cherry-pick OIDC changes from gitea (#4724)

These are the three conflicted changes from #4716:

* https://github.com/go-gitea/gitea/pull/31632
* https://github.com/go-gitea/gitea/pull/31688
* https://github.com/go-gitea/gitea/pull/31706

cc @earl-warren; as per discussion on https://github.com/go-gitea/gitea/pull/31632 this involves a small compatibility break (OIDC introspection requests now require a valid client ID and secret, instead of a valid OIDC token)

## Checklist

The [developer guide](https://forgejo.org/docs/next/developer/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

<!--start release-notes-assistant-->

## Draft release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Breaking features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4724): <!--number 4724 --><!--line 0 --><!--description T0lEQyBpbnRlZ3JhdGlvbnMgdGhhdCBQT1NUIHRvIGAvbG9naW4vb2F1dGgvaW50cm9zcGVjdGAgd2l0aG91dCBzZW5kaW5nIEhUVFAgYmFzaWMgYXV0aGVudGljYXRpb24gd2lsbCBub3cgZmFpbCB3aXRoIGEgNDAxIEhUVFAgVW5hdXRob3JpemVkIGVycm9yLiBUbyBmaXggdGhlIGVycm9yLCB0aGUgY2xpZW50IG11c3QgYmVnaW4gc2VuZGluZyBIVFRQIGJhc2ljIGF1dGhlbnRpY2F0aW9uIHdpdGggYSB2YWxpZCBjbGllbnQgSUQgYW5kIHNlY3JldC4gVGhpcyBlbmRwb2ludCB3YXMgcHJldmlvdXNseSBhdXRoZW50aWNhdGVkIHZpYSB0aGUgaW50cm9zcGVjdGlvbiB0b2tlbiBpdHNlbGYsIHdoaWNoIGlzIGxlc3Mgc2VjdXJlLg==-->OIDC integrations that POST to `/login/oauth/introspect` without sending HTTP basic authentication will now fail with a 401 HTTP Unauthorized error. To fix the error, the client must begin sending HTTP basic authentication with a valid client ID and secret. This endpoint was previously authenticated via the introspection token itself, which is less secure.<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4724
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Co-committed-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
This commit is contained in:
Shivaram Lingamneni 2024-08-08 06:32:14 +00:00 committed by Earl Warren
parent 633406704c
commit 878c236f49
5 changed files with 107 additions and 25 deletions

View file

@ -48,13 +48,10 @@ func BasicAuthDecode(encoded string) (string, string, error) {
return "", "", err return "", "", err
} }
auth := strings.SplitN(string(s), ":", 2) if username, password, ok := strings.Cut(string(s), ":"); ok {
return username, password, nil
if len(auth) != 2 {
return "", "", errors.New("invalid basic authentication")
} }
return "", "", errors.New("invalid basic authentication")
return auth[0], auth[1], nil
} }
// VerifyTimeLimitCode verify time limit code // VerifyTimeLimitCode verify time limit code

View file

@ -41,6 +41,9 @@ func TestBasicAuthDecode(t *testing.T) {
_, _, err = BasicAuthDecode("invalid") _, _, err = BasicAuthDecode("invalid")
require.Error(t, err) require.Error(t, err)
_, _, err = BasicAuthDecode("YWxpY2U=") // "alice", no colon
require.Error(t, err)
} }
func TestVerifyTimeLimitCode(t *testing.T) { func TestVerifyTimeLimitCode(t *testing.T) {

1
release-notes/4724.md Normal file
View file

@ -0,0 +1 @@
OIDC integrations that POST to `/login/oauth/introspect` without sending HTTP basic authentication will now fail with a 401 HTTP Unauthorized error. To fix the error, the client must begin sending HTTP basic authentication with a valid client ID and secret. This endpoint was previously authenticated via the introspection token itself, which is less secure.

View file

@ -332,17 +332,37 @@ func getOAuthGroupsForUser(ctx go_context.Context, user *user_model.User) ([]str
return groups, nil return groups, nil
} }
func parseBasicAuth(ctx *context.Context) (username, password string, err error) {
authHeader := ctx.Req.Header.Get("Authorization")
if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") {
return base.BasicAuthDecode(authData)
}
return "", "", errors.New("invalid basic authentication")
}
// IntrospectOAuth introspects an oauth token // IntrospectOAuth introspects an oauth token
func IntrospectOAuth(ctx *context.Context) { func IntrospectOAuth(ctx *context.Context) {
if ctx.Doer == nil { clientIDValid := false
ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`) if clientID, clientSecret, err := parseBasicAuth(ctx); err == nil {
app, err := auth.GetOAuth2ApplicationByClientID(ctx, clientID)
if err != nil && !auth.IsErrOauthClientIDInvalid(err) {
// this is likely a database error; log it and respond without details
log.Error("Error retrieving client_id: %v", err)
ctx.Error(http.StatusInternalServerError)
return
}
clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret))
}
if !clientIDValid {
ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm=""`)
ctx.PlainText(http.StatusUnauthorized, "no valid authorization") ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
return return
} }
var response struct { var response struct {
Active bool `json:"active"` Active bool `json:"active"`
Scope string `json:"scope,omitempty"` Scope string `json:"scope,omitempty"`
Username string `json:"username,omitempty"`
jwt.RegisteredClaims jwt.RegisteredClaims
} }
@ -359,6 +379,9 @@ func IntrospectOAuth(ctx *context.Context) {
response.Audience = []string{app.ClientID} response.Audience = []string{app.ClientID}
response.Subject = fmt.Sprint(grant.UserID) response.Subject = fmt.Sprint(grant.UserID)
} }
if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil {
response.Username = user.Name
}
} }
} }
@ -645,9 +668,8 @@ func AccessTokenOAuth(ctx *context.Context) {
// if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header // if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header
if form.ClientID == "" || form.ClientSecret == "" { if form.ClientID == "" || form.ClientSecret == "" {
authHeader := ctx.Req.Header.Get("Authorization") authHeader := ctx.Req.Header.Get("Authorization")
authContent := strings.SplitN(authHeader, " ", 2) if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") {
if len(authContent) == 2 && authContent[0] == "Basic" { clientID, clientSecret, err := base.BasicAuthDecode(authData)
payload, err := base64.StdEncoding.DecodeString(authContent[1])
if err != nil { if err != nil {
handleAccessTokenError(ctx, AccessTokenError{ handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest, ErrorCode: AccessTokenErrorCodeInvalidRequest,
@ -655,30 +677,23 @@ func AccessTokenOAuth(ctx *context.Context) {
}) })
return return
} }
pair := strings.SplitN(string(payload), ":", 2) // validate that any fields present in the form match the Basic auth header
if len(pair) != 2 { if form.ClientID != "" && form.ClientID != clientID {
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "cannot parse basic auth header",
})
return
}
if form.ClientID != "" && form.ClientID != pair[0] {
handleAccessTokenError(ctx, AccessTokenError{ handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest, ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "client_id in request body inconsistent with Authorization header", ErrorDescription: "client_id in request body inconsistent with Authorization header",
}) })
return return
} }
form.ClientID = pair[0] form.ClientID = clientID
if form.ClientSecret != "" && form.ClientSecret != pair[1] { if form.ClientSecret != "" && form.ClientSecret != clientSecret {
handleAccessTokenError(ctx, AccessTokenError{ handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest, ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "client_secret in request body inconsistent with Authorization header", ErrorDescription: "client_secret in request body inconsistent with Authorization header",
}) })
return return
} }
form.ClientSecret = pair[1] form.ClientSecret = clientSecret
} }
} }

View file

@ -733,3 +733,69 @@ func TestOAuth_GrantApplicationOAuth(t *testing.T) {
resp = ctx.MakeRequest(t, req, http.StatusSeeOther) resp = ctx.MakeRequest(t, req, http.StatusSeeOther)
assert.Contains(t, test.RedirectURL(resp), "error=access_denied&error_description=the+request+is+denied") assert.Contains(t, test.RedirectURL(resp), "error=access_denied&error_description=the+request+is+denied")
} }
func TestOAuthIntrospection(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": "authcode",
"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
})
resp := MakeRequest(t, req, http.StatusOK)
type response struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token"`
}
parsed := new(response)
DecodeJSON(t, resp, parsed)
assert.Greater(t, len(parsed.AccessToken), 10)
assert.Greater(t, len(parsed.RefreshToken), 10)
type introspectResponse struct {
Active bool `json:"active"`
Scope string `json:"scope,omitempty"`
Username string `json:"username"`
}
// successful request with a valid client_id/client_secret and a valid token
t.Run("successful request with valid token", func(t *testing.T) {
req := NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
"token": parsed.AccessToken,
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp := MakeRequest(t, req, http.StatusOK)
introspectParsed := new(introspectResponse)
DecodeJSON(t, resp, introspectParsed)
assert.True(t, introspectParsed.Active)
assert.Equal(t, "user1", introspectParsed.Username)
})
// successful request with a valid client_id/client_secret, but an invalid token
t.Run("successful request with invalid token", func(t *testing.T) {
req := NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
"token": "xyzzy",
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp := MakeRequest(t, req, http.StatusOK)
introspectParsed := new(introspectResponse)
DecodeJSON(t, resp, introspectParsed)
assert.False(t, introspectParsed.Active)
})
// unsuccessful request with an invalid client_id/client_secret
t.Run("unsuccessful request due to invalid basic auth", func(t *testing.T) {
req := NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
"token": parsed.AccessToken,
})
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpK")
resp := MakeRequest(t, req, http.StatusUnauthorized)
assert.Contains(t, resp.Body.String(), "no valid authorization")
})
}