165 lines
5.0 KiB
Go
165 lines
5.0 KiB
Go
package provider
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
"github.com/supabase/auth/internal/conf"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
const IssuerAzureCommon = "https://login.microsoftonline.com/common/v2.0"
|
|
const IssuerAzureOrganizations = "https://login.microsoftonline.com/organizations/v2.0"
|
|
|
|
// IssuerAzureMicrosoft is the OIDC issuer for microsoft.com accounts:
|
|
// https://learn.microsoft.com/en-us/azure/active-directory/develop/id-token-claims-reference#payload-claims
|
|
const IssuerAzureMicrosoft = "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"
|
|
|
|
const (
|
|
defaultAzureAuthBase = "login.microsoftonline.com/common"
|
|
)
|
|
|
|
type azureProvider struct {
|
|
*oauth2.Config
|
|
|
|
// ExpectedIssuer contains the OIDC issuer that should be expected when
|
|
// the authorize flow completes. For example, when using the "common"
|
|
// endpoint the authorization flow will end with an ID token that
|
|
// contains any issuer. In this case, ExpectedIssuer is an empty
|
|
// string, because any issuer is allowed. But if a developer sets up a
|
|
// tenant-specific authorization endpoint, then we must ensure that the
|
|
// ID token received is issued by that specific issuer, and so
|
|
// ExpectedIssuer contains the issuer URL of that tenant.
|
|
ExpectedIssuer string
|
|
}
|
|
|
|
var azureIssuerRegexp = regexp.MustCompile("^https://login[.]microsoftonline[.]com/([^/]+)/v2[.]0/?$")
|
|
var azureCIAMIssuerRegexp = regexp.MustCompile("^https://[a-z0-9-]+[.]ciamlogin[.]com/([^/]+)/v2[.]0/?$")
|
|
|
|
func IsAzureIssuer(issuer string) bool {
|
|
return azureIssuerRegexp.MatchString(issuer)
|
|
}
|
|
|
|
func IsAzureCIAMIssuer(issuer string) bool {
|
|
return azureCIAMIssuerRegexp.MatchString(issuer)
|
|
}
|
|
|
|
// NewAzureProvider creates a Azure account provider.
|
|
func NewAzureProvider(ext conf.OAuthProviderConfiguration, scopes string) (OAuthProvider, error) {
|
|
if err := ext.ValidateOAuth(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
oauthScopes := []string{"openid"}
|
|
|
|
if scopes != "" {
|
|
oauthScopes = append(oauthScopes, strings.Split(scopes, ",")...)
|
|
}
|
|
|
|
authHost := chooseHost(ext.URL, defaultAzureAuthBase)
|
|
expectedIssuer := ""
|
|
|
|
if ext.URL != "" {
|
|
expectedIssuer = authHost + "/v2.0"
|
|
|
|
if !IsAzureIssuer(expectedIssuer) || !IsAzureCIAMIssuer(expectedIssuer) || expectedIssuer == IssuerAzureCommon || expectedIssuer == IssuerAzureOrganizations {
|
|
// in tests, the URL is a local server which should not
|
|
// be the expected issuer
|
|
// also, IssuerAzure (common) never actually issues any
|
|
// ID tokens so it needs to be ignored
|
|
expectedIssuer = ""
|
|
}
|
|
}
|
|
|
|
return &azureProvider{
|
|
Config: &oauth2.Config{
|
|
ClientID: ext.ClientID[0],
|
|
ClientSecret: ext.Secret,
|
|
Endpoint: oauth2.Endpoint{
|
|
AuthURL: authHost + "/oauth2/v2.0/authorize",
|
|
TokenURL: authHost + "/oauth2/v2.0/token",
|
|
},
|
|
RedirectURL: ext.RedirectURI,
|
|
Scopes: oauthScopes,
|
|
},
|
|
ExpectedIssuer: expectedIssuer,
|
|
}, nil
|
|
}
|
|
|
|
func (g azureProvider) GetOAuthToken(code string) (*oauth2.Token, error) {
|
|
return g.Exchange(context.Background(), code)
|
|
}
|
|
|
|
func DetectAzureIDTokenIssuer(ctx context.Context, idToken string) (string, error) {
|
|
var payload struct {
|
|
Issuer string `json:"iss"`
|
|
}
|
|
|
|
parts := strings.Split(idToken, ".")
|
|
if len(parts) != 3 {
|
|
return "", fmt.Errorf("azure: invalid ID token")
|
|
}
|
|
|
|
payloadBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
|
|
if err != nil {
|
|
return "", fmt.Errorf("azure: invalid ID token %w", err)
|
|
}
|
|
|
|
if err := json.Unmarshal(payloadBytes, &payload); err != nil {
|
|
return "", fmt.Errorf("azure: invalid ID token %w", err)
|
|
}
|
|
|
|
return payload.Issuer, nil
|
|
}
|
|
|
|
func (g azureProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*UserProvidedData, error) {
|
|
idToken := tok.Extra("id_token")
|
|
|
|
if idToken != nil {
|
|
issuer, err := DetectAzureIDTokenIssuer(ctx, idToken.(string))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Allow basic Azure issuers, except when the expected issuer
|
|
// is configured to be the Azure CIAM issuer, allow CIAM
|
|
// issuers to pass.
|
|
if !IsAzureIssuer(issuer) && (IsAzureCIAMIssuer(g.ExpectedIssuer) && !IsAzureCIAMIssuer(issuer)) {
|
|
return nil, fmt.Errorf("azure: ID token issuer not valid %q", issuer)
|
|
}
|
|
|
|
if g.ExpectedIssuer != "" && issuer != g.ExpectedIssuer {
|
|
// Since ExpectedIssuer was set, then the developer had
|
|
// setup GoTrue to use the tenant-specific
|
|
// authorization endpoint, which in-turn means that
|
|
// only those tenant's ID tokens will be accepted.
|
|
return nil, fmt.Errorf("azure: ID token issuer %q does not match expected issuer %q", issuer, g.ExpectedIssuer)
|
|
}
|
|
|
|
provider, err := oidc.NewProvider(ctx, issuer)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
_, data, err := ParseIDToken(ctx, provider, &oidc.Config{
|
|
ClientID: g.ClientID,
|
|
}, idToken.(string), ParseIDTokenOptions{
|
|
AccessToken: tok.AccessToken,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return data, nil
|
|
}
|
|
|
|
// Only ID tokens supported, UserInfo endpoint has a history of being less secure.
|
|
|
|
return nil, fmt.Errorf("azure: no OIDC ID token present in response")
|
|
}
|