From c3951d67c8c1c91b311c85f086774a3d0ce1f0c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Fri, 28 May 2021 14:59:17 +0000
Subject: [PATCH] forward basic auth to OpenID connect token authentication endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 changelog/unreleased/oidc-token-basic-auth.md | 6 ++++++
 proxy/pkg/middleware/basic_auth.go | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/oidc-token-basic-auth.md

diff --git a/changelog/unreleased/oidc-token-basic-auth.md b/changelog/unreleased/oidc-token-basic-auth.md
new file mode 100644
index 00000000000..0282bd6c462
--- /dev/null
+++ b/changelog/unreleased/oidc-token-basic-auth.md
@@ -0,0 +1,6 @@
+Bugfix: forward basic auth to OpenID connect token authentication endpoint
+
+When using `PROXY_ENABLE_BASIC_AUTH=true` we now forward request to the idp instead of trying to authenticate the request ourself.
+
+https://github.com/owncloud/ocis/issues/2095
+https://github.com/owncloud/ocis/issues/2094
\ No newline at end of file
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
index 5acb89ae098..e6f000ac661 100644
--- a/proxy/pkg/middleware/basic_auth.go
+++ b/proxy/pkg/middleware/basic_auth.go
@@ -31,7 +31,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(
 			func(w http.ResponseWriter, req *http.Request) {
-				if h.isPublicLink(req) || !h.isBasicAuth(req) {
+				if h.isPublicLink(req) || !h.isBasicAuth(req) || h.isOIDCTokenAuth(req) {
 					if !h.isPublicLink(req) {
 						userAgentAuthenticateLockIn(w, req, options.CredentialsByUserAgent, "basic")
 					}
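Review bot: The new `|| h.isOIDCTokenAuth(req)` clause gives no hint at the call site of why a request that does present Basic credentials is deliberately left unauthenticated by the proxy, and the condition then re-evaluates `h.isPublicLink(req)` on the very next line. I would hoist the result once, `isPublic := h.isPublicLink(req)`, and put the reason on the condition: `// Requests to the OIDC token endpoint carry the client's credentials in the Basic header (see isOIDCTokenAuth); they are forwarded for the IdP to verify rather than authenticated by the proxy itself.` Such requests now also fall through to `userAgentAuthenticateLockIn(...)`, which is defined outside the hunk, so it is worth confirming that whatever it does to the response is appropriate for a machine client talking to the token endpoint rather than a browser or sync client. The enclosing `BasicAuth` closure starts and ends outside the hunk.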
@@ -107,6 +107,12 @@ func (m basicAuth) isPublicLink(req *http.Request) bool {
 	return ok && login == "public" && strings.HasPrefix(req.URL.Path, publicFilesEndpoint)
 }
 
+// The token auth endpoint uses basic auth for clients, see https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest
+// > The Client MUST authenticate to the Token Endpoint using the HTTP Basic method, as described in 2.3.1 of OAuth 2.0.
+func (m basicAuth) isOIDCTokenAuth(req *http.Request) bool {
+	return req.URL.Path == "/konnect/v1/token"
+}
+
 func (m basicAuth) isBasicAuth(req *http.Request) bool {
 	_, _, ok := req.BasicAuth()
 	return m.enabled && ok
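Review bot: `isOIDCTokenAuth` exempts every request whose path is exactly `/konnect/v1/token` from the proxy's Basic-auth check regardless of HTTP method, while the token request defined by OAuth 2.0 / OpenID Connect is an HTTP POST; narrowing the bypass to `return req.Method == http.MethodPost && req.URL.Path == oidcTokenEndpoint` keeps the exemption no wider than the use case it serves. The literal path deserves a named constant next to the `publicFilesEndpoint` used two lines above, `const oidcTokenEndpoint = "/konnect/v1/token"`, with a doc comment stating that it is the route of the bundled konnectd IdP — a deployment fronting a different IdP would presumably need a different value, and the current helper silently stops matching in that case. The exact comparison on `req.URL.Path` is fail-closed (a trailing slash or extra segment simply falls back to normal Basic auth), which is the right default for an authentication bypass. `isBasicAuth` below continues past the end of the hunk.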