Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial ADFS support #68

Merged
merged 4 commits into from
Feb 14, 2019
Merged

Conversation

simongottschlag
Copy link
Contributor

Seems to be working just fine, but should most likely be looked over since I know nothing about Golang.

@simongottschlag simongottschlag changed the title Adfs get username Initial ADFS support Feb 6, 2019
@bnfinet
Copy link
Member

bnfinet commented Feb 6, 2019

I very much appreciate the effort and I'm excited to get ADFS support in place.

As I think you suspect, we need to clean up your code and bring it a bit closer to doing things a bit more Go like.

I suggest taking a look at Marshall/Unmarshall in viper and see how mapstructure is used
https://stackoverflow.com/questions/10858787/what-are-the-uses-for-tags-in-go

Did you see any of the Azure AD items in the upstream library?
golang/oauth2#112
Is it possible that one of those implementations would work?

I'll look a bit closer at what you've offered over the next couple days and offer thoughts

Thanks again Simon!

@simongottschlag
Copy link
Contributor Author

Hi!

I really hope the code is corrected and cleaned before it’s included in the project. My hope is that you get the necessary information about the ADFS-integration and will be able to get it included without too much hassle. I’ll help with the testing!

I’m only doing this for a project that really needs it ASAP and your integration with nginx makes it so much easier than the others I’ve tried. But I’m no developer (got help from a co-worker, but none of us have ever used Golang) and have no illusions about that what I’ve written is bad.

I do know ADFS, OIDC, nginx, Kubernetes and everything around that so I’ll try to contribute with what I can. 😁👍

ADFS and Azure AD have some differences, so this will probably not work with AAD. I haven’t tried it, but the OIDC type will most likely work. AAD is much easier to test than ADFS, so if you want it included I’ll set it up and test it (maybe even create another bad PR 😉).

By the way, three questions:

  1. Why are converting the tokens we get from the providers instead of using the original ones? If we used the originals we shouldn’t have a requirement for a db (?) and just explicitly trust that the provider knows what it is doing.
  2. What are your thoughts on using implicit (response_type=id_token) instead of authorization code flow? This would remove the requirement for a client secret.
  3. I read comments in the code about the size of the token couch creates. Have you done any measurements regarding performance compared to the size of the token? Anything you can share?

As a last note, I’m the one who should say thanks. This project is great and I think it will have potential to be the go-to project instead of others to secure resources in the future.

Thanks! 😁

bnfinet added a commit that referenced this pull request Feb 8, 2019
@bnfinet
Copy link
Member

bnfinet commented Feb 8, 2019

@simongottschlag can you please try this branch and see if it works?
https://github.com/vouch/vouch-proxy/tree/simongottschlag-adfs_get_username

@bnfinet bnfinet mentioned this pull request Feb 8, 2019
@simongottschlag
Copy link
Contributor Author

@bnfinet I think I've really messed up with doing two PRs. Can we close this one and only use #71? I've tried to do some magic but seems like I'm not able to get it right in this one.

@bnfinet
Copy link
Member

bnfinet commented Feb 8, 2019 via email

@simongottschlag
Copy link
Contributor Author

@bnfinet I've removed the "cookie fix" and added the two sections (I hope) from the other PR.

@simongottschlag
Copy link
Contributor Author

can you please try this branch and see if it works?
https://github.com/vouch/vouch-proxy/tree/simongottschlag-adfs_get_username

@bnfinet Can you merge the last changes I did here to it? After that, I'll be able to test it. I'm using the following right now and it is working as expected (both with ADFS and idToken sent to upstream): https://github.com/simongottschlag/vouch-proxy/tree/v0.4.9-ADFS-03

@bnfinet
Copy link
Member

bnfinet commented Feb 13, 2019

@simongottschlag
Copy link
Contributor Author

Hi,

I branched v0.4.9 and merged your branch with my fork (https://github.com/simongottschlag/vouch-proxy/tree/simongottschlag-adfs_get_username) and created a container in quay.io (quay.io/simongottschlag/vouch-proxy:simongottschlag-adfs_get_username). When using this container, it does seem to work as expected.

See the logs below:

time="2019-02-13T13:24:23Z" level=info msg="configuring ADFS OAuth"
time="2019-02-13T13:24:23Z" level=info msg="configuring adfs OAuth with Endpoint https://adfs.example.com/adfs/oauth2/authorize/"
time="2019-02-13T13:24:23Z" level=info msg="starting Vouch" branch=HEAD buildhost=476ef8871199 buildtime="2019-02-13T13:22:34Z" listen="0.0.0.0:80" semver=v0.4.9-ADFS-03 version=9630d9b
time="2019-02-13T13:24:42Z" level=error msg="no jwt found in request"
time="2019-02-13T13:24:42Z" level=warning msg="domain protected.example.com not found in any domains []"
time="2019-02-13T13:24:42Z" level=info msg="|401|  132.502µs /validate" avgLatency=" 132.502µs" host=protected.example.com ipPort="127.0.0.1:52516" latency=" 132.502µs" method=GET path=/validate referer= request=1 statusCode=401
time="2019-02-13T13:24:42Z" level=warning msg="domain vouch.example.com not found in any domains []"
time="2019-02-13T13:24:42Z" level=info msg="|302| 3.352534ms /login" avgLatency=1.742518ms host=vouch.example.com ipPort="127.0.0.1:52524" latency=3.352534ms method=GET path=/login referer= request=2 statusCode=302
time="2019-02-13T13:24:51Z" level=error msg="code: ***"
time="2019-02-13T13:24:51Z" level=info msg="adfs adfsUser:  {{   0 0 0} *** [email protected]}"
time="2019-02-13T13:24:51Z" level=error msg="no bucket for users"
time="2019-02-13T13:24:51Z" level=warning msg="domain vouch.example.com not found in any domains []"
time="2019-02-13T13:24:51Z" level=info msg="|302| 452.610363ms /auth" avgLatency=152.031799ms host=vouch.example.com ipPort="127.0.0.1:52594" latency=452.610363ms method=GET path=/auth referer="https://adfs.example.com/adfs/oauth2/authorize/?client_id=***&redirect_uri=https%3A%2F%2Fvouch.example.com%2Fauth&response_type=code&scope=openid+email+profile&state=***" request=3 statusCode=302
time="2019-02-13T13:24:52Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:52Z" level=info msg="|200|  208.302µs /validate" avgLatency=114.075925ms host=protected.example.com ipPort="127.0.0.1:52600" latency=" 208.302µs" method=GET path=/validate referer= request=4 statusCode=200
time="2019-02-13T13:24:52Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:52Z" level=info msg="|200|  184.202µs /validate" avgLatency=91.297581ms host=protected.example.com ipPort="127.0.0.1:52608" latency=" 184.202µs" method=GET path=/validate referer="https://protected.example.com/" request=5 statusCode=200
time="2019-02-13T13:24:52Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:52Z" level=info msg="|200|  166.201µs /validate" avgLatency=76.109018ms host=protected.example.com ipPort="127.0.0.1:52606" latency=" 166.201µs" method=GET path=/validate referer="https://protected.example.com/" request=6 statusCode=200
time="2019-02-13T13:24:52Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:52Z" level=info msg="|200|  228.003µs /validate" avgLatency=65.268873ms host=protected.example.com ipPort="127.0.0.1:52604" latency=" 228.003µs" method=GET path=/validate referer="https://protected.example.com/" request=7 statusCode=200
time="2019-02-13T13:24:54Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:54Z" level=info msg="|200|  200.702µs /validate" avgLatency=57.135352ms host=protected.example.com ipPort="127.0.0.1:52628" latency=" 200.702µs" method=GET path=/validate referer="https://protected.example.com/" request=8 statusCode=200
time="2019-02-13T13:24:54Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:54Z" level=info msg="|200|  171.502µs /validate" avgLatency=50.806036ms host=protected.example.com ipPort="127.0.0.1:52630" latency=" 171.502µs" method=GET path=/validate referer="https://protected.example.com/static/css/main.b1dee2a6.css" request=9 statusCode=200
time="2019-02-13T13:24:55Z" level=info msg="jwt cookie" [email protected]
time="2019-02-13T13:24:55Z" level=info msg="|200| 3.725437ms /validate" avgLatency=46.097977ms host=protected.example.com ipPort="127.0.0.1:52634" latency=3.725437ms method=GET path=/validate referer="https://protected.example.com/" request=10 statusCode=200

The version in the logs are corresponding to the commit in GitHub (9630d9b).

I think this is working. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants