Patch to make username accessible from haproxy so it will be available to the logs
This commit is contained in:
parent
79b0cc0818
commit
5c5bda119b
58
files/patch-internal__auth__authenticator_oidc.go
Normal file
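--- /dev/null
+++ b/files/patch-internal__auth__authenticator_oidc.go
@@ -0,0 +1,58 @@
+diff --git internal/auth/authenticator_oidc.go internal/auth/authenticator_oidc.go
+index 88de5a9..c271a9a 100644
+--- internal/auth/authenticator_oidc.go
++++ internal/auth/authenticator_oidc.go
+@@ -72,6 +72,12 @@ type OIDCAuthenticator struct {
+options OIDCAuthenticatorOptions
+}
+
++type Claims struct {
++ Email string `json:"email"`
++ EmailVerified bool `json:"email_verified"`
++ Name string `json:"name"`
++}
++
+// NewOIDCAuthenticator create an instance of an OIDC authenticator
+func NewOIDCAuthenticator(options OIDCAuthenticatorOptions) *OIDCAuthenticator {
+if len(options.SignatureSecret) < 16 {
+@@ -154,14 +160,20 @@ func (oa *OIDCAuthenticator) verifyIDToken(context context.Context, domain strin
+return idToken, nil
+}
+
+-func (oa *OIDCAuthenticator) checkCookie(cookieValue string, domain string) error {
+- idToken, err := oa.encryptor.Decrypt(cookieValue)
++// Returns claims if check OK
++func (oa *OIDCAuthenticator) checkCookie(cookieValue string, domain string) (Claims, error) {
++ var claims Claims
++ idTokenstr, err := oa.encryptor.Decrypt(cookieValue)
+if err != nil {
+- return fmt.Errorf("unable to decrypt session cookie: %v", err)
++ return claims, fmt.Errorf("unable to decrypt session cookie: %v", err)
++ }
++
++ idToken, err := oa.verifyIDToken(context.Background(), domain, idTokenstr)
++ if err := idToken.Claims(&claims); err != nil {
++ return claims, fmt.Errorf("unable to get claims from ID Token: %v", err)
+}
+
+- _, err = oa.verifyIDToken(context.Background(), domain, idToken)
+- return err
++ return claims, err
+}
+
+func extractOAuth2Args(msg *spoe.Message) (bool, string, string, string, error) {
+@@ -268,11 +280,12 @@ func (oa *OIDCAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Actio
+
+// Verify the cookie to make sure the user is authenticated
+if cookieValue != "" {
+- err := oa.checkCookie(cookieValue, extractDomainFromHost(host))
++ claims, err := oa.checkCookie(cookieValue, extractDomainFromHost(host))
+if err != nil {
+return false, nil, err
+} else {
+- return true, nil, nil
++ logrus.Debugf("User %s is authenticated", claims.Name)
++ return true, []spoe.Action{SetAuthenticatedUsernameMessage(claims.Name)}, nil
+}
+}
+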
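Review bot: In the checkCookie hunk the error returned by `oa.verifyIDToken(context.Background(), domain, idTokenstr)` is not checked before `idToken.Claims(&claims)` runs, so a cookie whose token fails verification (expired, bad signature, wrong issuer) reaches Claims on whatever verifyIDToken returned — if its error paths, which lie outside this hunk, return a nil token, that is a nil-pointer panic on an attacker-supplied cookie rather than an error; the inner `if err := ...` also shadows the outer err, so the verification error only surfaces through the final `return claims, err` when Claims happens to succeed. Insert `if err != nil { return claims, err }` directly after the verifyIDToken call and end the function with `return claims, nil`. Authenticate forwards `claims.Name` as the username sent to HAProxy for logging, but `name` is a free-form display name the user can typically change at the identity provider, while `EmailVerified` is decoded and never consulted; for an audit trail the stable identifier is the `sub` claim (or `email` guarded by `email_verified`), so consider adding `Subject string \`json:"sub"\`` to Claims and passing that instead. The comment `// Returns claims if check OK` should follow Go doc style, e.g. `// checkCookie decrypts the session cookie, verifies the embedded ID token and returns its claims.`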