
}
}

// Some SSO implementations (Okta) require a call to
// the OIDC user info path to get attributes like groups
if s.userInfoPath != "" {
groups, err = c.GetUserInfoGroups(oauth2Token.AccessToken, s.issuer, s.userInfoPath)
if err != nil {
log.WithError(err).Errorf("failed to get groups claim from the given userInfoPath(%s)", s.userInfoPath)
w.WriteHeader(401)
return
}
}

argoClaims := &types.Claims{
Claims: jwt.Claims{
Issuer: issuer,
Expand All @@ -291,9 +294,9 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
PreferredUsername: c.PreferredUsername,
ServiceAccountNamespace: c.ServiceAccountNamespace,
}

raw, err := jwt.Encrypted(s.encrypter).Claims(argoClaims).CompactSerialize()
if err != nil {
log.WithError(err).Errorf("failed to encrypt and serialize the jwt token")
w.WriteHeader(401)
return
}
Expand Down