bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License
5.1k stars 1.21k forks source link

Outdated Google Endpoints can prevent authentication and token refresh #632

Open bcorijn opened 6 years ago

bcorijn commented 6 years ago

Hi,

I set up a proxy yesterday, as a backend behind a internal Traefik proxy to transparently handle Google OIDC authentication to the Kubernetes Dashboard. After some searching and using the fork discussed in https://github.com/bitly/oauth2_proxy/pull/621 to provide the Authentication Bearer header to the dashboard, I managed to get the token into the Kubernetes dashboard. However, it gave me an "Unauthorized error". Decoding the JWT, I noticed that the token provided by the oauth2_proxy had a payload with "iss": "accounts.google.com" while the Kubernetes API was expecting an issuer with value https://accounts.google.com. (Kubernetes does not allow you to set issuers with a non-https scheme, nor is it supported in the OIDC spec I learned afterwards). Setting my Issuer URL manually to -oidc-issuer-url=https://accounts.google.com fixed this and made the authentication work seamlessly.

I noticed throughout the day though that once my token expired, I would have to fully refresh the page to get a new login screen, similar to what was discussed in https://github.com/bitly/oauth2_proxy/issues/218. I started digging and noticed that in my logs, it looked like the refresh of the token never happened, nor that my session even had a refresh token. My log looked like this:

2018/07/17 15:06:14 oauthproxy.go:727: 100.96.11.156:53926 ("100.96.11.1") refreshing 1h16m18s old session cookie for Session{email:bruno@example.com user:bruno token:true id_token:true expires:2018-07-17 14:49:55 +0000 UTC} (refresh after 1h0m0s)
2018/07/17 15:06:15 oauthproxy.go:741: 100.96.11.156:53926 ("100.96.11.1") removing session. token expired Session{email:bruno@example.com user:bruno token:true id_token:true expires:2018-07-17 14:49:55 +0000 UTC}

Note the absence of refresh_token:true, something you can also see in several logs posted in issue 218. Digging further, I realized that by overriding the issuer-url, the login URL also switched to the auto-discovered one (https://github.com/bitly/oauth2_proxy/blob/master/options.go#L152-L161) which lacks the access_type=offline necessary for Google to provide a refresh token (https://github.com/bitly/oauth2_proxy/blob/master/providers/google.go#L37-L38).

Doing some searches online, it looks like Google did not stick to the OIDC spec very closely with their endpoints:

However, the latest endpoints have this fixed:

So a few issues:

I am happy to open a PR to update the endpoints, but wanted to get some eyes on my findings first.