support skipping issuer url verification in OIDC authentication

2025-11-02 01:37:52 +08:00
parent f42ee9cf67
commit bb84e8af13
3 changed files with 25 additions and 11 deletions
--- a/conf/ezbookkeeping.ini
+++ b/conf/ezbookkeeping.ini
@@ -316,9 +316,12 @@ oauth2_proxy = system
 # For "oauth2" authentication only, set to true to skip tls verification when request OAuth 2.0 api
 oauth2_skip_tls_verify = false

-# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, OIDC provider base url. Make sure the ".well-known" directory is available under this path. For example, if it's set to "https://auth.example.com/", the discovery URL should be "https://auth.example.com/.well-known/openid-configuration".
+# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, OIDC provider issuer url. Make sure the ".well-known" directory is available under this path. For example, if it's set to "https://auth.example.com", the discovery URL should be "https://auth.example.com/.well-known/openid-configuration".
 oidc_provider_base_url =

+# For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to check whether the issuer url in the discovery response matches the above "oidc_provider_base_url"
+oidc_provider_check_issuer_url = true
+
 # For "oauth2" authentication and "oidc" OAuth 2.0 provider only, set to true to replace the text "Connect ID" in the "Log in with Connect ID" button with the below custom provider name
 enable_oidc_display_name = false

--- a/pkg/auth/oauth2/provider/oidc/oidc_provider.go
+++ b/pkg/auth/oauth2/provider/oidc/oidc_provider.go
@@ -1,7 +1,7 @@
 package oidc

 import (
-	"strings"
+	"context"

 	"golang.org/x/oauth2"

@@ -25,7 +25,8 @@ type OIDCClaims struct {
 // OIDCProvider represents OIDC provider
 type OIDCProvider struct {
 	provider.OAuth2Provider
-	oidcBaseUrl        string
+	oidcIssuerURL      string
+	oidcCheckIssuerURL bool
 	redirectUrl        string
 	oauth2ClientID     string
 	oauth2ClientSecret string
@@ -130,14 +131,23 @@ func (p *OIDCProvider) getOAuth2Config(c core.Context) (*oauth2.Config, error) {
 		return p.oauth2Config, nil
 	}

-	oidcProvider, err := oidc.NewProvider(c, p.oidcBaseUrl)
+	var ctx context.Context = c
+
+	if !p.oidcCheckIssuerURL {
+		ctx = oidc.InsecureIssuerURLContext(c, p.oidcIssuerURL)
+	}
+
+	oidcProvider, err := oidc.NewProvider(ctx, p.oidcIssuerURL)

 	if err != nil {
 		log.Errorf(c, "[oidc_provider.getOAuth2Config] failed to create oidc provider, because %s", err.Error())
 		return nil, err
 	}

-	oidcVerifier := oidcProvider.Verifier(&oidc.Config{ClientID: p.oauth2ClientID})
+	oidcVerifier := oidcProvider.Verifier(&oidc.Config{
+		ClientID:        p.oauth2ClientID,
+		SkipIssuerCheck: !p.oidcCheckIssuerURL,
+	})

 	oauth2Config := &oauth2.Config{
 		ClientID:     p.oauth2ClientID,
@@ -155,14 +165,13 @@ func (p *OIDCProvider) getOAuth2Config(c core.Context) (*oauth2.Config, error) {

 // NewOIDCProvider returns a new OIDC provider
 func NewOIDCProvider(config *settings.Config, redirectUrl string) (*OIDCProvider, error) {
-	if len(config.OAuth2OIDCProviderBaseUrl) < 1 {
+	if len(config.OAuth2OIDCProviderIssuerURL) < 1 {
 		return nil, errs.ErrInvalidOAuth2Config
 	}

-	baseUrl := strings.TrimSuffix(config.OAuth2OIDCProviderBaseUrl, "/")
-
 	return &OIDCProvider{
-		oidcBaseUrl:        baseUrl,
+		oidcIssuerURL:      config.OAuth2OIDCProviderIssuerURL,
+		oidcCheckIssuerURL: config.OAuth2OIDCProviderCheckIssuerURL,
 		redirectUrl:        redirectUrl,
 		oauth2ClientID:     config.OAuth2ClientID,
 		oauth2ClientSecret: config.OAuth2ClientSecret,
--- a/pkg/settings/setting.go
+++ b/pkg/settings/setting.go
@@ -377,7 +377,8 @@ type Config struct {
 	OAuth2RequestTimeout              uint32
 	OAuth2Proxy                       string
 	OAuth2SkipTLSVerify               bool
-	OAuth2OIDCProviderBaseUrl         string
+	OAuth2OIDCProviderIssuerURL       string
+	OAuth2OIDCProviderCheckIssuerURL  bool
 	OAuth2OIDCCustomDisplayNameConfig MultiLanguageContentConfig
 	OAuth2NextcloudBaseUrl            string
 	OAuth2GiteaBaseUrl                string
@@ -1032,7 +1033,8 @@ func loadAuthConfiguration(config *Config, configFile *ini.File, sectionName str
 	config.OAuth2RequestTimeout = getConfigItemUint32Value(configFile, sectionName, "oauth2_request_timeout", defaultOAuth2RequestTimeout)
 	config.OAuth2SkipTLSVerify = getConfigItemBoolValue(configFile, sectionName, "oauth2_skip_tls_verify", false)

-	config.OAuth2OIDCProviderBaseUrl = getConfigItemStringValue(configFile, sectionName, "oidc_provider_base_url")
+	config.OAuth2OIDCProviderIssuerURL = getConfigItemStringValue(configFile, sectionName, "oidc_provider_base_url")
+	config.OAuth2OIDCProviderCheckIssuerURL = getConfigItemBoolValue(configFile, sectionName, "oidc_provider_check_issuer_url", true)
 	config.OAuth2OIDCCustomDisplayNameConfig = getMultiLanguageContentConfig(configFile, sectionName, "enable_oidc_display_name", "oidc_custom_display_name")
 	config.OAuth2NextcloudBaseUrl = getConfigItemStringValue(configFile, sectionName, "nextcloud_base_url")
 	config.OAuth2GiteaBaseUrl = getConfigItemStringValue(configFile, sectionName, "gitea_base_url")