WIP: Allow roles to be specified for Keycloak

CHANGELOG.md

@@ -79,6 +79,7 @@
 - [#750](https://github.com/oauth2-proxy/oauth2-proxy/pull/750) ci: Migrate to Github Actions (@shinebayar-g)
 - [#829](https://github.com/oauth2-proxy/oauth2-proxy/pull/820) Rename test directory to testdata (@johejo)
 - [#819](https://github.com/oauth2-proxy/oauth2-proxy/pull/819) Improve CI (@johejo)
+- [#767](https://github.com/oauth2-proxy/oauth2-proxy/pull/767) Add ability to specify roles when using the Keycloak provider (@khawaga)
 
 # v6.1.1
 

contrib/oauth2-proxy_autocomplete.sh

@@ -24,7 +24,7 @@ _oauth2_proxy() {
 			COMPREPLY=( $(compgen -W 'X-Real-IP X-Forwarded-For X-ProxyUser-IP' -- ${cur}) )
 			return 0
 			;;
-		--@(http-address|https-address|redirect-url|upstream|basic-auth-password|skip-auth-regex|flush-interval|extra-jwt-issuers|email-domain|whitelist-domain|trusted-ip|keycloak-group|azure-tenant|bitbucket-team|bitbucket-repository|github-org|github-team|github-repo|github-token|gitlab-group|github-user|google-group|google-admin-email|google-service-account-json|client-id|client_secret|banner|footer|proxy-prefix|ping-path|cookie-name|cookie-secret|cookie-domain|cookie-path|cookie-expire|cookie-refresh|cookie-samesite|redist-sentinel-master-name|redist-sentinel-connection-urls|redist-cluster-connection-urls|logging-max-size|logging-max-age|logging-max-backups|standard-logging-format|request-logging-format|exclude-logging-paths|auth-logging-format|oidc-issuer-url|oidc-jwks-url|login-url|redeem-url|profile-url|resource|validate-url|scope|approval-prompt|signature-key|acr-values|jwt-key|pubjwk-url))
+		--@(http-address|https-address|redirect-url|upstream|basic-auth-password|skip-auth-regex|flush-interval|extra-jwt-issuers|email-domain|whitelist-domain|trusted-ip|keycloak-group|keycloak-role|azure-tenant|bitbucket-team|bitbucket-repository|github-org|github-team|github-repo|github-token|gitlab-group|github-user|google-group|google-admin-email|google-service-account-json|client-id|client_secret|banner|footer|proxy-prefix|ping-path|cookie-name|cookie-secret|cookie-domain|cookie-path|cookie-expire|cookie-refresh|cookie-samesite|redist-sentinel-master-name|redist-sentinel-connection-urls|redist-cluster-connection-urls|logging-max-size|logging-max-age|logging-max-backups|standard-logging-format|request-logging-format|exclude-logging-paths|auth-logging-format|oidc-issuer-url|oidc-jwks-url|login-url|redeem-url|profile-url|resource|validate-url|scope|approval-prompt|signature-key|acr-values|jwt-key|pubjwk-url))
 			return 0
 			;;
 	esac

docs/versioned_docs/version-6.1.x/configuration/auth.md

@@ -142,9 +142,12 @@ Make sure you set the following to the appropriate url:
     -redeem-url="http(s)://<keycloak host>/realms/<your realm>/protocol/openid-connect/token"
     -validate-url="http(s)://<keycloak host>/realms/<your realm>/protocol/openid-connect/userinfo"
     -keycloak-group=<user_group>
+    -keycloak-role=<user_role>
 
 The group management in keycloak is using a tree. If you create a group named admin in keycloak you should define the 'keycloak-group' value to /admin.
 
+You can restrict logins to users with specific roles by passing a comma-separated list of roles to 'keycloak-role', the users must have at least one of the specified roles in order to be granted access. Both realm and client roles can be used, client roles should be in the following format 'client:role'.
+
 ### GitLab Auth Provider
 
 Whether you are using GitLab.com or self-hosting GitLab, follow [these steps to add an application](https://docs.gitlab.com/ce/integration/oauth_provider.html). Make sure to enable at least the `openid`, `profile` and `email` scopes, and set the redirect url to your application url e.g. https://myapp.com/oauth2/callback.

pkg/apis/options/options.go

@@ -37,6 +37,7 @@ type Options struct {
 
 	AuthenticatedEmailsFile  string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 	KeycloakGroup            string   `flag:"keycloak-group" cfg:"keycloak_group"`
+	KeycloakRoles            []string `flag:"keycloak-role" cfg:"keycloak_roles"`
 	AzureTenant              string   `flag:"azure-tenant" cfg:"azure_tenant"`
 	BitbucketTeam            string   `flag:"bitbucket-team" cfg:"bitbucket_team"`
 	BitbucketRepository      string   `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
@@ -180,6 +181,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.StringSlice("email-domain", []string{}, "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 	flagSet.StringSlice("whitelist-domain", []string{}, "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
 	flagSet.String("keycloak-group", "", "restrict login to members of this group.")
+	flagSet.StringSlice("keycloak-role", []string{}, "restrict logins to members with this role (may be given multiple times)")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")

pkg/validation/options.go

@@ -254,6 +254,8 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
 		p.SetUsers(o.GitHubUsers)
 	case *providers.KeycloakProvider:
 		p.SetGroup(o.KeycloakGroup)
+		p.SetRoles(o.KeycloakRoles)
+		p.SetAllowedGroups(p.PrefixAllowedGroups())
 	case *providers.GoogleProvider:
 		if o.GoogleServiceAccountJSON != "" {
 			file, err := os.Open(o.GoogleServiceAccountJSON)

providers/auth_test.go

@@ -8,7 +8,8 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 )
 
-var authorizedAccessToken = "imaginary_access_token"
+// The following is a valid JWT, it can be decoded, edited and re-encoded using https://jwt.io/
+var authorizedAccessToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkhvbWVyIFNpbXBzb24iLCJlbWFpbCI6IkNodW5reUxvdmVyNTNAYW9sLmNvbSIsImlhdCI6MTUxNjIzOTAyMiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInRlc3QtcmVhbG1yb2xlMSIsInRlc3QtcmVhbG1yb2xlMiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImNsaWVudCI6eyJyb2xlcyI6WyJ0ZXN0LWNsaWVudHJvbGUxIiwidGVzdC1jbGllbnRyb2xlMiJdfX19.DqKfcantBn7B8acd9rl0LK8FL3sVhUcrM_AHztWI2A0"
 
 func CreateAuthorizedSession() *sessions.SessionState {
 	return &sessions.SessionState{AccessToken: authorizedAccessToken}

providers/keycloak.go

@@ -2,16 +2,20 @@ package providers
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"net/url"
 
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
+	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 type KeycloakProvider struct {
 	*ProviderData
 	Group string
+	Roles []string
 }
 
 var _ Provider = (*KeycloakProvider)(nil)
@@ -63,37 +67,126 @@ func (p *KeycloakProvider) SetGroup(group string) {
 	p.Group = group
 }
 
-func (p *KeycloakProvider) GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error) {
-	json, err := requests.New(p.ValidateURL.String()).
+func (p *KeycloakProvider) SetRoles(roles []string) {
+	p.Roles = roles
+}
+
+type keycloakUserInfo struct {
+	Email  string   `json:"email"`
+	Groups []string `json:"groups"`
+}
+
+func (p *KeycloakProvider) getUserInfo(ctx context.Context, s *sessions.SessionState) (*keycloakUserInfo, error) {
+	var userInfo keycloakUserInfo
+	err := requests.New(p.ValidateURL.String()).
 		WithContext(ctx).
 		SetHeader("Authorization", "Bearer "+s.AccessToken).
 		Do().
-		UnmarshalJSON()
+		UnmarshalInto(&userInfo)
 	if err != nil {
 		logger.Errorf("failed making request %s", err)
-		return "", err
+		return nil, fmt.Errorf("error getting user info: %v", err)
+	}
+	return &userInfo, nil
+}
+
+func getClientRoles(resourceAccess map[string]interface{}) ([]string, error) {
+	var clientRoles []string
+	for name, list := range resourceAccess {
+		scopes, ok := list.(map[string]interface{})
+		if !ok {
+			return nil, errors.New("error parsing client roles from claims")
+		}
+		if roles, found := scopes["roles"]; found {
+			for _, r := range roles.([]interface{}) {
+				clientRoles = append(clientRoles, fmt.Sprintf("%s:%s", name, r))
+			}
+		}
 	}
+	return clientRoles, nil
+}
+
+type realmAccess struct {
+	Roles []string `json:"roles"`
+}
+
+type customClaims struct {
+	RealmAccess    realmAccess            `json:"realm_access"`
+	ResourceAccess map[string]interface{} `json:"resource_access"`
+}
+
+func (p *KeycloakProvider) getRoles(s *sessions.SessionState) ([]string, error) {
+	// Decode JWT token without verifying the signature
+	token, err := jwt.ParseSigned(s.AccessToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token: %v", err)
+	}
+	standardClaims := jwt.Claims{}
+	customClaims := customClaims{}
+	// Parse claims
+	if err := token.UnsafeClaimsWithoutVerification(&standardClaims, &customClaims); err != nil {
+		logger.Printf("failed to parse claims: %s", err)
+	}
+	clientRoles, err := getClientRoles(customClaims.ResourceAccess)
+	if err != nil {
+		logger.Printf("failed to extract client roles: %s", err)
+	}
+	return append(customClaims.RealmAccess.Roles, clientRoles...), nil
+}
+
+func (p *KeycloakProvider) addGroupsToSession(s *sessions.SessionState, groups []string) error {
+	for _, group := range groups {
+		s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
+	}
+	return nil
+}
+
+func (p *KeycloakProvider) addRolesToSession(s *sessions.SessionState) error {
+	roles, err := p.getRoles(s)
+	if err != nil {
+		return err
+	}
+	for _, role := range roles {
+		s.Groups = append(s.Groups, fmt.Sprintf("role:%s", role))
+	}
+	return nil
+}
+
+func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
+	userInfo, err := p.getUserInfo(ctx, s)
+	if err != nil {
+		return err
+	}
+
+	s.Email = userInfo.Email
 
 	if p.Group != "" {
-		var groups, err = json.Get("groups").Array()
+		err := p.addGroupsToSession(s, userInfo.Groups)
 		if err != nil {
-			logger.Printf("groups not found %s", err)
-			return "", err
+			return err
 		}
+	}
 
-		var found = false
-		for i := range groups {
-			if groups[i].(string) == p.Group {
-				found = true
-				break
-			}
+	if len(p.Roles) > 0 {
+		err := p.addRolesToSession(s)
+		if err != nil {
+			return err
 		}
+	}
 
-		if !found {
-			logger.Printf("group not found, access denied")
-			return "", nil
-		}
+	return nil
+}
+
+// PrefixAllowedGroups returns a list of allowed groups, prefixed by their `kind` value
+func (p *KeycloakProvider) PrefixAllowedGroups() (groups []string) {
+
+	if p.Group != "" {
+		groups = append(groups, fmt.Sprintf("group:%s", p.Group))
+	}
+
+	for _, role := range p.Roles {
+		groups = append(groups, fmt.Sprintf("role:%s", role))
 	}
 
-	return json.Get("email").String()
+	return groups
 }