fatedier / frp

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Apache License 2.0

[feature] frp_oidc requires a parameter to use auth0 OIDC #2822

Closed StarryVoid closed 2 years ago

StarryVoid commented 2 years ago

Bug Description

Hi, I just tested linking auth0 with frp_oidc. It is very similar to the configuration #2814 used, but an error is reported.

The Log is

2022/03/02 13:43:33 [W] [service.go:105] login to server failed: couldn't generate OIDC token for login: oauth2: cannot fetch token: 403 Forbidden
Response: {"error":"access_denied","error_description":"No audience parameter was provided, and no default audience has been configured"}
couldn't generate OIDC token for login: oauth2: cannot fetch token: 403 Forbidden
Response: {"error":"access_denied","error_description":"No audience parameter was provided, and no default audience has been configured"}

The failed request (curl) (audience="")

curl --request POST \
  --url https://dev-xxx.jp.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"IDXXXXXXXX","client_secret":"SXXXXXXXX","audience":"","grant_type":"client_credentials"}'
{"error":"access_denied","error_description":"No audience parameter was provided, and no default audience has been configured"}

The successful request (curl) (Have audience)

curl --request POST \
  --url https://dev-xxx.jp.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"IDXXXXXXXX","client_secret":"SXXXXXXXX","audience":"https://dev-xxx.jp.auth0.com/","grant_type":"client_credentials"}'
{
  "access_token":"XXXXXXXX",
  "scope":"read:client_grants create:client_grants delete:client_grants update:client_grants read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys",
  "expires_in":86400,
  "token_type":"Bearer"
}

The Config is

frps.ini
authentication_method = oidc
oidc_issuer = https://dev-xxx.jp.auth0.com/
oidc_audience = https://dev-xxx.jp.auth0.com/api/v2/

frpc.ini
authentication_method = oidc
oidc_client_id = "IDXXXXXXXX"
oidc_client_secret = "SXXXXXXXX"
#oidc_audience = ""
oidc_audience = "https://dev-xxx.jp.auth0.com/api/v2/"
oidc_token_endpoint_url = "https://dev-xxx.jp.auth0.com/oauth/token/"
oidc_additional_audience = "https://dev-xxx.jp.auth0.com/api/v2/"

The Auth0 Config

User -> Applications -> Applications -> Create Applications -> Name=Demo-FRP & Machine to Machine Applications -> Select "Auth0 Management API" & Permissions Search "client" + Select "ALL" -> Finish
User -> Applications -> APIs -> Auth0 Management API Settings -> Test -> Select "Demo-FRP" -> Select "Curl" -> Copy "URL" "client_id" "client_secret" "audience"

Auth0 && FRP_OIDC

"client_id" ==> oidc_client_id
"client_secret" ==> oidc_client_secret
"audience" ==> oidc_audience
"System API Identifier" ==> oidc_audience & oidc_additional_audience
"Curl url" ==> oidc_token_endpoint_url

I think the problem is the same as #2814.

I searched the web for OIDC-related material and came across the Auth0 service. I originally wanted to use GitHub's OIDC service, but could not find detailed documentation for it [ URL / URL2 ]. The related issue in this project is #2814. Hoping for a fix.

frpc Version

0.39.1

frps Version

0.39.1

System Architecture

linux/amd64

Configurations

frps.ini
authentication_method = oidc
oidc_issuer = https://dev-xxx.jp.auth0.com/
oidc_audience = https://dev-xxx.jp.auth0.com/api/v2/

frpc.ini
authentication_method = oidc
oidc_client_id = "IDXXXXXXXX"
oidc_client_secret = "SXXXXXXXX"
oidc_token_endpoint_url = "https://dev-xxx.jp.auth0.com/oauth/token/"
oidc_additional_audience = "https://dev-xxx.jp.auth0.com/api/v2/"

Logs

2022/03/02 13:43:33 [W] [service.go:105] login to server failed: couldn't generate OIDC token for login: oauth2: cannot fetch token: 403 Forbidden
Response: {"error":"access_denied","error_description":"No audience parameter was provided, and no default audience has been configured"}
couldn't generate OIDC token for login: oauth2: cannot fetch token: 403 Forbidden
Response: {"error":"access_denied","error_description":"No audience parameter was provided, and no default audience has been configured"}

Steps to reproduce

  1. ...

Affected area

blizard863 commented 2 years ago

https://github.com/fatedier/frp/pull/2814/files

Maybe a solution.

StarryVoid commented 2 years ago

Thx. I think it's great.

https://github.com/fatedier/frp/pull/2814/files

And I want to know how to associate the service provider's API with the frp_oidc configuration parameters. There is no documentation explaining what's going on.

Consulted documentation:
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/v2-protocols-oidc
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/access-tokens
https://docs.microsoft.com/zh-cn/azure/active-directory/develop/id-tokens
https://auth0.com/docs/get-started/applications
https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps

Auth0 (wrong) (Need audience="***" )

frps.ini
authentication_method = oidc
oidc_issuer = https://dev-xxx.jp.auth0.com/
oidc_audience = https://dev-xxx.jp.auth0.com/api/v2/

frpc.ini
authentication_method = oidc
oidc_client_id = "IDXXXXXXXX"
oidc_client_secret = "SXXXXXXXX"
oidc_token_endpoint_url = "https://dev-xxx.jp.auth0.com/oauth/token/"
oidc_additional_audience = "https://dev-xxx.jp.auth0.com/api/v2/"

Github (wrong) (I think Github doesn't support oidc)

frps.ini
authentication_method = oidc
oidc_issuer = https://token.actions.githubusercontent.com
oidc_audience = https://github.com/login/oauth/access_token

frpc.ini
authentication_method = oidc
oidc_client_id = "IDXXXXXXXX"
oidc_client_secret = "SXXXXXXXX"
oidc_token_endpoint_url = "https://github.com/login/oauth/access_token/"
oidc_additional_audience = "https://github.com/login/oauth/"

Azure (wrong)

frps.ini
authentication_method = oidc
oidc_issuer = https://login.microsoftonline.com/common/v2.0/
oidc_audience = https://graph.microsoft.com/

frpc.ini
authentication_method = oidc
oidc_client_id = "IDXXXXXXXX"
oidc_client_secret = "SXXXXXXXX"
oidc_token_endpoint_url = "https://login.microsofto…sumers/oauth2/v2.0/token"
oidc_additional_audience = "https://graph.microsoft.com/"

blizard863 commented 2 years ago

Hello @StarryVoid, this is an interesting question. I want to give my understanding; maybe it's wrong, but I want to discuss it with you.

  1. The oidc_additional_xxx params are not supported in the frp release version, but they are in my PR; maybe this PR will be merged. I tested my PR with the auth0 and authing services. You can pull my code and build it; I guess it will succeed with the auth0 service.

  2. OAuth 2.0 supports several grant_types, such as Authorization Code, Password, Client Credentials and so on. frp uses Client Credentials; this is a standard usage. By the way, I searched the GitHub documentation for the keywords "client credentials" and there is no related documentation. So I guess GitHub does not support this grant_type?

  3. I also read the Azure document, https://docs.microsoft.com/zh-cn/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow, you can try this. Hope to hear your good news.

reference: https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
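The failing and succeeding token requests in the opening post, and the Client Credentials grant described in the comment above, as an added Go example that is not frp's code and not part of this thread: a minimal client_credentials token fetch of the kind frpc performs at login, run against a constructed stand-in for Auth0's /oauth/token endpoint that reproduces the two responses quoted in the issue (403 access_denied without an audience, a bearer token with one). The client_id, client_secret, API identifier, token value, the .example hostname and the error branches other than those two responses are all made up for the example; frp's oidc_* options are only mirrored in the field names. The request body is form-encoded as RFC 6749 specifies, whereas the curl examples above send JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ClientCredentialsConfig mirrors the frpc.ini oidc_* values the thread maps out;
// the type and field names are this example's own, not frp's internal types.
type ClientCredentialsConfig struct {
	ClientID         string // oidc_client_id
	ClientSecret     string // oidc_client_secret
	TokenEndpointURL string // oidc_token_endpoint_url
	Audience         string // oidc_audience, sent as the "audience" form field
}

type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Error       string `json:"error"`
	ErrorDesc   string `json:"error_description"`
}

// FetchToken performs the RFC 6749 section 4.4 client_credentials grant. "audience" is an
// Auth0 extension to that grant and is only sent when set, so an empty value reproduces the 403.
func FetchToken(client *http.Client, cfg ClientCredentialsConfig) (string, error) {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_id", cfg.ClientID)
	form.Set("client_secret", cfg.ClientSecret)
	if cfg.Audience != "" {
		form.Set("audience", cfg.Audience)
	}
	req, err := http.NewRequest(http.MethodPost, cfg.TokenEndpointURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // the IdP reply is untrusted input; bound it
	if err != nil {
		return "", err
	}
	var tr tokenResponse
	_ = json.Unmarshal(body, &tr) // on a non-JSON body tr stays empty and only the status is reported
	if resp.StatusCode != http.StatusOK {
		// Same shape as the frpc log line: HTTP status, then the IdP's error fields.
		return "", fmt.Errorf("cannot fetch token: %s Response: %s: %s", resp.Status, tr.Error, tr.ErrorDesc)
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return "", fmt.Errorf("token endpoint returned 200 without a bearer access_token")
	}
	return tr.AccessToken, nil
}

// NewFakeAuth0 is a constructed stand-in for Auth0's /oauth/token endpoint. Only the two
// responses quoted in the issue are Auth0's; the other branches are this example's own.
func NewFakeAuth0(clientID, clientSecret, apiIdentifier string) *httptest.Server {
	fail := func(w http.ResponseWriter, status int, code, desc string) {
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(map[string]string{"error": code, "error_description": desc})
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch {
		case r.Method != http.MethodPost || r.ParseForm() != nil:
			fail(w, http.StatusBadRequest, "invalid_request", "expected a form-encoded POST")
		case r.PostForm.Get("grant_type") != "client_credentials":
			fail(w, http.StatusBadRequest, "unsupported_grant_type", "only client_credentials is accepted")
		// Authenticate the client before the audience check, so an unauthenticated caller cannot probe API identifiers.
		case r.PostForm.Get("client_id") != clientID || r.PostForm.Get("client_secret") != clientSecret:
			fail(w, http.StatusUnauthorized, "access_denied", "Unauthorized")
		case r.PostForm.Get("audience") == "":
			fail(w, http.StatusForbidden, "access_denied", "No audience parameter was provided, and no default audience has been configured")
		case r.PostForm.Get("audience") != apiIdentifier:
			fail(w, http.StatusForbidden, "access_denied", "audience does not match a registered API identifier")
		default:
			json.NewEncoder(w).Encode(map[string]interface{}{"access_token": "XXXXXXXX", "token_type": "Bearer", "expires_in": 86400})
		}
	}))
}

func main() {
	srv := NewFakeAuth0("IDXXXXXXXX", "SXXXXXXXX", "https://dev-xxx.example/api/v2/") // constructed placeholders
	defer srv.Close()
	cfg := ClientCredentialsConfig{ClientID: "IDXXXXXXXX", ClientSecret: "SXXXXXXXX", TokenEndpointURL: srv.URL + "/oauth/token"}
	_, err := FetchToken(srv.Client(), cfg)
	fmt.Println("without oidc_audience:", err)
	cfg.Audience = "https://dev-xxx.example/api/v2/"
	tok, err := FetchToken(srv.Client(), cfg)
	fmt.Println("with oidc_audience:", tok, err)
}
```

The first call fails with the same access_denied description as the frpc log in the opening post; the second returns the token. Note that the token endpoint only checks that the audience is one it knows: the thread maps the same API identifier onto frps's oidc_audience as well, because it is the token's aud claim that frps checks, so a token minted for some other audience is rejected by frps rather than by Auth0.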

blizard863 commented 2 years ago

frp_oidc documentation is scarce; it's really necessary to explain every param. I will do a series of usage documents against this document https://datatracker.ietf.org/doc/html/rfc6749.

github-actions[bot] commented 2 years ago

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

Tongzhongren commented 2 years ago

Hello @StarryVoid, this is an interesting question. I want to give my understanding; it may be wrong, but I want to discuss it with you.

  1. The oidc_additional_xxx parameters are not supported in the frp release version, but they are in my PR; maybe this PR will be merged. I tested my PR with the auth0 and authing services. You can pull my code and build it; I think it will succeed with the auth0 service.
  2. OAuth 2.0 supports several grant types, such as authorization code, password, client credentials and so on. frp uses client credentials, which is standard usage. By the way, I searched the GitHub documentation for the keywords "client credentials" and there is no related documentation. So I guess GitHub does not support this grant_type?
  3. I also read the Azure documentation, https://docs.microsoft.com/zh-cn/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow, you can try this. Hope to hear your good news.

Reference: https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps https://datatracker.ietf.org/doc/html/rfc6749#section-4.1

Hello, I would like to know what oidc_issuer, oidc_audience, oidc_client_id, oidc_client_secret, oidc_audience and oidc_token_endpoint_url mean in OIDC authentication.

StarryVoid commented 2 years ago

Hello @Tongzhongren. I am not a developer; this feature was merged in early on by the developers based on code written by others, it is still incomplete, and documentation is missing. Second, I have already laid out the mapping for this question above, https://github.com/fatedier/frp/issues/2822#issuecomment-1057654887; the names involved are all parameter names. Next, if you want to understand OIDC, I think you can read Auth0's documentation. Finally, the fix discussed above only adapts auth0 and similar OIDC authentication methods; in fact non-standard OIDC has many verification conditions, and frp only extracts and uses some of them, so integrating with non-standard OIDC will fail during verification. The part that was fixed only lets ordinary users go through the standard OIDC verification flow normally, and the PR has already been completed, so the problem in this issue should not appear again (unverified).