feat: implement disabling oidc issuer checks (#13991)

* use DANGEROUS prefix and drop a warning log
2025-07-09 11:45:56 +00:00 · 2024-07-24 11:45:47 -10:00
parent 652827f0e8
commit 4f01372179
14 changed files with 272 additions and 22 deletions
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@ -10533,6 +10533,9 @@ const docTemplate = `{
                "signups_disabled_text": {
                    "type": "string"
                },
+                "skip_issuer_checks": {
+                    "type": "boolean"
+                },
                "user_role_field": {
                    "type": "string"
                },
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@ -9480,6 +9480,9 @@
        "signups_disabled_text": {
          "type": "string"
        },
+        "skip_issuer_checks": {
+          "type": "boolean"
+        },
        "user_role_field": {
          "type": "string"
        },
--- a/coderd/coderdtest/oidctest/idp.go
+++ b/coderd/coderdtest/oidctest/idp.go
@ -97,6 +97,9 @@ type FakeIDP struct {
 	deviceCode *syncmap.Map[string, deviceFlow]

 	// hooks
+	// hookWellKnown allows mutating the returned .well-known/configuration JSON.
+	// Using this can break the IDP configuration, so be careful.
+	hookWellKnown func(r *http.Request, j *ProviderJSON) error
 	// hookValidRedirectURL can be used to reject a redirect url from the
 	// IDP -> Application. Almost all IDPs have the concept of
 	// "Authorized Redirect URLs". This can be used to emulate that.
@ -151,6 +154,12 @@ func WithMiddlewares(mws ...func(http.Handler) http.Handler) func(*FakeIDP) {
 	}
 }

+func WithHookWellKnown(hook func(r *http.Request, j *ProviderJSON) error) func(*FakeIDP) {
+	return func(f *FakeIDP) {
+		f.hookWellKnown = hook
+	}
+}
+
 // WithRefresh is called when a refresh token is used. The email is
 // the email of the user that is being refreshed assuming the claims are correct.
 func WithRefresh(hook func(email string) error) func(*FakeIDP) {
@ -753,7 +762,16 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	mux.Get("/.well-known/openid-configuration", func(rw http.ResponseWriter, r *http.Request) {
 		f.logger.Info(r.Context(), "http OIDC config", slogRequestFields(r)...)

-		_ = json.NewEncoder(rw).Encode(f.provider)
+		cpy := f.provider
+		if f.hookWellKnown != nil {
+			err := f.hookWellKnown(r, &cpy)
+			if err != nil {
+				http.Error(rw, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		}
+
+		_ = json.NewEncoder(rw).Encode(cpy)
 	})

 	// Authorize is called when the user is redirected to the IDP to login.
@ -1371,8 +1389,11 @@ func (f *FakeIDP) AppCredentials() (clientID string, clientSecret string) {
 	return f.clientID, f.clientSecret
 }

-// OIDCConfig returns the OIDC config to use for Coderd.
-func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+func (f *FakeIDP) PublicKey() crypto.PublicKey {
+	return f.key.Public()
+}
+
+func (f *FakeIDP) OauthConfig(t testing.TB, scopes []string) *oauth2.Config {
 	t.Helper()

 	if len(scopes) == 0 {
@ -1391,22 +1412,50 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
 		RedirectURL: "https://redirect.com",
 		Scopes:      scopes,
 	}
+	f.cfg = oauthCfg

-	ctx := oidc.ClientContext(context.Background(), f.HTTPClient(nil))
+	return oauthCfg
+}
+
+func (f *FakeIDP) OIDCConfigSkipIssuerChecks(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+	ctx := oidc.InsecureIssuerURLContext(context.Background(), f.issuer)
+
+	return f.internalOIDCConfig(ctx, t, scopes, func(config *oidc.Config) {
+		config.SkipIssuerCheck = true
+	}, opts...)
+}
+
+func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+	return f.internalOIDCConfig(context.Background(), t, scopes, nil, opts...)
+}
+
+// OIDCConfig returns the OIDC config to use for Coderd.
+func (f *FakeIDP) internalOIDCConfig(ctx context.Context, t testing.TB, scopes []string, verifierOpt func(config *oidc.Config), opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+	t.Helper()
+
+	oauthCfg := f.OauthConfig(t, scopes)
+
+	ctx = oidc.ClientContext(ctx, f.HTTPClient(nil))
 	p, err := oidc.NewProvider(ctx, f.provider.Issuer)
 	require.NoError(t, err, "failed to create OIDC provider")
+
+	verifierConfig := &oidc.Config{
+		ClientID: oauthCfg.ClientID,
+		SupportedSigningAlgs: []string{
+			"RS256",
+		},
+		// Todo: add support for Now()
+	}
+	if verifierOpt != nil {
+		verifierOpt(verifierConfig)
+	}
+
 	cfg := &coderd.OIDCConfig{
 		OAuth2Config: oauthCfg,
 		Provider:     p,
 		Verifier: oidc.NewVerifier(f.provider.Issuer, &oidc.StaticKeySet{
 			PublicKeys: []crypto.PublicKey{f.key.Public()},
-		}, &oidc.Config{
-			ClientID: oauthCfg.ClientID,
-			SupportedSigningAlgs: []string{
-				"RS256",
-			},
-			// Todo: add support for Now()
-		}),
+		}, verifierConfig),
 		UsernameField: "preferred_username",
 		EmailField:    "email",
 		AuthURLParams: map[string]string{"access_type": "offline"},
@ -1419,13 +1468,12 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
 		opt(cfg)
 	}

-	f.cfg = oauthCfg
 	return cfg
 }

 func (f *FakeIDP) getClaims(m *syncmap.Map[string, jwt.MapClaims], key string) (jwt.MapClaims, bool) {
 	v, ok := m.Load(key)
-	if !ok {
+	if !ok || v == nil {
 		if f.defaultIDClaims != nil {
 			return f.defaultIDClaims, true
 		}
--- a/coderd/coderdtest/oidctest/idp_test.go
+++ b/coderd/coderdtest/oidctest/idp_test.go
@ -2,19 +2,22 @@ package oidctest_test

 import (
 	"context"
+	"crypto"
 	"net/http"
-	"net/http/httptest"
 	"testing"
 	"time"

 	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/xerrors"

 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"

+	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
+	"github.com/coder/coder/v2/testutil"
 )

 // TestFakeIDPBasicFlow tests the basic flow of the fake IDP.
@ -27,12 +30,6 @@ func TestFakeIDPBasicFlow(t *testing.T) {
 		oidctest.WithLogging(t, nil),
 	)

-	var handler http.Handler
-	srv := httptest.NewServer(http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		handler.ServeHTTP(w, r)
-	})))
-	defer srv.Close()
-
 	cfg := fake.OIDCConfig(t, nil)
 	cli := fake.HTTPClient(nil)
 	ctx := oidc.ClientContext(context.Background(), cli)
@ -71,3 +68,84 @@ func TestFakeIDPBasicFlow(t *testing.T) {
 	require.NoError(t, err, "failed to refresh token")
 	require.NotEmpty(t, refreshed.AccessToken, "access token is empty on refresh")
 }
+
+// TestIDPIssuerMismatch emulates a situation where the IDP issuer url does
+// not match the one in the well-known config and claims.
+// This can happen in some edge cases and in some azure configurations.
+//
+// This test just makes sure a fake IDP can set up this scenario.
+func TestIDPIssuerMismatch(t *testing.T) {
+	t.Parallel()
+
+	const proxyURL = "https://proxy.com"
+	const primaryURL = "https://primary.com"
+
+	fake := oidctest.NewFakeIDP(t,
+		oidctest.WithIssuer(proxyURL),
+		oidctest.WithDefaultIDClaims(jwt.MapClaims{
+			"iss": primaryURL,
+		}),
+		oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error {
+			// host should be proxy.com, but we return the primaryURL
+			if r.Host != "proxy.com" {
+				return xerrors.Errorf("unexpected host: %s", r.Host)
+			}
+			j.Issuer = primaryURL
+			return nil
+		}),
+		oidctest.WithLogging(t, nil),
+	)
+
+	ctx := testutil.Context(t, testutil.WaitMedium)
+	// Do not use real network requests
+	cli := fake.HTTPClient(nil)
+	ctx = oidc.ClientContext(ctx, cli)
+
+	// Allow the issuer mismatch
+	verifierContext := oidc.InsecureIssuerURLContext(ctx, "this field does not matter")
+	p, err := oidc.NewProvider(verifierContext, "https://proxy.com")
+	require.NoError(t, err, "failed to create OIDC provider")
+
+	oauthConfig := fake.OauthConfig(t, nil)
+	cfg := &coderd.OIDCConfig{
+		OAuth2Config: oauthConfig,
+		Provider:     p,
+		Verifier: oidc.NewVerifier(fake.WellknownConfig().Issuer, &oidc.StaticKeySet{
+			PublicKeys: []crypto.PublicKey{fake.PublicKey()},
+		}, &oidc.Config{
+			SkipIssuerCheck: true,
+			ClientID:        oauthConfig.ClientID,
+			SupportedSigningAlgs: []string{
+				"RS256",
+			},
+		}),
+		UsernameField: "preferred_username",
+		EmailField:    "email",
+		AuthURLParams: map[string]string{"access_type": "offline"},
+	}
+
+	const expectedState = "random-state"
+	var token *oauth2.Token
+
+	fake.SetCoderdCallbackHandler(func(w http.ResponseWriter, r *http.Request) {
+		// Emulate OIDC flow
+		code := r.URL.Query().Get("code")
+		state := r.URL.Query().Get("state")
+		assert.Equal(t, expectedState, state, "state mismatch")
+
+		oauthToken, err := cfg.Exchange(ctx, code)
+		if assert.NoError(t, err, "failed to exchange code") {
+			assert.NotEmpty(t, oauthToken.AccessToken, "access token is empty")
+			assert.NotEmpty(t, oauthToken.RefreshToken, "refresh token is empty")
+		}
+		token = oauthToken
+	})
+
+	//nolint:bodyclose
+	resp := fake.OIDCCallback(t, expectedState, nil) // Use default claims
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	idToken, err := cfg.Verifier.Verify(ctx, token.Extra("id_token").(string))
+	require.NoError(t, err)
+	require.Equal(t, primaryURL, idToken.Issuer)
+}
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
@ -884,6 +885,7 @@ func TestUserOIDC(t *testing.T) {
 		EmailDomain         []string
 		AssertUser          func(t testing.TB, u codersdk.User)
 		StatusCode          int
+		AssertResponse      func(t testing.TB, resp *http.Response)
 		IgnoreEmailVerified bool
 		IgnoreUserInfo      bool
 	}{
@ -1224,6 +1226,21 @@ func TestUserOIDC(t *testing.T) {
 			AllowSignups: true,
 			StatusCode:   http.StatusOK,
 		},
+		{
+			Name: "IssuerMismatch",
+			IDTokenClaims: jwt.MapClaims{
+				"iss":            "https://mismatch.com",
+				"email":          "user@domain.tld",
+				"email_verified": true,
+			},
+			AllowSignups: true,
+			StatusCode:   http.StatusBadRequest,
+			AssertResponse: func(t testing.TB, resp *http.Response) {
+				data, err := io.ReadAll(resp.Body)
+				require.NoError(t, err)
+				require.Contains(t, string(data), "id token issued by a different provider")
+			},
+		},
 	} {
 		tc := tc
 		t.Run(tc.Name, func(t *testing.T) {
@ -1255,6 +1272,9 @@ func TestUserOIDC(t *testing.T) {
 			client, resp := fake.AttemptLogin(t, owner, tc.IDTokenClaims)
 			numLogs++ // add an audit log for login
 			require.Equal(t, tc.StatusCode, resp.StatusCode)
+			if tc.AssertResponse != nil {
+				tc.AssertResponse(t, resp)
+			}

 			ctx := testutil.Context(t, testutil.WaitLong)

@ -1532,6 +1552,51 @@ func TestUserLogout(t *testing.T) {
 	}
 }

+// TestOIDCSkipIssuer verifies coderd can run without checking the issuer url
+// in the OIDC exchange. This means the CODER_OIDC_ISSUER_URL does not need
+// to match the id_token `iss` field, or the value returned in the well-known
+// config.
+//
+// So this test has:
+// - OIDC at http://localhost:<port>
+// - well-known config with issuer https://primary.com
+// - JWT with issuer https://secondary.com
+//
+// Without this security check disabled, all three above would have to match.
+func TestOIDCSkipIssuer(t *testing.T) {
+	t.Parallel()
+	const primaryURLString = "https://primary.com"
+	const secondaryURLString = "https://secondary.com"
+	primaryURL := must(url.Parse(primaryURLString))
+
+	fake := oidctest.NewFakeIDP(t,
+		oidctest.WithServing(),
+		oidctest.WithDefaultIDClaims(jwt.MapClaims{}),
+		oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error {
+			assert.NotEqual(t, r.URL.Host, primaryURL.Host, "request went to wrong host")
+			j.Issuer = primaryURLString
+			return nil
+		}),
+	)
+
+	owner := coderdtest.New(t, &coderdtest.Options{
+		OIDCConfig: fake.OIDCConfigSkipIssuerChecks(t, nil, func(cfg *coderd.OIDCConfig) {
+			cfg.AllowSignups = true
+		}),
+	})
+
+	// User can login and use their token.
+	ctx := testutil.Context(t, testutil.WaitShort)
+	//nolint:bodyclose
+	userClient, _ := fake.Login(t, owner, jwt.MapClaims{
+		"iss":   secondaryURLString,
+		"email": "alice@coder.com",
+	})
+	found, err := userClient.User(ctx, "me")
+	require.NoError(t, err)
+	require.Equal(t, found.LoginType, codersdk.LoginTypeOIDC)
+}
+
 func oauth2Callback(t *testing.T, client *codersdk.Client) *http.Response {
 	client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse