fix: better error message if oauth2 provider with manual endpoints is…

… used (#269)
jkroepke · May 10, 2024 · 3a84758 · 3a84758
1 parent 7fcaa9c
commit 3a84758
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 7 deletions.
diff --git a/docs/Configuration.md b/docs/Configuration.md
@@ -153,11 +153,11 @@ Usage of openvpn-auth-oauth2:
   --oauth2.client.secret value
     	oauth2 client secret. If argument starts with file:// it reads the secret from a file. (env: CONFIG_OAUTH2_CLIENT_SECRET)
   --oauth2.endpoint.auth string
-    	custom oauth2 auth endpoint (env: CONFIG_OAUTH2_ENDPOINT_AUTH)
+    	The flag is used to specify a custom OAuth2 authorization endpoint. (env: CONFIG_OAUTH2_ENDPOINT_AUTH)
   --oauth2.endpoint.discovery string
-    	custom oauth2 discovery url (env: CONFIG_OAUTH2_ENDPOINT_DISCOVERY)
+    	The flag is used to set a custom OAuth2 discovery URL. This URL retrieves the provider's configuration details. (env: CONFIG_OAUTH2_ENDPOINT_DISCOVERY)
   --oauth2.endpoint.token string
-    	custom oauth2 token endpoint (env: CONFIG_OAUTH2_ENDPOINT_TOKEN)
+    	The flag is used to specify a custom OAuth2 token endpoint. (env: CONFIG_OAUTH2_ENDPOINT_TOKEN)
   --oauth2.issuer string
     	oauth2 issuer (env: CONFIG_OAUTH2_ISSUER)
   --oauth2.nonce

diff --git a/docs/FAQ.md b/docs/FAQ.md
@@ -47,4 +47,8 @@ A: Although openvpn-auth-oauth2 theoretically doesn't require client-side authen
 
 ## Q: Can a Remember Me function be implemented in openvpn-auth-oauth2?
 
-A: No, it is not feasible to implement a Remember Me function directly within openvpn-auth-oauth2 or OpenVPN. This limitation arises from the inability of openvpn-auth-oauth2 to store client cookies. While some OIDC providers like Keycloak offer a Remember Me feature, enabling automatic login would require implementation within the OIDC provider's settings rather than within openvpn-auth-oauth2 itself.
+A: No, it is not feasible to implement a Remember Me function directly within openvpn-auth-oauth2 or OpenVPN. This limitation arises from the inability of openvpn-auth-oauth2 to store client cookies. While some OIDC providers like Keycloak offer a Remember Me feature, enabling automatic login would require implementation within the OIDC provider's settings rather than within openvpn-auth-oauth2 itself.
+
+## Q: In logs, I see `Provider did not return a id_token. Validation of user data is not possible.`, but my provider is returning an id_token.
+
+A: This could happen, if `oauth2.endpoint.auth` and `oauth2.endpoint.token` are defined. In this case, the underlying works in OAUTH2 mode, and the id_token is not recognized. If you want to use the user validation, you should remove `oauth2.endpoint.auth` and `oauth2.endpoint.token` from your configuration.
diff --git a/internal/config/flags.go b/internal/config/flags.go
@@ -228,17 +228,17 @@ func flagSetOAuth2(flagSet *flag.FlagSet) {
 	flagSet.String(
 		"oauth2.endpoint.discovery",
 		Defaults.OAuth2.Endpoints.Discovery.String(),
-		"custom oauth2 discovery url",
+		"The flag is used to set a custom OAuth2 discovery URL. This URL retrieves the provider's configuration details.",
 	)
 	flagSet.String(
 		"oauth2.endpoint.auth",
 		Defaults.OAuth2.Endpoints.Auth.String(),
-		"custom oauth2 auth endpoint",
+		"The flag is used to specify a custom OAuth2 authorization endpoint.",
 	)
 	flagSet.String(
 		"oauth2.endpoint.token",
 		Defaults.OAuth2.Endpoints.Token.String(),
-		"custom oauth2 token endpoint",
+		"The flag is used to specify a custom OAuth2 token endpoint.",
 	)
 	flagSet.String(
 		"oauth2.client.id",

diff --git a/internal/oauth2/provider.go b/internal/oauth2/provider.go
@@ -103,6 +103,10 @@ func (p *Provider) Initialize(ctx context.Context, openvpn OpenVPN) error {
 			p.Provider.GetName(), providerConfig.AuthURL, providerConfig.TokenURL,
 		))
 
+		if p.Provider.GetName() == generic.Name {
+			p.logger.Warn("generic provider with manual configuration is used. Validation of user data is not possible.")
+		}
+
 		rpConfig := &oauth2.Config{
 			ClientID:     p.conf.OAuth2.Client.ID,
 			ClientSecret: p.conf.OAuth2.Client.Secret.String(),

diff --git a/internal/oauth2/providers/generic/user.go b/internal/oauth2/providers/generic/user.go
@@ -18,6 +18,11 @@ func (p *Provider) GetUser(_ context.Context, logger *slog.Logger, tokens *oidc.
 
 	if tokens.IDTokenClaims == nil {
 		if tokens.IDToken == "" {
+			// if tokens.Token.Extra("id_token") != nil {
+			// 	logger.Warn("The provider has returned an 'id_token', however, it was configured as an OAUTH2 provider. " +
+			// 		"As a result, user data validation cannot be performed. If you have defined endpoints in the configuration, please remove them and retry.")
+			// 	logger.Debug("id_token", "id_token", tokens.Token.Extra("id_token"))
+			// } else {
 			logger.Warn("provider did not return a id_token. Validation of user data is not possible.")
 		} else {
 			logger.Warn("provider did return a id_token, but it was not parsed correctly. Validation of user data is not possible." +