implement multi-oidc client support

.github/resources/hosts

@@ -1,5 +1,5 @@
 127.0.0.1       public.example.com
 127.0.0.1       app1.example.com
 127.0.0.1       app2.example.com
-127.0.0.1       auth.example.com  # Used for the redirect callback ending the OAuth2 transaction
+127.0.0.1       app3.example.com
 127.0.0.1       dex.example.com   # An OIDC server implementation

.github/scripts/build_and_test.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+go run .github/scripts/prepare/main.go
+sleep 20
+
+go test tests/*.go
+result=$?
+
+go run .github/scripts/cleanup/main.go
+exit $result

.github/scripts/cleanup/main.go

@@ -34,7 +34,23 @@ func execute(command string, arg ...string) error {
 }
 
 func cleanup() error {
-	err := execute("docker-compose", "down", "-v")
+	err := execute("docker-compose", "logs", "spoe")
+	if err != nil {
+		return err
+	}
+	err = execute("docker-compose", "logs", "haproxy")
+	if err != nil {
+		return err
+	}
+	err = execute("docker-compose", "logs", "dex")
+	if err != nil {
+		return err
+	}
+	err = execute("docker-compose", "logs", "ldap")
+	if err != nil {
+		return err
+	}
+	err = execute("docker-compose", "down", "-v")
 	if err != nil {
 		return err
 	}

.github/workflows/build_and_test.yml

@@ -20,4 +20,4 @@ jobs:
         chromedriver --url-base=/wd/hub &
         sudo Xvfb -ac :99 -screen 0 1280x1024x24 > /dev/null 2>&1 & # optional
     - run: cat .github/resources/hosts | sudo tee -a /etc/hosts
-    - run: go run .github/scripts/prepare/main.go && sleep 20 && go test tests/*.go && go run .github/scripts/cleanup/main.go
+    - run: .github/scripts/build_and_test.sh

README.md

@@ -17,7 +17,7 @@ Now, add the two following lines to your /etc/hosts to fake the domains:
     127.0.0.1       public.example.com
     127.0.0.1       app1.example.com
     127.0.0.1       app2.example.com
-    127.0.0.1       auth.example.com  # Used for the redirect callback ending the OAuth2 transaction
+    127.0.0.1       app3.example.com
     127.0.0.1       dex.example.com   # An OIDC server implementation
 
 And then run
@@ -39,9 +39,13 @@ Now you can test the following commands
     curl -u "john:badpassword" http://app1.example.com:9080/
 
     # This domain is protected by OpenID Connect. This should redirect you to the authorization server where you can provide the same credentials as above.
-    Visit http://app2.example.com:9080/ in a browser
+    # Visit http://app2.example.com:9080/ or http://app3.example.com:9080/ in a browser. They are two different applications
+    in order to test SSO. Note: Dex seems not to provide this feature though but Okta does for instance.
 
-    # Once authenticated and consent granted, your redirected to app2.
+    # Once authenticated and consent granted, your redirected to the app.
+
+    # One can also visit http://app2.example.com:9080/secret.html or http://app3.example.com:9080/secret.html to verify the
+    user is properly redirected as requested before authentication.
 
 Trying to visit the website protected by LDAP in a browser will display a basic auth form that you should fill
 before being granted the rights to visit the page. With OpenID Connect, you should be redirected to the Dex

cmd/haproxy-spoe-auth/main.go

@@ -41,34 +41,44 @@ func main() {
 
 	logrus.SetLevel(LogLevelFromLogString(viper.GetString("server.log_level")))
 
-	ldapAuthentifier := auth.NewLDAPAuthenticator(auth.LDAPConnectionDetails{
-		Hostname:   viper.GetString("ldap.hostname"),
-		Port:       viper.GetInt("ldap.port"),
-		UserDN:     viper.GetString("ldap.user_dn"),
-		Password:   viper.GetString("ldap.password"),
-		BaseDN:     viper.GetString("ldap.base_dn"),
-		UserFilter: viper.GetString("ldap.user_filter"),
-	})
+	authenticators := map[string]auth.Authenticator{}
 
-	oidcAuthenticator := auth.NewOIDCAuthenticator(auth.OIDCAuthenticatorOptions{
-		OAuth2AuthenticatorOptions: auth.OAuth2AuthenticatorOptions{
-			ClientID:        viper.GetString("oidc.client_id"),
-			ClientSecret:    viper.GetString("oidc.client_secret"),
-			RedirectURL:     viper.GetString("oidc.redirect_url"),
-			CallbackAddr:    viper.GetString("oidc.callback_addr"),
-			CookieName:      viper.GetString("oidc.cookie_name"),
-			CookieDomain:    viper.GetString("oidc.cookie_domain"),
-			CookieSecure:    viper.GetBool("oidc.cookie_secure"),
-			CookieTTL:       viper.GetDuration("oidc.cookie_ttl_seconds") * time.Second,
-			SignatureSecret: viper.GetString("oidc.signature_secret"),
-			Scopes:          viper.GetStringSlice("oidc.scopes"),
-		},
-		ProviderURL:      viper.GetString("oidc.provider_url"),
-		EncryptionSecret: viper.GetString("oidc.encryption_secret"),
-	})
+	if viper.IsSet("ldap") {
+		ldapAuthentifier := auth.NewLDAPAuthenticator(auth.LDAPConnectionDetails{
+			Hostname:   viper.GetString("ldap.hostname"),
+			Port:       viper.GetInt("ldap.port"),
+			UserDN:     viper.GetString("ldap.user_dn"),
+			Password:   viper.GetString("ldap.password"),
+			BaseDN:     viper.GetString("ldap.base_dn"),
+			UserFilter: viper.GetString("ldap.user_filter"),
+		})
+		authenticators["try-auth-ldap"] = ldapAuthentifier
+	}
+
+	if viper.IsSet("oidc") {
+		// TODO: watch the config file to update the list of clients dynamically
+		var clientsConfig map[string]auth.OIDCClientConfig
+		err := viper.UnmarshalKey("oidc.clients", &clientsConfig)
+		if err != nil {
+			logrus.Panic(err)
+		}
+
+		oidcAuthenticator := auth.NewOIDCAuthenticator(auth.OIDCAuthenticatorOptions{
+			OAuth2AuthenticatorOptions: auth.OAuth2AuthenticatorOptions{
+				RedirectCallbackPath: viper.GetString("oidc.oauth2_callback_path"),
+				LogoutPath:           viper.GetString("oidc.oauth2_logout_path"),
+				CallbackAddr:         viper.GetString("oidc.callback_addr"),
+				CookieName:           viper.GetString("oidc.cookie_name"),
+				CookieSecure:         viper.GetBool("oidc.cookie_secure"),
+				CookieTTL:            viper.GetDuration("oidc.cookie_ttl_seconds") * time.Second,
+				SignatureSecret:      viper.GetString("oidc.signature_secret"),
+				ClientsStore:         auth.NewStaticOIDCClientStore(clientsConfig),
+			},
+			ProviderURL:      viper.GetString("oidc.provider_url"),
+			EncryptionSecret: viper.GetString("oidc.encryption_secret"),
+		})
+		authenticators["try-auth-oidc"] = oidcAuthenticator
+	}
 
-	agent.StartAgent(viper.GetString("server.addr"), map[string]auth.Authenticator{
-		"try-auth-ldap": ldapAuthentifier,
-		"try-auth-oidc": oidcAuthenticator,
-	})
+	agent.StartAgent(viper.GetString("server.addr"), authenticators)
 }

docker-compose.yml

@@ -9,6 +9,9 @@ services:
     depends_on:
       - spoe
       - dex
+      - protected-backend
+      - unprotected-backend
+      - unauthorized-backend
     networks:
       haproxy-spoe-net:
         aliases:

go.mod

@@ -5,12 +5,16 @@ go 1.15
 require (
 	github.com/coreos/go-oidc/v3 v3.0.0
 	github.com/criteo/haproxy-spoe-go v1.0.6
-	github.com/go-delve/delve v1.7.0 // indirect
+	github.com/go-delve/delve v1.7.3 // indirect
 	github.com/sirupsen/logrus v1.7.0
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.7.0
 	github.com/tebeka/selenium v0.9.9
+	github.com/vmihailenco/msgpack/v5 v5.3.4
+	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
 	golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602
+	golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect
+	golang.org/x/text v0.3.7 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/ldap.v3 v3.0.3
 )