Skip to content

Oauth additional claims2 #2725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
serg-bs wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Oauth additional claims2 #2725

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
045355a
OAUTH Additional claims
Apr 8, 2024
aa99c60
OAUTH Additional claims
Apr 9, 2024
b56cf27
OAUTH Additional claims
Apr 9, 2024
b3a5310
OAUTH Additional claims
Apr 15, 2024
4e1ca99
OAUTH Additional claims
May 14, 2025
aee583a
OAUTH Additional claims
serg-bs May 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions server/config/development.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ auth:
audience: myorg-dev
organization: org_xxxxxxxxxxxx
invitation:
additionalClaims:
group: "local"
tls:
caFile:
certFile:
Expand Down
1 change: 1 addition & 0 deletions server/config/docker.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ batchActionsDisabled: {{ env "TEMPORAL_BATCH_ACTIONS_DISABLED" | default "false"
startWorkflowDisabled: {{ env "TEMPORAL_START_WORKFLOW_DISABLED" | default "false" }}
hideWorkflowQueryErrors: {{ env "TEMPORAL_HIDE_WORKFLOW_QUERY_ERRORS" | default "false" }}
refreshWorkflowCountsDisabled: {{ env "TEMPORAL_REFRESH_WORKFLOW_COUNTS_DISABLED" | default "false" }}
additionalClaims: {{ env "TEMPORAL_OAUTH_ADDITIONAL_CLAIMS" | default "false" }}
cors:
cookieInsecure: {{ env "TEMPORAL_CSRF_COOKIE_INSECURE" | default "false" }}
allowOrigins:
Expand Down
1 change: 1 addition & 0 deletions server/docker/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ docker run \
-e TEMPORAL_TLS_KEY=../cluster.key \
-e TEMPORAL_TLS_ENABLE_HOST_VERIFICATION=true \
-e TEMPORAL_TLS_SERVER_NAME=tls-server \
-e TEMPORAL_OAUTH_ADDITIONAL_CLAIMS="group: \"mygroup\"" \
temporalio/ui:latest
```

Expand Down
34 changes: 33 additions & 1 deletion server/server/auth/oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ type Claims struct {
Picture string `json:"picture"`
}

func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, provider *oidc.Provider) (*User, error) {
func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, provider *oidc.Provider, additionalClaimsConfig map[string]string) (*User, error) {
state, err := r.Cookie("state")
if err != nil {
return nil, echo.NewHTTPError(http.StatusBadRequest, "State cookie is not set in request")
Expand Down Expand Up @@ -98,6 +98,17 @@ func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, p
return nil, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
}

if additionalClaimsConfig != nil {
var claimTokenValues map[string]interface{}
if err := idToken.Claims(&claimTokenValues); err != nil {
return nil, echo.NewHTTPError(http.StatusInternalServerError, "Error parse claims")
}

if err := VerifyAdditionalClaims(additionalClaimsConfig, claimTokenValues); err != nil {
return nil, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
}
}

user := User{
OAuth2Token: oauth2Token,
IDToken: &IDToken{
Expand All @@ -108,3 +119,24 @@ func ExchangeCode(ctx context.Context, r *http.Request, config *oauth2.Config, p

return &user, nil
}

func VerifyAdditionalClaims(additionalClaims map[string]string, claimTokenValues map[string]interface{}) error {
for configClaimKey, configClaimValue := range additionalClaims {
claimValues := claimTokenValues[configClaimKey]
if claimValues != nil {
switch t := claimValues.(type) {
case string:
if t == configClaimValue {
return nil
}
case []interface{}:
for _, claimValue := range t {
if claimValue == configClaimValue {
return nil
}
}
}
}
}
return echo.NewHTTPError(http.StatusInternalServerError, "No additional Claims defined")
}
30 changes: 30 additions & 0 deletions server/server/auth/oidc_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
package auth

import (
"github.com/stretchr/testify/assert"
"testing"
)

func TestAdditionalClaimsError(t *testing.T) {
configAdditionalClaims := map[string]string{
"foo": "bar",
}
claimTokenValues := map[string]interface{}{
"foo": []interface{}{"value1", "value2", "value3"},
"group": []interface{}{"value1", "value2", "bar"},
}
err := VerifyAdditionalClaims(configAdditionalClaims, claimTokenValues)
assert.Error(t, err)
}

func TestAdditionalClaimsSuccess(t *testing.T) {
configAdditionalClaims := map[string]string{
"group": "bar",
}
claimTokenValues := map[string]interface{}{
"foo": []interface{}{"value1", "value2", "value3"},
"group": []interface{}{"value1", "value2", "bar"},
}
err := VerifyAdditionalClaims(configAdditionalClaims, claimTokenValues)
assert.NoError(t, err)
}
3 changes: 2 additions & 1 deletion server/server/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,8 @@ type (
// CallbackURL - URL for the callback URL, ex. https://localhost:8080/sso/callback
CallbackURL string `yaml:"callbackUrl"`
// Options added as URL query params when redirecting to auth provider. Can be used to configure custom auth flows such as Auth0 invitation flow.
Options map[string]interface{} `yaml:"options"`
Options map[string]interface{} `yaml:"options"`
AdditionalClaims map[string]string `yaml:"additionalClaims"`
}

Codec struct {
Expand Down
8 changes: 4 additions & 4 deletions server/server/route/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,8 @@ func SetAuthRoutes(e *echo.Echo, cfgProvider *config.ConfigProviderWithRefresh)

api := e.Group("/auth")
api.GET("/sso", authenticate(&oauthCfg, providerCfg.Options))
api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider))
api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider)) // compatibility with UI v1
api.GET("/sso/callback", authenticateCb(ctx, &oauthCfg, provider, providerCfg.AdditionalClaims))
api.GET("/sso_callback", authenticateCb(ctx, &oauthCfg, provider, providerCfg.AdditionalClaims)) // compatibility with UI v1
}

func authenticate(config *oauth2.Config, options map[string]interface{}) func(echo.Context) error {
Expand Down Expand Up @@ -119,9 +119,9 @@ func authenticate(config *oauth2.Config, options map[string]interface{}) func(ec
}
}

func authenticateCb(ctx context.Context, oauthCfg *oauth2.Config, provider *oidc.Provider) func(echo.Context) error {
func authenticateCb(ctx context.Context, oauthCfg *oauth2.Config, provider *oidc.Provider, additionalClaims map[string]string) func(echo.Context) error {
return func(c echo.Context) error {
user, err := auth.ExchangeCode(ctx, c.Request(), oauthCfg, provider)
user, err := auth.ExchangeCode(ctx, c.Request(), oauthCfg, provider, additionalClaims)
if err != nil {
return err
}
Expand Down