Fixed broken oauth2 login for operator (#1217)

This PR includes many fixes and refactors for oauth2 authentication and login endpoints, ie: - Invalid login returns `403` instead of `500` error - Removed the session token from console/operator `user credentials login`, `oauth flow login` and `change-password` api responses - Removed session token from localStorage - Added styles for oauth_callback page and display more descriptive errors for debugging - Success logins returns `204` instead of `200` - Removed unused swagger apis and code from both, operator and console projects - Operator `Oauth2` login flow was not validating anything, now it does Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
2021-11-11 14:46:14 -08:00
parent 0086aa8f64
commit 34dc51a579
33 changed files with 439 additions and 1462 deletions
--- a/pkg/auth/idp.go
+++ b/pkg/auth/idp.go
@@ -20,8 +20,8 @@ import (
 	"context"

 	"github.com/minio/console/pkg/auth/idp/oauth2"
-
 	"github.com/minio/minio-go/v7/pkg/credentials"
+	xoauth2 "golang.org/x/oauth2"
 )

 // IdentityProviderI interface with all functions to be implemented
@@ -29,6 +29,7 @@ import (
 // that are used within this project.
 type IdentityProviderI interface {
 	VerifyIdentity(ctx context.Context, code, state string) (*credentials.Credentials, error)
+	VerifyIdentityForOperator(ctx context.Context, code, state string) (*xoauth2.Token, error)
 	GenerateLoginURL() string
 }

@@ -45,6 +46,11 @@ func (c IdentityProvider) VerifyIdentity(ctx context.Context, code, state string
 	return c.Client.VerifyIdentity(ctx, code, state)
 }

+// VerifyIdentityForOperator will verify the user identity against the idp using the authorization code flow
+func (c IdentityProvider) VerifyIdentityForOperator(ctx context.Context, code, state string) (*xoauth2.Token, error) {
+	return c.Client.VerifyIdentityForOperator(ctx, code, state)
+}
+
 // GenerateLoginURL returns a new URL used by the user to login against the idp
 func (c IdentityProvider) GenerateLoginURL() string {
 	return c.Client.GenerateLoginURL()
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -181,7 +181,8 @@ type User struct {
 	Username          string                 `json:"username"`
 }

-// VerifyIdentity will contact the configured IDP and validate the user identity based on the authorization code
+// VerifyIdentity will contact the configured IDP to the user identity based on the authorization code and state
+// if the user is valid, then it will contact MinIO to get valid sts credentials based on the identity provided by the IDP
 func (client *Provider) VerifyIdentity(ctx context.Context, code, state string) (*credentials.Credentials, error) {
 	// verify the provided state is valid (prevents CSRF attacks)
 	if err := validateOauth2State(state); err != nil {
@@ -232,6 +233,23 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)
 	return sts, nil
 }

+// VerifyIdentityForOperator will contact the configured IDP and validate the user identity based on the authorization code and state
+func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, state string) (*xoauth2.Token, error) {
+	// verify the provided state is valid (prevents CSRF attacks)
+	if err := validateOauth2State(state); err != nil {
+		return nil, err
+	}
+	customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.provHTTPClient)
+	oauth2Token, err := client.oauth2Config.Exchange(customCtx, code)
+	if err != nil {
+		return nil, err
+	}
+	if !oauth2Token.Valid() {
+		return nil, errors.New("invalid token")
+	}
+	return oauth2Token, nil
+}
+
 // validateOauth2State validates the provided state was originated using the same
 // instance (or one configured using the same secrets) of Console, this is basically used to prevent CSRF attacks
 // https://security.stackexchange.com/questions/20187/oauth2-cross-site-request-forgery-and-state-parameter