Migration to go-oidc from upstream v1

This change aims to make use of coreos/go-oidc. The generic adapter
aims to act as a sidecar, provide a way to SkipClientID is out of scope
for now.

That does not mean that we cannot revisit this in the near future.

Gopkg.toml

@@ -34,12 +34,12 @@
   version = "1.4.7"
 
 [[constraint]]
-  branch = "master"
-  name = "github.com/gambol99/go-oidc"
+  branch = "v1"
+  name = "github.com/coreos/go-oidc"
 
 [[constraint]]
   branch = "master"
-  name = "github.com/gambol99/goproxy"
+  name = "github.com/elazarl/goproxy"
 
 [[constraint]]
   name = "github.com/rs/cors"

doc.go

@@ -22,7 +22,7 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"github.com/prometheus/client_golang/prometheus"
 )
 
@@ -265,8 +265,6 @@ type Config struct {
 	TLSClientCertificate string `json:"tls-client-certificate" yaml:"tls-client-certificate" usage:"path to the client certificate for outbound connections in reverse and forwarding proxy modes"`
 	// SkipUpstreamTLSVerify skips the verification of any upstream tls
 	SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify" usage:"skip the verification of any upstream TLS"`
-	// SkipClientID indicates we don't need to check the client id of the token
-	SkipClientID bool `json:"skip-client-id" yaml:"skip-client-id" usage:"skip the check on the client token"`
 
 	// CorsOrigins is a list of origins permitted
 	CorsOrigins []string `json:"cors-origins" yaml:"cors-origins" usage:"origins to add to the CORE origins control (Access-Control-Allow-Origin)"`

forwarding.go

@@ -20,8 +20,8 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
-	"github.com/gambol99/go-oidc/oidc"
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oidc"
 	"go.uber.org/zap"
 )
 

handlers.go

@@ -30,7 +30,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/gambol99/go-oidc/oauth2"
+	"github.com/coreos/go-oidc/oauth2"
 
 	"github.com/pressly/chi"
 	"go.uber.org/zap"

middleware.go

@@ -24,7 +24,7 @@ import (
 	"time"
 
 	"github.com/PuerkitoBio/purell"
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"github.com/go-chi/chi/middleware"
 	uuid "github.com/satori/go.uuid"
 	"github.com/unrolled/secure"

middleware_test.go

@@ -25,7 +25,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"github.com/go-resty/resty"
 	"github.com/rs/cors"
 	"github.com/stretchr/testify/assert"

misc.go

@@ -23,7 +23,7 @@ import (
 	"path"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"go.uber.org/zap"
 )
 

oauth.go

@@ -24,9 +24,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
-	"github.com/gambol99/go-oidc/oauth2"
-	"github.com/gambol99/go-oidc/oidc"
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oauth2"
+	"github.com/coreos/go-oidc/oidc"
 )
 
 // getOAuthClient returns a oauth2 client from the openid client

oauth_test.go

@@ -28,8 +28,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
-	"github.com/gambol99/go-oidc/oauth2"
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oauth2"
 	"github.com/pressly/chi"
 	"github.com/pressly/chi/middleware"
 	"github.com/stretchr/testify/assert"

server.go

@@ -37,8 +37,8 @@ import (
 	httplog "log"
 
 	proxyproto "github.com/armon/go-proxyproto"
-	"github.com/gambol99/go-oidc/oidc"
-	"github.com/gambol99/goproxy"
+	"github.com/coreos/go-oidc/oidc"
+	"github.com/elazarl/goproxy"
 	"github.com/pressly/chi"
 	"github.com/pressly/chi/middleware"
 	"github.com/prometheus/client_golang/prometheus"
@@ -703,11 +703,10 @@ func (r *oauthProxy) newOpenIDClient() (*oidc.Client, oidc.ProviderConfig, *http
 			ID:     r.config.ClientID,
 			Secret: r.config.ClientSecret,
 		},
-		HTTPClient:        hc,
-		RedirectURL:       fmt.Sprintf("%s/oauth/callback", r.config.RedirectionURL),
-		ProviderConfig:    config,
-		Scope:             append(r.config.Scopes, oidc.DefaultScope...),
-		SkipClientIDCheck: r.config.SkipClientID,
+		HTTPClient:     hc,
+		RedirectURL:    fmt.Sprintf("%s/oauth/callback", r.config.RedirectionURL),
+		ProviderConfig: config,
+		Scope:          append(r.config.Scopes, oidc.DefaultScope...),
 	})
 	if err != nil {
 		return nil, config, hc, err

server_test.go

@@ -26,7 +26,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -351,44 +351,6 @@ func TestSkipClientIDDisabled(t *testing.T) {
 	p.RunTests(t, requests)
 }
 
-func TestSkipClientIDEnabled(t *testing.T) {
-	c := newFakeKeycloakConfig()
-	c.SkipClientID = true
-	p := newFakeProxy(c)
-	// create two token, one with a bad client id
-	bad := newTestToken(p.idp.getLocation())
-	bad.merge(jose.Claims{"aud": "bad_client_id"})
-	badSigned, _ := p.idp.signToken(bad.claims)
-	// and the good
-	good := newTestToken(p.idp.getLocation())
-	goodSigned, _ := p.idp.signToken(good.claims)
-	// bad issuer
-	badIssurer := newTestToken("http://someone_else")
-	badIssurer.merge(jose.Claims{"aud": "bad_client_id"})
-	badIssuerSigned, _ := p.idp.signToken(badIssurer.claims)
-
-	requests := []fakeRequest{
-		{
-			URI:           "/auth_all/test",
-			RawToken:      goodSigned.Encode(),
-			ExpectedProxy: true,
-			ExpectedCode:  http.StatusOK,
-		},
-		{
-			URI:           "/auth_all/test",
-			RawToken:      badSigned.Encode(),
-			ExpectedProxy: true,
-			ExpectedCode:  http.StatusOK,
-		},
-		{
-			URI:          "/auth_all/test",
-			RawToken:     badIssuerSigned.Encode(),
-			ExpectedCode: http.StatusForbidden,
-		},
-	}
-	p.RunTests(t, requests)
-}
-
 func TestAuthTokenHeaderEnabled(t *testing.T) {
 	p := newFakeProxy(nil)
 	token := newTestToken(p.idp.getLocation())

session.go

@@ -21,7 +21,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"go.uber.org/zap"
 )
 

stores.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"net/url"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"go.uber.org/zap"
 )
 

user_context.go

@@ -20,8 +20,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/gambol99/go-oidc/jose"
-	"github.com/gambol99/go-oidc/oidc"
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oidc"
 )
 
 // extractIdentity parse the jwt token and extracts the various elements is order to construct
@@ -95,7 +95,7 @@ func extractIdentity(token jose.JWT) (*userContext, error) {
 	}, nil
 }
 
-// backported from https://github.com/gambol99/go-oidc/blob/master/oidc/verification.go#L28-L37
+// backported from https://github.com/coreos/go-oidc/blob/master/oidc/verification.go#L28-L37
 // I'll raise another PR to make it public in the go-oidc package so we can just use `oidc.ContainsString()`
 func containsString(needle string, haystack []string) bool {
 	for _, v := range haystack {

utils.go

@@ -44,7 +44,7 @@ import (
 	"unicode"
 	"unicode/utf8"
 
-	"github.com/gambol99/go-oidc/jose"
+	"github.com/coreos/go-oidc/jose"
 	"github.com/urfave/cli"
 	"gopkg.in/yaml.v2"
 )