Configurable email_verified OIDC Claim Requirement #2860
Conversation
|
Just checking in on this. Please let me know if I've gone about the process wrong. Think it's something we're interested in accepting? Really appreciate everything. |
Thx for your PR! I'll do some testing once 0.27.1 is out and we'll come back to this afterwards. |
|
No rush at all! Thanks a ton! |
nblock
left a comment
There was a problem hiding this comment.
Thanks for your PR!
The following behavior makes authorization and profile update consistent:
For oidc.email_verified_required: true (default), require the e-mail to be verified to do any processing on it (email_verified: true). This gives as two cases:
email_verified: true:- accept if the email matches the
oidc.allowed_usersfilter - accept if the domain matches the
oidc.allowed_domainsfilter - update the email in the user's profile
- accept if the email matches the
email_verified: false(or not provided):- reject even if the email would match the
oidc.allowed_usersfilter (breaking) - reject even if the domain would match the
oidc.allowed_domainsfilter (breaking) - don't update the email in the user's profile
- reject even if the email would match the
For oidc.email_verified_required: false, ignore the email_verified flag during processing. This results in:
- accept if the email matches the
oidc.allowed_usersfilter - accept if the domain matches the
oidcs.allowed_groupsfilter - update the email in the user's profile
|
So sorry for the delay on this! Got wrapped up in work and the holiday. I'll try to knock it out later today. Thanks! |
131b92b to
4e01aed
Compare
|
I fumbled the tests for a few minutes but everything should be in order now. I'm not sure why the test workflow says it's waiting for a "status to be reported" for the tests. Weird. If I've borked stuff, let me know and I'll fix it. |
|
Thanks for following up and implementing most of #2860 (review). It seems that the following cases are not implemented?
I tested it both cases ( Could you have a look at this? |
Checking into it but I have a question: As of now, OIDC authorization checks are AND'd. Shouldn't they be OR'd? Example: If both |
|
I refactored to OR authorization checks, cleaned stuff up, and added standalone tests for OIDC authorization. Some of the decisions are questionable. All tests are succeeding on my side. Still waiting to see if GitHub actions wreck me. I'm open to changes/rejection. Feel free to share your thoughts, and sorry if I'm making this more complicated than it has to be. |
This could be discussed as a possible follow-up to this PR, but let's don't change the current behavior in this PR and keep it focused (docs). (Feel free to rebase and squash as single commit.) |
e0ced73 to
7a78fcd
Compare
Ok, I reset to an earlier commit and saved those changes to another branch. I'll open another PR. Latest push still moves authorization to a distinct function for testing while preserving the authorization flow. |
|
Thx, will have a look soonish |
| trustEmail := !cfg.EmailVerifiedRequired || bool(claims.EmailVerified) | ||
| hasEmailTests := len(cfg.AllowedDomains) > 0 || len(cfg.AllowedUsers) > 0 | ||
| if !trustEmail && hasEmailTests { | ||
| return errOIDCUnverifiedEmail | ||
| } |
There was a problem hiding this comment.
An "internal server error" is raised when:
oidc.allowed_usersis configuredoidc.email_verified_enabledis enabled- A user with an unverified e-mail address tries to authenticate.
Logs: ERR http internal server error error="authenticated principal has an unverified email" code=500
Browser: internal server error
This should raise a http/401 instead, similar to:
Line 422 in 21ba197
Line 444 in 21ba197
Line 458 in 21ba197
7a78fcd to
c573dfd
Compare
nblock
left a comment
There was a problem hiding this comment.
Thx, did a quick rundown with the following testcases, looks good:
- evr unset: defaults to true?
- evr=true, ev=true: ack + email in profile
- evr=true, ev=false: ack + email not in profile
- evr=true, ev=true, oidc.allowed_users
- match+email in profile
- no match: reject?
- evr=true, ev=true, oidc.allowed_domains
- match+email in profile
- no match: reject?
- evr=true, ev=false, oidc.allowed_users
- always reject and never update profile?
- evr=true, ev=false, oidc.allowed_domains
- always reject and never update profile?
- evr=false, oidc.allowed_users
- accept if match + profile update
- evr=false, oidc.allowed_domains
- accept if match + profile update
@kradalby will have another look at the code.
Add test cases covering: - unverified email with allowed user filter - no filters configured with unverified email
Add test case that verifies a user in the second allowed group should be authorized. This test currently fails due to a bug where validateOIDCAllowedGroups returns error on first non-match.
Move error return outside the for loop so all allowed groups are checked before returning unauthorized. Previously, it would return error on first non-matching group instead of checking if any subsequent group matches.
beabaed to
d95e291
Compare
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
When configured to use OIDC,
email_verified=trueis required to appear in ID token claims or user info before the email will be saved in a user's information. There are some scenarios where theemail_verifiedclaim cannot be sent/configured, such as when using Cloudflare One-time pin -- which doesn't support adding/modifying claims. This can make writing ACLs difficult or impossible.This PR adds a configuration that relaxes the
email_verified=truerequirement by:oidc.use_unverified_emailoidc.allowed_domainsduring authorizationUser.FromClaimRelated: #2655