Support custom OIDC auth scenarios

temporalio · Mar 3, 2022 · bc9e6f8 · bc9e6f8
1 parent 30fc10f
commit bc9e6f8
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 17 deletions.
diff --git a/config/development.yaml b/config/development.yaml
@@ -17,9 +17,12 @@ auth:
         - openid
         - profile
         - email
-      audience:
       callbackUrl: http://localhost:8080/auth/sso/callback
       passIdToken: false
+      options: # added as URL query params when redirecting to auth provider
+        audience: myorg-dev
+        organization: org_xxxxxxxxxxxx
+        invitation:
 tls:
   caFile:
   certFile:

diff --git a/docker/config_template.yaml b/docker/config_template.yaml
@@ -31,5 +31,4 @@ auth:
         - openid
         - profile
         - email
-      audience:
       passIdToken: false
diff --git a/server/config/config.go b/server/config/config.go
@@ -67,15 +67,15 @@ type (
 	}
 
 	AuthProvider struct {
-		Label        string   `yaml:"label"`
-		Type         string   `yaml:"type"`
-		ProviderUrl  string   `yaml:"providerUrl"`
-		ClientID     string   `yaml:"clientId"`
-		ClientSecret string   `yaml:"clientSecret"`
-		Scopes       []string `yaml:"scopes"`
-		Audience     string   `yaml:"audience"`
-		CallbackURL  string   `yaml:"callbackUrl"`
-		PassIDToken  bool     `yaml:"passIdToken"`
+		Label        string                 `yaml:"label"`
+		Type         string                 `yaml:"type"`
+		ProviderUrl  string                 `yaml:"providerUrl"`
+		ClientID     string                 `yaml:"clientId"`
+		ClientSecret string                 `yaml:"clientSecret"`
+		Scopes       []string               `yaml:"scopes"`
+		CallbackURL  string                 `yaml:"callbackUrl"`
+		PassIDToken  bool                   `yaml:"passIdToken"`
+		Options      map[string]interface{} `yaml:"options"`
 	}
 )
 

diff --git a/server/routes/auth.go b/server/routes/auth.go
@@ -84,15 +84,13 @@ func SetAuthRoutes(e *echo.Echo, cfgProvider *config.ConfigProviderWithRefresh)
 	}
 
 	api := e.Group("/auth")
-	opts := []oauth2.AuthCodeOption{
-		oauth2.SetAuthURLParam("audience", providerCfg.Audience),
-	}
-	api.GET("/sso", authenticate(&config, opts))
+
+	api.GET("/sso", authenticate(&config, providerCfg.Options))
 	api.GET("/sso/callback", authenticateCb(ctx, &config, provider))
 	api.GET("/logout", logout)
 }
 
-func authenticate(config *oauth2.Config, opts []oauth2.AuthCodeOption) func(echo.Context) error {
+func authenticate(config *oauth2.Config, options map[string]interface{}) func(echo.Context) error {
 	return func(c echo.Context) error {
 		state, err := randString()
 		if err != nil {
@@ -105,7 +103,25 @@ func authenticate(config *oauth2.Config, opts []oauth2.AuthCodeOption) func(echo
 		setCallbackCookie(c, "state", state)
 		setCallbackCookie(c, "nonce", nonce)
 
-		opts = append(opts, oidc.Nonce(nonce))
+		opts := []oauth2.AuthCodeOption{
+			oidc.Nonce(nonce),
+		}
+		for k, v := range options {
+			var value string
+			if vStr, ok := v.(string); ok {
+				value = vStr
+			}
+
+			// Some options, ex Auth0 invitation code, may be undefined in config as they are unknowns beforehand
+			// These may come from outside, ex in an invitation email
+			vOverride := c.QueryParam(k)
+			if vOverride != "" {
+				value = vOverride
+			}
+
+			opts = append(opts, oauth2.SetAuthURLParam(k, value))
+		}
+
 		url := config.AuthCodeURL(state, opts...)
 
 		return c.Redirect(http.StatusFound, url)
-Original file line number
+Diff line change
@@ Expand Up / @@ -31,5 +31,4 @@ auth: @@
             - openid
             - profile
             - email
-          audience:
           passIdToken: false