Enhance OIDC Authentication: Dynamic Redirect URLs, Authentication State in Cookies, and Bearer Token Support

Dockerfile

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on make build
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM gcr.io/distroless/base:nonroot
 WORKDIR /
 COPY --from=builder /workspace/bin/contour-authserver .
 USER nonroot:nonroot

config/oidc/configmap.yaml

@@ -5,7 +5,7 @@ metadata:
 data:
   auth-svr-config.yaml: |
     address: ":9443"
-    issuerURL: "http://dex.auth.app.192.168.10.134.nip.io:9080"
+    issuerURL: "https://keycloak.dev.gocno.io/realms/demo-realm"
     redirectURL: "https://echo.oidc.app.local:9443"
     redirectPath: "/callback"
     allowEmptyClientSecret: false

go.mod

@@ -1,18 +1,20 @@
 module github.com/projectcontour/contour-authserver
 
-go 1.23
+go 1.23.0
+
 toolchain go1.23.2
 
 require (
 	github.com/allegro/bigcache v1.2.1
 	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4
 	github.com/go-logr/logr v1.4.2
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/mattn/go-isatty v0.0.20
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/tg123/go-htpasswd v1.2.3
-	golang.org/x/oauth2 v0.25.0
+	golang.org/x/oauth2 v0.26.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a
 	google.golang.org/grpc v1.70.0
 	gopkg.in/yaml.v2 v2.4.0

go.sum

@@ -47,6 +47,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
@@ -155,8 +157,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

main.go

@@ -18,6 +18,8 @@ import (
 	"fmt"
 	"os"
 
+	"log"
+
 	"github.com/projectcontour/contour-authserver/pkg/cli"
 	"github.com/projectcontour/contour-authserver/pkg/version"
 
@@ -38,11 +40,12 @@ func main() {
 		Short:   "Authentication server for the Envoy proxy",
 		Version: fmt.Sprintf("%s/%s, built %s", version.Version, version.Sha, version.BuildDate),
 	})
+	log.Println("debug version", version.Version)
 
 	root.AddCommand(cli.Defaults(cli.NewTestserverCommand()))
 	root.AddCommand(cli.Defaults(cli.NewHtpasswdCommand()))
 	root.AddCommand(cli.Defaults(cli.NewOIDCConnect()))
-
+	root.AddCommand(cli.Defaults(cli.NewHttokenCommand()))
 	if err := root.Execute(); err != nil {
 		if msg := err.Error(); msg != "" {
 			fmt.Fprintf(os.Stderr, "%s: %s\n", version.Progname, msg)

pkg/auth/httoken.go

@@ -0,0 +1,87 @@
+// Copyright Project Contour Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"slices"
+	"strings"
+
+	"github.com/go-logr/logr"
+)
+
+// Httoken watches Secrets for httoken files and uses them for HTTP Basic Authentication.
+type Httoken struct {
+	Log         logr.Logger
+	StaticToken []string
+}
+
+var _ Checker = &Httoken{}
+
+// Check ...
+func (h *Httoken) Check(ctx context.Context, request *Request) (*Response, error) {
+	h.Log.Info("checking request",
+		"host", request.Request.Host,
+		"path", request.Request.URL.Path,
+		"id", request.ID,
+	)
+
+	// Check for Bearer token
+	auth := request.Request.Header.Get("Authorization")
+	var token string
+
+	if strings.HasPrefix(auth, "Bearer ") {
+		// Extract token
+		token = strings.TrimPrefix(auth, "Bearer ")
+	}
+
+	// If there's an "Authorization" header and we can verify
+	// it, succeed and inject some headers to tell the origin
+	//what  we did.
+	if slices.Contains(h.StaticToken, token) {
+		// TODO(jpeach) inject context attributes into the headers.
+		authorized := http.Response{
+			StatusCode: http.StatusOK,
+			Header: http.Header{
+				"Auth-Handler": {"httoken"},
+				"X-Auth-token": {token},
+			},
+		}
+
+		// Reflect the authorization check context into the response headers.
+		for k, v := range request.Context {
+			key := fmt.Sprintf("Auth-Context-%s", k)
+			key = http.CanonicalHeaderKey(key) // XXX(jpeach) this will not transform invalid characters
+
+			authorized.Header.Add(key, v)
+		}
+
+		return &Response{
+			Allow:    true,
+			Response: authorized,
+		}, nil
+	}
+
+	return &Response{
+		Allow: false,
+		Response: http.Response{
+			StatusCode: http.StatusUnauthorized,
+			Header: http.Header{
+				"WWW-Authenticate": {`Bearer realm="token", charset="UTF-8"`},
+			},
+		},
+	}, nil
+}