Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Made uid/gid claims parsing more robust in OIDC auth provider #2759

Merged
merged 2 commits into from
Apr 21, 2022
Merged

Made uid/gid claims parsing more robust in OIDC auth provider #2759

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0642bd6
Made uid, gid parsing more robust in OIDC auth provider
glpatcern Apr 20, 2022
957927c
Do not fail when uid/gid are missing
glpatcern Apr 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions changelog/unreleased/oidc-fix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Bugfix: made uid, gid claims parsing more robust in OIDC auth provider

This fix makes sure the uid and gid claims are defined at init time and that
a proper error is returned in case they would be missing or invalid (i.e. not int64)
when authenticating users.

https://github.com/cs3org/reva/pull/2759
36 changes: 20 additions & 16 deletions pkg/auth/manager/oidc/oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,12 @@ func (c *config) init() {
if c.GroupClaim == "" {
c.GroupClaim = "groups"
}
if c.UIDClaim == "" {
c.UIDClaim = "uid"
}
if c.GIDClaim == "" {
c.GIDClaim = "gid"
}

c.GatewaySvc = sharedconf.GetGatewaySVC(c.GatewaySvc)
}
Expand Down Expand Up @@ -192,6 +198,16 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
if claims["email"] == nil {
return nil, nil, fmt.Errorf("no \"email\" attribute found in userinfo: maybe the client did not request the oidc \"email\"-scope")
}
if uid, ok := claims[am.c.UIDClaim].(float64); ok {
claims[am.c.UIDClaim] = int64(uid)
} else {
return nil, nil, fmt.Errorf("malformed or missing uid claim in userinfo: '%v'", claims[am.c.UIDClaim])
glpatcern marked this conversation as resolved.
Show resolved Hide resolved
}
if gid, ok := claims[am.c.GIDClaim].(float64); ok {
claims[am.c.GIDClaim] = int64(gid)
} else {
return nil, nil, fmt.Errorf("malformed or missing gid claim in userinfo: '%v'", claims[am.c.GIDClaim])
}

err = am.resolveUser(ctx, claims)
if err != nil {
Expand All @@ -218,23 +234,15 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
return nil, nil, status.NewErrorFromCode(getGroupsResp.Status.Code, "oidc")
}

var uid, gid int64
if am.c.UIDClaim != "" {
uid, _ = claims[am.c.UIDClaim].(int64)
}
if am.c.GIDClaim != "" {
gid, _ = claims[am.c.GIDClaim].(int64)
}

u := &user.User{
Id: userID,
Username: claims["preferred_username"].(string),
Groups: getGroupsResp.Groups,
Mail: claims["email"].(string),
MailVerified: claims["email_verified"].(bool),
DisplayName: claims["name"].(string),
UidNumber: uid,
GidNumber: gid,
UidNumber: claims[am.c.UIDClaim].(int64),
GidNumber: claims[am.c.GIDClaim].(int64),
}

var scopes map[string]*authpb.Scope
Expand Down Expand Up @@ -338,12 +346,8 @@ func (am *mgr) resolveUser(ctx context.Context, claims map[string]interface{}) e
claims["preferred_username"] = username
claims[am.c.IDClaim] = getUserByClaimResp.GetUser().GetId().OpaqueId
claims["iss"] = getUserByClaimResp.GetUser().GetId().Idp
if am.c.UIDClaim != "" {
claims[am.c.UIDClaim] = getUserByClaimResp.GetUser().UidNumber
}
if am.c.GIDClaim != "" {
claims[am.c.GIDClaim] = getUserByClaimResp.GetUser().GidNumber
}
claims[am.c.UIDClaim] = getUserByClaimResp.GetUser().UidNumber
claims[am.c.GIDClaim] = getUserByClaimResp.GetUser().GidNumber
appctx.GetLogger(ctx).Debug().Str("username", username).Interface("claims", claims).Msg("resolveUser: claims overridden from mapped user")
}
return nil
Expand Down