Merge pull request #2 from segmentio/SEC-757-okta-refresh

Sec 757 okta refresh

Author: John Boggs

.gitignore

@@ -29,3 +29,5 @@ _testmain.go
 
 # Editor swap/temp files
 .*.swp
+
+local

README.md

@@ -37,6 +37,7 @@ Valid providers are :
 * [GitHub](#github-auth-provider)
 * [GitLab](#gitlab-auth-provider)
 * [LinkedIn](#linkedin-auth-provider)
+* [Okta](#okta-auth-provider)
 
 The provider can be selected using the `provider` configuration value.
 
@@ -155,6 +156,10 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
     -cookie-secure=false
     -email-domain example.com
 
+### Okta Auth Provider
+
+[Okta](https://www.okta.com/) is a hosted SSO provider. You will need to set the `okta-domain` to your organization's Okta domain.
+
 ## Email Authentication
 
 To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`.

main.go

@@ -49,6 +49,7 @@ func main() {
 	flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")
 	flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
 	flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
+	flagSet.String("okta-domain", "", "the full domain for which your organization's okta is configured (example.okta.com)")
 	flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
 	flagSet.String("client-secret", "", "the OAuth Client Secret")
 	flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")

oauthproxy.go

@@ -427,9 +427,16 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 
 	redirect = req.Form.Get("rd")
 	if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
-		redirect = "/"
+		redirect = req.URL.RequestURI()
+	}
+
+	if req.Header.Get("X-Auth-Request-Redirect") != "" {
+		redirect = req.Header.Get("X-Auth-Request-Redirect")
 	}
 
+	if redirect == p.SignInPath || redirect == p.OAuthStartPath {
+		redirect = "/"
+	}
 	return
 }
 

options.go

@@ -37,6 +37,7 @@ type Options struct {
 	GoogleGroups             []string `flag:"google-group" cfg:"google_group"`
 	GoogleAdminEmail         string   `flag:"google-admin-email" cfg:"google_admin_email"`
 	GoogleServiceAccountJSON string   `flag:"google-service-account-json" cfg:"google_service_account_json"`
+	OktaDomain               string   `flag:"okta-domain" cfg:"okta_domain"`
 	HtpasswdFile             string   `flag:"htpasswd-file" cfg:"htpasswd_file"`
 	DisplayHtpasswdForm      bool     `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
 	CustomTemplatesDir       string   `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
@@ -278,6 +279,8 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 		} else {
 			p.Verifier = o.oidcVerifier
 		}
+	case *providers.OktaProvider:
+		p.SetOktaDomain(o.OktaDomain)
 	}
 	return msgs
 }

providers/okta.go

@@ -0,0 +1,229 @@
+package providers
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/bitly/oauth2_proxy/api"
+)
+
+type OktaProvider struct {
+	*ProviderData
+}
+
+func NewOktaProvider(p *ProviderData) *OktaProvider {
+	p.ProviderName = "Okta"
+	if p.Scope == "" {
+		p.Scope = "openid profile email offline_access"
+	}
+	return &OktaProvider{ProviderData: p}
+}
+
+func (p *OktaProvider) SetOktaDomain(domain string) {
+	if p.LoginURL == nil || p.LoginURL.String() == "" {
+		p.LoginURL = &url.URL{
+			Scheme: "https",
+			Host:   domain,
+			Path:   "/oauth2/v1/authorize",
+		}
+	}
+	if p.RedeemURL == nil || p.RedeemURL.String() == "" {
+		p.RedeemURL = &url.URL{
+			Scheme: "https",
+			Host:   domain,
+			Path:   "/oauth2/v1/token",
+		}
+	}
+	if p.ValidateURL == nil || p.ValidateURL.String() == "" {
+		p.ValidateURL = &url.URL{
+			Scheme: "https",
+			Host:   domain,
+			Path:   "/oauth2/v1/userinfo",
+		}
+	}
+
+}
+
+func getOktaHeader(access_token string) http.Header {
+	header := make(http.Header)
+	header.Set("Authorization", fmt.Sprintf("Bearer %s", access_token))
+	return header
+}
+
+func emailFromOktaIdToken(idToken string) (string, error) {
+
+	// id_token is a base64 encode ID token payload
+	// https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo
+	jwt := strings.Split(idToken, ".")
+	b, err := base64.RawURLEncoding.DecodeString(jwt[1])
+	if err != nil {
+		return "", err
+	}
+
+	var email struct {
+		Email string `json:"email"`
+	}
+	err = json.Unmarshal(b, &email)
+	if err != nil {
+		return "", err
+	}
+	if email.Email == "" {
+		return "", errors.New("Okta ID token missing email")
+	}
+
+	return email.Email, nil
+}
+
+func (p *OktaProvider) GetUserName(s *SessionState) (string, error) {
+	req, err := http.NewRequest("GET",
+		p.ValidateURL.String(), nil)
+	if err != nil {
+		log.Printf("failed building request %s", err)
+		return "", err
+	}
+	req.Header = getOktaHeader(s.AccessToken)
+	json, err := api.Request(req)
+	if err != nil {
+		log.Printf("failed making request %s", err)
+		return "", err
+	}
+	return json.Get("preferred_username").String()
+}
+
+func (p *OktaProvider) ValidateSessionState(s *SessionState) bool {
+	return validateToken(p, s.AccessToken, getOktaHeader(s.AccessToken))
+}
+
+func (p *OktaProvider) Redeem(redirectURL, code string) (s *SessionState, err error) {
+	if code == "" {
+		err = errors.New("missing code")
+		return
+	}
+
+	params := url.Values{}
+	params.Add("redirect_uri", redirectURL)
+	params.Add("client_id", p.ClientID)
+	params.Add("client_secret", p.ClientSecret)
+	params.Add("code", code)
+	params.Add("grant_type", "authorization_code")
+	var req *http.Request
+	req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
+	if err != nil {
+		return
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return
+	}
+	var body []byte
+	body, err = ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return
+	}
+
+	if resp.StatusCode != 200 {
+		err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)
+		return
+	}
+
+	var jsonResponse struct {
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+		ExpiresIn    int64  `json:"expires_in"`
+		IdToken      string `json:"id_token"`
+	}
+	err = json.Unmarshal(body, &jsonResponse)
+	if err != nil {
+		return
+	}
+	var email string
+	email, err = emailFromOktaIdToken(jsonResponse.IdToken)
+
+	if err != nil {
+		return
+	}
+	s = &SessionState{
+		AccessToken:  jsonResponse.AccessToken,
+		ExpiresOn:    time.Now().Add(time.Duration(jsonResponse.ExpiresIn) * time.Second).Truncate(time.Second),
+		RefreshToken: jsonResponse.RefreshToken,
+		Email:        email,
+	}
+	return
+}
+
+func (p *OktaProvider) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
+	//@todo: Remove from here before accepting PR. This is for local testing
+	if s == nil || s.ExpiresOn.After(time.Now()) || s.RefreshToken == "" {
+		return false, nil
+	}
+
+	newToken, duration, err := p.redeemRefreshToken(s.RefreshToken)
+	if err != nil {
+		return false, err
+	}
+
+	// re-check that the user is in the proper google group(s)
+	if !p.ValidateGroup(s.Email) {
+		return false, fmt.Errorf("%s is no longer in the group(s)", s.Email)
+	}
+
+	origExpiration := s.ExpiresOn
+	s.AccessToken = newToken
+	s.ExpiresOn = time.Now().Add(duration).Truncate(time.Second)
+	log.Printf("refreshed access token %s (expired on %s)", s, origExpiration)
+	return true, nil
+}
+
+func (p *OktaProvider) redeemRefreshToken(refreshToken string) (token string, expires time.Duration, err error) {
+	params := url.Values{}
+	params.Add("client_id", p.ClientID)
+	params.Add("client_secret", p.ClientSecret)
+	params.Add("refresh_token", refreshToken)
+	params.Add("grant_type", "refresh_token")
+	var req *http.Request
+	req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
+	if err != nil {
+		return
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return
+	}
+	var body []byte
+	body, err = ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return
+	}
+
+	if resp.StatusCode != 200 {
+		err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)
+		return
+	}
+
+	var data struct {
+		AccessToken string `json:"access_token"`
+		ExpiresIn   int64  `json:"expires_in"`
+	}
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		return
+	}
+	token = data.AccessToken
+	expires = time.Duration(data.ExpiresIn) * time.Second
+	return
+}