Validate client redirects in SSO client logins (#41833)
espadolini committed May 21, 2024
1 parent 3ecedd0 commit e4ec728
Showing 18 changed files with 2,602 additions and 1,957 deletions.
16 changes: 16 additions & 0 deletions api/proto/teleport/legacy/types/types.proto
Expand Up @@ -4361,6 +4361,9 @@ message OIDCConnectorSpecV3 {
(gogoproto.jsontag) = "",
(gogoproto.embed) = true
];
// ClientRedirectSettings defines which client redirect URLs are allowed for
// non-browser SSO logins other than the standard localhost ones.
SSOClientRedirectSettings ClientRedirectSettings = 18 [(gogoproto.jsontag) = "client_redirect_settings,omitempty"];
}

// MaxAge allows the max_age parameter to be nullable to preserve backwards
Expand All @@ -4372,6 +4375,13 @@ message MaxAge {
];
}

// SSOClientRedirectSettings contains settings to define which additional client
// redirect URLs should be allowed for non-browser SSO logins.
message SSOClientRedirectSettings {
// a list of hostnames allowed for https client redirect URLs
repeated string allowed_https_hostnames = 1;
}

// OIDCAuthRequest is a request to authenticate with OIDC
// provider, the state about request is managed by auth server
message OIDCAuthRequest {
Expand Down Expand Up @@ -4515,6 +4525,9 @@ message SAMLConnectorSpecV2 {
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "allow_idp_initiated,omitempty"
];
// ClientRedirectSettings defines which client redirect URLs are allowed for
// non-browser SSO logins other than the standard localhost ones.
SSOClientRedirectSettings ClientRedirectSettings = 15 [(gogoproto.jsontag) = "client_redirect_settings,omitempty"];
}

// SAMLAuthRequest is a request to authenticate with SAML
Expand Down Expand Up @@ -4653,6 +4666,9 @@ message GithubConnectorSpecV3 {
// APIEndpointURL is the URL of the API endpoint of the Github instance
// this connector is for.
string APIEndpointURL = 8 [(gogoproto.jsontag) = "api_endpoint_url"];
// ClientRedirectSettings defines which client redirect URLs are allowed for
// non-browser SSO logins other than the standard localhost ones.
SSOClientRedirectSettings ClientRedirectSettings = 9 [(gogoproto.jsontag) = "client_redirect_settings,omitempty"];
}

// GithubAuthRequest is the request to start Github OAuth2 flow.
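Review bot: The comment on `allowed_https_hostnames` does not say how an entry is matched against the redirect URL — exact host equality, case handling, and whether a port or path on the redirect URL is tolerated — and because this list is what lets a login response be delivered somewhere other than the localhost callback, a loose suffix or wildcard match would let an operator's entry cover hosts they never meant to approve. The validation itself is in files not shown on this page, so whichever rule it implements should be stated here where operators read it; I would expand the comment to something like `// Hostnames that may appear as the host of an https client redirect URL, in addition to the standard localhost ones.` followed by `// Entries are compared against the redirect URL's host exactly (no wildcards, ports or paths).`, with the second line adjusted to the implemented rule. It would also help to say explicitly that non-https redirects are never admitted by this list — the field name implies it, the comment does not.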
10 changes: 10 additions & 0 deletions api/types/github.go
Expand Up @@ -71,6 +71,8 @@ type GithubConnector interface {
GetEndpointURL() string
// GetAPIEndpointURL returns the API endpoint URL
GetAPIEndpointURL() string
// GetClientRedirectSettings returns the client redirect settings.
GetClientRedirectSettings() *SSOClientRedirectSettings
}

// NewGithubConnector creates a new Github connector from name and spec
Expand Down Expand Up @@ -288,6 +290,14 @@ func (c *GithubConnectorV3) GetAPIEndpointURL() string {
return GithubAPIURL
}

// GetClientRedirectSettings returns the client redirect settings.
func (c *GithubConnectorV3) GetClientRedirectSettings() *SSOClientRedirectSettings {
if c == nil {
return nil
}
return c.Spec.ClientRedirectSettings
}

// MapClaims returns a list of logins based on the provided claims,
// returns a list of logins and list of kubernetes groups
func (c *GithubConnectorV3) MapClaims(claims GithubClaims) ([]string, []string, []string) {
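Review bot: Adding `GetClientRedirectSettings()` to the exported `GithubConnector` interface in the `api/types` package breaks any out-of-tree implementation or hand-written mock of that interface, which will stop compiling until it gains the method; if the `api` module is consumed by external code this deserves a line in the commit message or release notes. The getter's doc comment should also state what a nil result means, since every caller will have to branch on it: `// GetClientRedirectSettings returns the client redirect settings, or nil when the connector has none configured.` Whether nil is treated as "localhost redirects only" is decided by the validator, which is not on this page, so I would not claim more than that in the comment without checking it.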
10 changes: 10 additions & 0 deletions api/types/oidc.go
Expand Up @@ -100,6 +100,8 @@ type OIDCConnector interface {
// does not login again within this time period, they will be forced
// to re-authenticate.
GetMaxAge() (time.Duration, bool)
// GetClientRedirectSettings returns the client redirect settings.
GetClientRedirectSettings() *SSOClientRedirectSettings
}

// NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV3.
Expand Down Expand Up @@ -473,6 +475,14 @@ func (o *OIDCConnectorV3) GetMaxAge() (time.Duration, bool) {
return o.Spec.MaxAge.Value.Duration(), true
}

// GetClientRedirectSettings returns the client redirect settings.
func (o *OIDCConnectorV3) GetClientRedirectSettings() *SSOClientRedirectSettings {
if o == nil {
return nil
}
return o.Spec.ClientRedirectSettings
}

// Check returns nil if all parameters are great, err otherwise
func (i *OIDCAuthRequest) Check() error {
if i.ConnectorID == "" {
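Review bot: The `if o == nil` guard in `GetClientRedirectSettings` is out of step with the neighbouring getters on `OIDCConnectorV3` — the visible tail of `GetMaxAge` dereferences `o.Spec` with no nil-receiver check in view — so a reader cannot tell whether a nil `*OIDCConnectorV3` is an expected input here or the guard is just defensive. If nil connectors do reach this path, say so and what the result means for redirect validation: `// A nil receiver yields nil settings, i.e. no additional redirect hosts beyond the defaults.`; if they do not, dropping the guard keeps the type consistent. The rest of `GetMaxAge` starts above this hunk, so there may be a guard I cannot see.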
10 changes: 10 additions & 0 deletions api/types/saml.go
Expand Up @@ -98,6 +98,8 @@ type SAMLConnector interface {
GetAllowIDPInitiated() bool
// SetAllowIDPInitiated sets whether the identity provider can initiate a login or not.
SetAllowIDPInitiated(bool)
// GetClientRedirectSettings returns the client redirect settings.
GetClientRedirectSettings() *SSOClientRedirectSettings
}

// NewSAMLConnector returns a new SAMLConnector based off a name and SAMLConnectorSpecV2.
Expand Down Expand Up @@ -377,6 +379,14 @@ func (o *SAMLConnectorV2) SetAllowIDPInitiated(allow bool) {
o.Spec.AllowIDPInitiated = allow
}

// GetClientRedirectSettings returns the client redirect settings.
func (o *SAMLConnectorV2) GetClientRedirectSettings() *SSOClientRedirectSettings {
if o == nil {
return nil
}
return o.Spec.ClientRedirectSettings
}

// setStaticFields sets static resource header and metadata fields.
func (o *SAMLConnectorV2) setStaticFields() {
o.Kind = KindSAMLConnector
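Review bot: `GetClientRedirectSettings` hands back the spec's own pointer (`return o.Spec.ClientRedirectSettings`), so any caller that appends to the hostname slice inside it — say, while assembling an allow-list together with the localhost defaults — silently mutates the connector, which matters if the connector object is shared through a cache. Either document the ownership, `// The returned value is owned by the connector and must not be modified by the caller.`, or return a copy; the same applies to the identical getters on the OIDC and GitHub connectors in this commit. I have not seen the callers, so this is a contract to pin down rather than a bug I can point at.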
