Merge pull request #165 from travisghansen/next

travisghansen · Jan 23, 2023 · 10c5acc · 10c5acc
2 parents f0ed0ef + 6f72df6
commit 10c5acc
Show file tree

Hide file tree

Showing 16 changed files with 1,126 additions and 914 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,20 @@
+# 0.13.0
+
+Released 2023-01-22
+
+- support additional `oauth` / `oidc` flows
+  - newly available callback endpoint `/oauth/callback-ua-client-code` which
+    retrieves the tokens via the browser instead of `eas` facilitating scenarios
+    where `eas` cannot directly communicate with `op`
+- support `pkce` with `oauth` / `oidc`
+- support `nonce` with `oidc`
+- use server-side storage of `oauth` / `oidc` `state` data
+- support `yaml` parsing in addition to `json` parsing in several locations
+- introduce env var `EAS_ALLOW_PLAIN_SERVER_SIDE_TOKENS` to facilitate
+  server-side `config_tokens` being stored as simple json/yaml
+- support `encoding` value of injected headers (plain (default), or base64)
+- bump deps
+
 # 0.12.5
 
 Released 2023-01-04

diff --git a/HEADERS.md b/HEADERS.md
@@ -41,6 +41,7 @@ as tokens etc may not exist.
             source: "userinfo",// userinfo, id_token, access_token, refresh_token, static, config_token, plugin_config, req, parentRequestInfo
             query_engine: "jp",
             query: "$.emails[*].email", // if left blank the data will be passed unaltered (ie: jwt encoded data)
+            encoding: "plain", // may be set to base64
 
             query_engine: "jp",
             query: "$.login",

diff --git a/PLUGINS.md b/PLUGINS.md
@@ -326,16 +326,34 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
 ```
 {
     type: "oauth2",
+    
     issuer: {
         authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
         token_endpoint: 'https://www.googleapis.com/oauth2/v4/token',
     },
+
     client: {
         client_id: "...",
         client_secret: "..."
     },
+
+    // generally this should be unset and the provider default utilized (for authorization_code flow this is generally query)
+    // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseTypesAndModes
+    //response_mode: , // query or fragment
+
+    // generally this should be unset and the default utilized
+    // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseTypesAndModes
+    //response_types: ["code"],
+
     scopes: [],
 
+    // pkce settings
+    // https://oauth.net/2/pkce/
+    pkce: {
+      enabled: false,
+      code_challenge_method: 'S256' // can also be 'plain'
+    },
+
     // custom authorization URL parameters
     // values can be handlebars syntax with access to `req` and `parentReqInfo` objects (see examples/parent_request_info.json)
     // NOTE: all critical fields are managed automatically, this should only be used in advanced scenarios
@@ -550,8 +568,33 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         //registration_client_uri: "",
         //registration_access_token: "",
     },
+
+    // generally this should be unset and the provider default utilized (for authorization_code flow this is generally query)
+    // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseTypesAndModes
+    //response_mode: , // query or fragment
+
+    // generally this should be unset and the default utilized
+    // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseTypesAndModes
+    //response_types: ["code"],
+
     scopes: ["openid", "email", "profile"], // must include openid
 
+    // pkce settings
+    // https://oauth.net/2/pkce/
+    pkce: {
+      enabled: false,
+      code_challenge_method: 'S256' // can also be 'plain'
+    },
+
+    // nonce settings
+    // https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+    nonce: {
+      enabled: false,
+      // how long eas should retain nonce data
+      // note the nonce data is removed as quickly as possible during normal operation
+      ttl: 600
+    },
+
     // custom authorization URL parameters
     // values can be handlebars syntax with access to `req` and `parentReqInfo` objects (see examples/parent_request_info.json)
     // NOTE: all critical fields are managed automatically, this should only be used in advanced scenarios
@@ -579,6 +622,32 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
     * if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
     */
     redirect_uri: "https://eas.example.com/oauth/callback",
+
+    /**
+    *
+    * https://github.com/travisghansen/external-auth-server/issues/158
+    *
+    * the /oauth/callback-ua-client-code endpoint will cause the browser/user-agent to directly exchange the code for token(s) instead of eas
+    * generally this highly unecessary, but can be used in scenarios where the brower/user-agent can communicate with both eas and op,
+    * but eas cannot directly access op
+    *
+    * in order to use this flow:
+    * - pkce enabled
+    * - nonce enabled
+    * - disable refresh_access_token
+    * - disable introspect_access_token
+    * - highly recommended to enable the sig(nature) assertion (otherwise session/token data can be spoofed)
+    * - if indeed eas cannot reach op, you will need to manually define the issuer endpoints instead of discovery url
+    *
+    * The general flow is:
+    * - eas directs the browser to op
+    * - after successful auth browser is redirected to /oauth/callback-ua-client-code
+    * - browser uses code in exchange for tokens and submits tokens to eas (using pure javascript)
+    * - browser is redirected to eas to continue remaining auth process
+    *
+    */
+    //redirect_uri: "https://eas.example.com/oauth/callback-ua-client-code",
+    
     features: {
         /**
         * how to expire the cookie
@@ -690,6 +759,11 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         },
     },
     assertions: {
+        /**
+        * assert the token(s) has the appropriate aud (client_id)
+        */
+        aud: true,
+
         /**
         * assert the token(s) has not expired
         */
@@ -705,6 +779,16 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         */
         iss: true,
 
+        /**
+        * assert the token(s) has a valid signature
+        * usually only needed when using the /oauth/callback-ua-client-code redirect_uri with browser code exchange
+        */
+        sig: {
+          enabled: false,
+          // defaults to issuer jwks endpoint, can be jwks response data or plain shared key/public key
+          // secret:
+        },
+
         /**
         * custom userinfo assertions
         */

diff --git a/README.md b/README.md
@@ -235,6 +235,10 @@ set the `config_token` `redirect_uri` to the `eas` service at the
 - `EAS_GRPC_PORT` port the grpc server is bound to (default is `50051`)
 - `EAS_GRPC_SSL_CERT` path to ssl cert file to enable https
 - `EAS_GRPC_SSL_KEY` path to ssl key file to enable https
+- `EAS_ALLOW_EVAL` allow for potentially unsafe execution of untrusted code
+  (enables `request_js` and `js` query engine)
+- `EAS_ALLOW_PLAIN_SERVER_SIDE_TOKENS` allows server-side token to be
+  unsigned (ie: store plain json/yaml in the store(s))
 
 ## redis