diff --git a/docs/Configuration.md b/docs/Configuration.md
index 4a2ff902..7e301715 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -153,11 +153,11 @@ Usage of openvpn-auth-oauth2:
   --oauth2.client.secret value
       oauth2 client secret. If argument starts with file:// it reads the secret from a file. (env: CONFIG_OAUTH2_CLIENT_SECRET)
   --oauth2.endpoint.auth string
-      custom oauth2 auth endpoint (env: CONFIG_OAUTH2_ENDPOINT_AUTH)
+      The flag is used to specify a custom OAuth2 authorization endpoint. (env: CONFIG_OAUTH2_ENDPOINT_AUTH)
   --oauth2.endpoint.discovery string
-      custom oauth2 discovery url (env: CONFIG_OAUTH2_ENDPOINT_DISCOVERY)
+      The flag is used to set a custom OAuth2 discovery URL. This URL retrieves the provider's configuration details. (env: CONFIG_OAUTH2_ENDPOINT_DISCOVERY)
   --oauth2.endpoint.token string
-      custom oauth2 token endpoint (env: CONFIG_OAUTH2_ENDPOINT_TOKEN)
+      The flag is used to specify a custom OAuth2 token endpoint. (env: CONFIG_OAUTH2_ENDPOINT_TOKEN)
   --oauth2.issuer string
       oauth2 issuer (env: CONFIG_OAUTH2_ISSUER)
   --oauth2.nonce
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 7ac024e8..438afcac 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -47,4 +47,8 @@ A: Although openvpn-auth-oauth2 theoretically doesn't require client-side authen
 ## Q: Can a Remember Me function be implemented in openvpn-auth-oauth2?
-A: No, it is not feasible to implement a Remember Me function directly within openvpn-auth-oauth2 or OpenVPN. This limitation arises from the inability of openvpn-auth-oauth2 to store client cookies. While some OIDC providers like Keycloak offer a Remember Me feature, enabling automatic login would require implementation within the OIDC provider's settings rather than within openvpn-auth-oauth2 itself.
\ No newline at end of file
+A: No, it is not feasible to implement a Remember Me function directly within openvpn-auth-oauth2 or OpenVPN. This limitation arises from the inability of openvpn-auth-oauth2 to store client cookies. While some OIDC providers like Keycloak offer a Remember Me feature, enabling automatic login would require implementation within the OIDC provider's settings rather than within openvpn-auth-oauth2 itself.
+
+## Q: In logs, I see `Provider did not return a id_token. Validation of user data is not possible.`, but my provider is returning an id_token.
+
+A: This could happen, if `oauth2.endpoint.auth` and `oauth2.endpoint.token` are defined. In this case, the underlying works in OAUTH2 mode, and the id_token is not recognized. If you want to use the user validation, you should remove `oauth2.endpoint.auth` and `oauth2.endpoint.token` from your configuration.
diff --git a/internal/config/flags.go b/internal/config/flags.go
index 7a5ba72c..931d349a 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -228,17 +228,17 @@ func flagSetOAuth2(flagSet *flag.FlagSet) {
 	flagSet.String(
 		"oauth2.endpoint.discovery",
 		Defaults.OAuth2.Endpoints.Discovery.String(),
-		"custom oauth2 discovery url",
+		"The flag is used to set a custom OAuth2 discovery URL. This URL retrieves the provider's configuration details.",
 	)
 	flagSet.String(
 		"oauth2.endpoint.auth",
 		Defaults.OAuth2.Endpoints.Auth.String(),
-		"custom oauth2 auth endpoint",
+		"The flag is used to specify a custom OAuth2 authorization endpoint.",
 	)
 	flagSet.String(
 		"oauth2.endpoint.token",
 		Defaults.OAuth2.Endpoints.Token.String(),
-		"custom oauth2 token endpoint",
+		"The flag is used to specify a custom OAuth2 token endpoint.",
 	)
 	flagSet.String(
 		"oauth2.client.id",
diff --git a/internal/oauth2/provider.go b/internal/oauth2/provider.go
index 4ac46815..d2f4db1b 100644
--- a/internal/oauth2/provider.go
+++ b/internal/oauth2/provider.go
@@ -103,6 +103,10 @@ func (p *Provider) Initialize(ctx context.Context, openvpn OpenVPN) error {
 		p.Provider.GetName(), providerConfig.AuthURL, providerConfig.TokenURL,
 	))
+	if p.Provider.GetName() == generic.Name {
+		p.logger.Warn("generic provider with manual configuration is used. Validation of user data is not possible.")
+	}
+
 	rpConfig := &oauth2.Config{
 		ClientID:     p.conf.OAuth2.Client.ID,
 		ClientSecret: p.conf.OAuth2.Client.Secret.String(),
diff --git a/internal/oauth2/providers/generic/user.go b/internal/oauth2/providers/generic/user.go
index d52bcc63..0b08c260 100644
--- a/internal/oauth2/providers/generic/user.go
+++ b/internal/oauth2/providers/generic/user.go
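Review bot: The new usage strings for `oauth2.endpoint.auth` and `oauth2.endpoint.token` omit the consequence the FAQ hunk in this same commit spells out — with both set, the generic provider runs in plain OAuth2 mode and id_token-based validation of user data is skipped — so an operator reading `--help` still cannot see that these flags weaken validation. Suggest stating it in both strings, e.g. `"custom OAuth2 token endpoint; when oauth2.endpoint.auth and oauth2.endpoint.token are both set, id_token validation of user data is not possible"`. The "The flag is used to …" preamble is also out of step with the rest of the set, whose usage strings are short lowercase phrases (`oauth2 issuer`, `oauth2 client secret` in the Configuration.md hunk), and "This URL retrieves the provider's configuration details" reverses the agent — the URL is fetched, it does not retrieve. flagSetOAuth2 starts before the hunk.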
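Review bot: The new warning fires whenever the provider name equals `generic.Name`, which by itself does not show that manual endpoints are in use; if this part of Initialize is also reached for a generic provider configured through discovery, the text "manual configuration is used" would be misleading, so either tie the condition to the manual-endpoint case or confirm this branch is only the manual one (the enclosing function and the construction of `providerConfig` are outside the hunk). The message also names neither the cause nor the remedy that the FAQ in this commit gives, so the operator has to go searching; suggest `p.logger.Warn("generic provider configured with manual oauth2.endpoint.auth/oauth2.endpoint.token endpoints: id_token validation of user data is not possible; remove them to enable validation")`. More importantly, warn-and-continue here is fail-open: if the configuration carries validation rules that depend on id_token claims, logins proceed without them and the only trace is one log line at startup, so consider returning an error from Initialize in that case rather than warning, or at least logging at a level the deployment alerts on.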
@@ -18,6 +18,11 @@ func (p *Provider) GetUser(_ context.Context, logger *slog.Logger, tokens *oidc.
 	if tokens.IDTokenClaims == nil {
 		if tokens.IDToken == "" {
+			// if tokens.Token.Extra("id_token") != nil {
+			// 	logger.Warn("The provider has returned an 'id_token', however, it was configured as an OAUTH2 provider. " +
+			// 		"As a result, user data validation cannot be performed. If you have defined endpoints in the configuration, please remove them and retry.")
+			// 	logger.Debug("id_token", "id_token", tokens.Token.Extra("id_token"))
+			// } else {
 			logger.Warn("provider did not return a id_token. Validation of user data is not possible.")
 		} else {
 			logger.Warn("provider did return a id_token, but it was not parsed correctly. Validation of user data is not possible." +