small updates to allow control over cookies, custom authorization url…

… params, unencrypted server-side tokens
travisghansen · Feb 3, 2020 · 9eb59c2 · 9eb59c2
1 parent a88e3bd
commit 9eb59c2
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -74,6 +74,12 @@
 - opa plugin
 - opa assertions
 
+# 0.7.0
+
+- ~~support server-side tokens being stored decrypted~~
+- ~~support setting the `httpOnly` and `secure` flag on `oauth2`/`oidc` cookies~~
+- ~~support custom authorization URL parameters for `oauth2`/`oidc`~~
+
 # 0.6.0
 
 Released 2019-10-29

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -98,6 +98,7 @@ https://medium.com/hal24k-techblog/multitenancy-on-kubernetes-with-istio-externa
 - https://www.express-gateway.io/
 - https://github.com/buzzfeed/sso
 - https://github.com/pomerium/pomerium
+- https://www.pomerium.io/
 
 ## contour
 

diff --git a/PLUGINS.md b/PLUGINS.md
@@ -254,6 +254,10 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         client_secret: "..."
     },
     scopes: [],
+    // custom static authorization URL parameters
+    // NOTE: all critical fields are managed automatically, this should only be used in advanced scenarios
+    // ie: https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens
+    custom_authorization_parameters: {},
     /**
     * static redirect URI
     * if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
@@ -363,6 +367,8 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         //name: "_my_company_session",//default is _oeas_oauth_session
         //domain: "example.com", //defaults to request domain, could do sso with more generic domain
         //path: "/",
+        //httpOnly: true,
+        //secure: false,
     },
     // see HEADERS.md for details
     headers: {},
@@ -411,6 +417,10 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         //registration_access_token: "",
     },
     scopes: ["openid", "email", "profile"], // must include openid
+    // custom static authorization URL parameters
+    // NOTE: all critical fields are managed automatically, this should only be used in advanced scenarios
+    // ie: https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens
+    custom_authorization_parameters: {},
     /**
     * static redirect URI
     * if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
@@ -534,6 +544,8 @@ Please read [further details](OAUTH_PLUGINS.md) about configuration.
         //name: "_my_company_session",//default is _oeas_oauth_session
         //domain: "example.com", //defaults to request domain, could do sso with more generic domain
         //path: "/",
+        //httpOnly: true,
+        //secure: false,
     },
     // see HEADERS.md for details
     headers: {},

diff --git a/src/plugin/oauth/index.js b/src/plugin/oauth/index.js
@@ -445,7 +445,8 @@ class BaseOauthPlugin extends BasePlugin {
          * if omitted will be a 'session' cookie
          */
         expires: cookieExpiresAt ? new Date(cookieExpiresAt) : null,
-        httpOnly: true, //kills js access
+        httpOnly: plugin.config.cookie.httpOnly, //kills js access
+        secure: plugin.config.cookie.secure,
         signed: true
       });
 
@@ -1051,6 +1052,9 @@ class OauthPlugin extends BaseOauthPlugin {
    * @param {*} config
    */
   constructor(server, config) {
+    config.custom_authorization_parameters =
+      config.custom_authorization_parameters || {};
+
     if (!config.cookie) {
       config.cookie = {};
     }
@@ -1067,6 +1071,14 @@ class OauthPlugin extends BaseOauthPlugin {
       config.cookie.path = "/";
     }
 
+    if (!config.cookie.hasOwnProperty("secure")) {
+      config.cookie.secure = false;
+    }
+
+    if (!config.cookie.hasOwnProperty("httpOnly")) {
+      config.cookie.httpOnly = true;
+    }
+
     if (!config.features) {
       config.features = {};
     }
@@ -1146,6 +1158,7 @@ class OauthPlugin extends BaseOauthPlugin {
     const plugin = this;
     const client = await plugin.get_client();
     const url = client.authorizationCode.authorizeURL({
+      ...plugin.config.custom_authorization_parameters,
       redirect_uri: authorization_redirect_uri,
       scope: plugin.config.scopes.join(" "),
       state: state
@@ -1348,6 +1361,9 @@ class OpenIdConnectPlugin extends BaseOauthPlugin {
    * @param {*} config
    */
   constructor(server, config) {
+    config.custom_authorization_parameters =
+      config.custom_authorization_parameters || {};
+
     if (!config.cookie) {
       config.cookie = {};
     }
@@ -1364,6 +1380,14 @@ class OpenIdConnectPlugin extends BaseOauthPlugin {
       config.cookie.path = "/";
     }
 
+    if (!config.cookie.hasOwnProperty("secure")) {
+      config.cookie.secure = false;
+    }
+
+    if (!config.cookie.hasOwnProperty("httpOnly")) {
+      config.cookie.httpOnly = true;
+    }
+
     if (!config.features) {
       config.features = {};
     }
@@ -1486,6 +1510,7 @@ class OpenIdConnectPlugin extends BaseOauthPlugin {
     const client = await plugin.get_client();
 
     const url = client.authorizationUrl({
+      ...plugin.config.custom_authorization_parameters,
       redirect_uri: authorization_redirect_uri,
       scope: plugin.config.scopes.join(" "),
       state: state

diff --git a/src/server.js b/src/server.js
@@ -237,10 +237,14 @@ verifyHandler = async (req, res, options = {}) => {
         configToken
       );
 
-      configToken = externalAuthServer.utils.decrypt(
-        externalAuthServer.secrets.config_token_encrypt_secret,
-        configToken
-      );
+      // server-side tokens can be stored encrypted or not
+      if (!externalAuthServer.utils.is_jwt(configToken)) {
+        configToken = externalAuthServer.utils.decrypt(
+          externalAuthServer.secrets.config_token_encrypt_secret,
+          configToken
+        );
+      }
+
       configToken = jwt.verify(
         configToken,
         externalAuthServer.secrets.config_token_sign_secret

diff --git a/src/utils.js b/src/utils.js
@@ -65,6 +65,13 @@ function generate_csrf_id() {
   return uuidv4();
 }
 
+function is_jwt(jwtString) {
+  const re = new RegExp(
+    /^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$/
+  );
+  return re.test(jwtString);
+}
+
 function get_parent_request_info(req) {
   const info = {};
   info.uri = get_parent_request_uri(req);
@@ -293,6 +300,7 @@ module.exports = {
   base64_decode,
   generate_session_id,
   generate_csrf_id,
+  is_jwt,
   get_parent_request_uri,
   get_parent_request_info,
   get_envoy_forwarded_uri,