Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement oidc #628

Open
wants to merge 25 commits into
base: master
Choose a base branch
from
Open

Implement oidc #628

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
604fa65
Implement oidc
Jeidnx Jun 18, 2023
375ee58
Better Error handling for oidc config
Jeidnx Jun 19, 2023
143711c
Save redirect in state
Jeidnx Jun 19, 2023
18d9317
Show warning message before oidc login
Jeidnx Jun 19, 2023
f4b9dff
Only show warning when not redirecting to configured frontend
Jeidnx Jun 27, 2023
53d9b9d
Merge branch 'master' into oidc
Jeidnx Jul 4, 2023
97889f3
Merge remote-tracking branch 'origin/master' into oidc
FireMasterK Aug 5, 2023
847f80c
Simplify config handling.
FireMasterK Aug 5, 2023
946ac45
Add missing newline.
FireMasterK Aug 5, 2023
0eb2351
Format all code.
FireMasterK Aug 5, 2023
9b7246a
Merge branch 'master' into oidc
Jeidnx Oct 24, 2023
e7f2187
Implement account deletion and cleanup some code
Jeidnx Oct 25, 2023
c1fde37
Refactor oidc logic into UserHandlers
Jeidnx Oct 26, 2023
024435f
Add database migration for username length change.
FireMasterK Oct 26, 2023
470efd8
Revert "Add database migration for username length change."
Jeidnx Oct 29, 2023
5f6a83a
Add code from the meeting.
FireMasterK Oct 29, 2023
868103c
Merge branch 'master' into oidc
Jeidnx Nov 6, 2024
074e4bc
chore: properly implement oidc
Jeidnx Nov 12, 2024
580eb7f
Simplify oidc hash generation.
FireMasterK Nov 17, 2024
9520a3c
Simplify error handling code a little.
FireMasterK Nov 17, 2024
b0725f8
Remove debug code and format.
FireMasterK Nov 17, 2024
74a6751
Move OidcData to db + some cleanup
Jeidnx Nov 20, 2024
f76f8e0
randomize username
Jeidnx Nov 20, 2024
e4ba195
add redirect to oidc delete; more cleanup
Jeidnx Nov 20, 2024
77cd736
explicitly reject empty hashes
Jeidnx Nov 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ dependencies {
implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
implementation 'com.github.FireMasterK.NewPipeExtractor:NewPipeExtractor:48beff184a9792c4787cfa05fce577c3adf89f56'
implementation 'com.github.FireMasterK:nanojson:9f4af3b739cc13f3d0d9d4b758bbe2b2ae7119d7'
implementation 'com.nimbusds:oauth2-oidc-sdk:11.5'
implementation 'com.fasterxml.jackson.core:jackson-core:2.15.2'
implementation 'com.fasterxml.jackson.core:jackson-annotations:2.15.2'
implementation 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
Expand Down
8 changes: 8 additions & 0 deletions config.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,3 +82,11 @@ hibernate.connection.password:changeme
# Frontend configuration
#frontend.statusPageUrl:https://kavin.rocks
#frontend.donationUrl:https://kavin.rocks

# Oidc configuration
#oidc.provider.INSERT_HERE.name:INSERT_HERE
#oidc.provider.INSERT_HERE.clientId:INSERT_HERE
#oidc.provider.INSERT_HERE.clientSecret:INSERT_HERE
#oidc.provider.INSERT_HERE.authUri:INSERT_HERE
#oidc.provider.INSERT_HERE.tokenUri:INSERT_HERE
#oidc.provider.INSERT_HERE.userinfoUri:INSERT_HERE
41 changes: 39 additions & 2 deletions src/main/java/me/kavin/piped/consts/Constants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,15 @@
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.JsonNodeFactory;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.minio.MinioClient;
import it.unimi.dsi.fastutil.objects.Object2ObjectOpenHashMap;
import it.unimi.dsi.fastutil.objects.ObjectArrayList;
import me.kavin.piped.utils.PageMixin;
import me.kavin.piped.utils.RequestUtils;
import me.kavin.piped.utils.obj.OidcProvider;
import me.kavin.piped.utils.resp.ListLinkHandlerMixin;
import okhttp3.OkHttpClient;
import okhttp3.brotli.BrotliInterceptor;
Expand All @@ -23,9 +26,8 @@

import java.io.File;
import java.io.FileReader;
import java.net.InetSocketAddress;
import java.net.ProxySelector;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;

Expand Down Expand Up @@ -102,6 +104,7 @@ public class Constants {
public static final String YOUTUBE_COUNTRY;

public static final String VERSION;
public static final List<OidcProvider> OIDC_PROVIDERS;

public static final ObjectMapper mapper = JsonMapper.builder()
.addMixIn(Page.class, PageMixin.class)
Expand Down Expand Up @@ -168,12 +171,37 @@ public class Constants {
MATRIX_SERVER = getProperty(prop, "MATRIX_SERVER", "https://matrix-client.matrix.org");
MATRIX_TOKEN = getProperty(prop, "MATRIX_TOKEN");
GEO_RESTRICTION_CHECKER_URL = getProperty(prop, "GEO_RESTRICTION_CHECKER_URL");

OIDC_PROVIDERS = new ObjectArrayList<>();

Map<String, Map<String, String>> oidcProviderConfig = new Object2ObjectOpenHashMap<>();
ArrayNode providerNames = frontendProperties.putArray("oidcProviders");
prop.forEach((_key, _value) -> {
String key = String.valueOf(_key), value = String.valueOf(_value);
if (key.startsWith("hibernate"))
hibernateProperties.put(key, value);
else if (key.startsWith("frontend."))
frontendProperties.put(StringUtils.substringAfter(key, "frontend."), value);
else if (key.startsWith("oidc.provider")) {
String[] split = key.split("\\.");
if (split.length != 4) return;
oidcProviderConfig
.computeIfAbsent(split[2], k -> new Object2ObjectOpenHashMap<>())
.put(split[3], value);
}
});
oidcProviderConfig.forEach((provider, config) -> {
ObjectNode providerNode = frontendProperties.putObject(provider);
OIDC_PROVIDERS.add(new OidcProvider(
getRequiredMapValue(config, "name"),
getRequiredMapValue(config, "clientId"),
getRequiredMapValue(config, "clientSecret"),
getRequiredMapValue(config, "authUri"),
getRequiredMapValue(config, "tokenUri"),
getRequiredMapValue(config, "userinfoUri")
));
providerNames.add(provider);
config.forEach(providerNode::put);
});
frontendProperties.put("imageProxyUrl", IMAGE_PROXY_PART);
frontendProperties.putArray("countries").addAll(
Expand Down Expand Up @@ -230,4 +258,13 @@ private static String getProperty(final Properties prop, String key, String def)

return prop.getProperty(key, def);
}

private static String getRequiredMapValue(final Map<?, String> map, Object key) {
String value = map.get(key);
if (StringUtils.isBlank(value)) {
System.err.println("Missing '" + key + "' in sub-configuration");
System.exit(1);
}
return value;
}
}
176 changes: 175 additions & 1 deletion src/main/java/me/kavin/piped/server/ServerLauncher.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,13 @@

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.*;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.rometools.rome.feed.synd.SyndFeed;
import com.rometools.rome.io.SyndFeedInput;
import io.activej.config.Config;
Expand All @@ -18,8 +25,11 @@
import me.kavin.piped.server.handlers.auth.FeedHandlers;
import me.kavin.piped.server.handlers.auth.StorageHandlers;
import me.kavin.piped.server.handlers.auth.UserHandlers;
import me.kavin.piped.utils.ErrorResponse;
import me.kavin.piped.utils.*;
import me.kavin.piped.utils.obj.MatrixHelper;
import me.kavin.piped.utils.obj.OidcData;
import me.kavin.piped.utils.obj.OidcProvider;
import me.kavin.piped.utils.obj.federation.FederatedVideoInfo;
import me.kavin.piped.utils.resp.*;
import org.apache.commons.lang3.StringUtils;
Expand All @@ -33,7 +43,9 @@

import java.io.ByteArrayInputStream;
import java.net.InetSocketAddress;
import java.util.List;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
Expand All @@ -49,6 +61,7 @@ public class ServerLauncher extends MultithreadedHttpServerLauncher {

private static final HttpHeader FILE_NAME = HttpHeaders.of("x-file-name");
private static final HttpHeader LAST_ETAG = HttpHeaders.of("x-last-etag");
private static final Map<String, OidcData> PENDING_OIDC = new HashMap<>();

@Provides
Executor executor() {
Expand Down Expand Up @@ -268,6 +281,147 @@ AsyncServlet mainServlet(Executor executor) {
LoginRequest.class);
return getJsonResponse(UserHandlers.registerResponse(body.username, body.password),
"private");
} catch (Exception e) {
return getErrorResponse(e, request.getPath());
}
})).map(GET, "/oidc/:provider/:function", AsyncServlet.ofBlocking(executor, request -> {
try {
String function = request.getPathParameter("function");
OidcProvider provider = getOidcProvider(request.getPathParameter("provider"));
if (provider == null)
return HttpResponse.ofCode(500).withHtml("Can't find the provider on the server");

URI callback = new URI(Constants.PUBLIC_URL + "/oidc/" + provider.name + "/callback");

switch (function) {
case "login" -> {
String redirectUri = request.getQueryParameter("redirect");

if (StringUtils.isBlank(redirectUri)) {
return HttpResponse.ofCode(400).withHtml("redirect is a required parameter");
}

OidcData data = new OidcData(redirectUri);
String state = data.getState();

PENDING_OIDC.put(state, data);

AuthenticationRequest oidcRequest = new AuthenticationRequest.Builder(
new ResponseType("code"),
new Scope("openid"),
provider.clientID, callback).endpointURI(provider.authUri)
.state(new State(state)).nonce(data.nonce).build();

if (redirectUri.equals(Constants.FRONTEND_URL + "/login")) {
return HttpResponse.redirect302(oidcRequest.toURI().toString());
}
return HttpResponse.ok200().withHtml(
"<!DOCTYPE html><html style=\"color-scheme: dark light;\"><body>" +
"<h3>Warning:</h3> You are trying to give <pre style=\"font-size: 1.2rem;\">" +
redirectUri +
"</pre> access to your Piped account. If you wish to continue click " +
"<a style=\"text-decoration: underline;color: inherit;\"href=\"" +
oidcRequest.toURI().toString() +
"\">here</a></body></html>");
}
case "callback" -> {
ClientAuthentication clientAuth = new ClientSecretBasic(provider.clientID, provider.clientSecret);

AuthenticationSuccessResponse sr = parseOidcUri(URI.create(request.getFullUrl()));

OidcData data = PENDING_OIDC.get(sr.getState().toString());
if (data == null) {
return HttpResponse.ofCode(400).withHtml(
"Your oidc provider sent invalid state data. Try again or contact your oidc admin"
);
}
AuthorizationCode code = sr.getAuthorizationCode();
AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, callback);


TokenRequest tr = new TokenRequest(provider.tokenUri, clientAuth, codeGrant);
OIDCTokenResponse tokenResponse = (OIDCTokenResponse) OIDCTokenResponseParser.parse(tr.toHTTPRequest().send());

if (!tokenResponse.indicatesSuccess()) {
TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
return HttpResponse.ofCode(500).withHtml("Failure while trying to request token:\n\n" + errorResponse.getErrorObject().getDescription());
}

OIDCTokenResponse successResponse = tokenResponse.toSuccessResponse();

if (data.isInvalidNonce((String) successResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaim("nonce"))) {
return HttpResponse.ofCode(400).withHtml(
"Your oidc provider sent an invalid nonce. Try again or contact your oidc admin"
);
}

UserInfoRequest ur = new UserInfoRequest(provider.userinfoUri, successResponse.getOIDCTokens().getBearerAccessToken());
UserInfoResponse userInfoResponse = UserInfoResponse.parse(ur.toHTTPRequest().send());

if (!userInfoResponse.indicatesSuccess()) {
System.out.println(userInfoResponse.toErrorResponse().getErrorObject().getCode());
System.out.println(userInfoResponse.toErrorResponse().getErrorObject().getDescription());
return HttpResponse.ofCode(500).withHtml("Failed to query userInfo:\n\n" + userInfoResponse.toErrorResponse().getErrorObject().getDescription());
}

UserInfo userInfo = userInfoResponse.toSuccessResponse().getUserInfo();

String sessionId = UserHandlers.oidcCallbackResponse(provider.name, userInfo.getSubject().toString());
return HttpResponse.redirect302(data.data + "?session=" + sessionId);
}
case "delete" -> {
ClientAuthentication clientAuth = new ClientSecretBasic(provider.clientID, provider.clientSecret);

AuthenticationSuccessResponse sr = parseOidcUri(URI.create(request.getFullUrl()));

OidcData data = UserHandlers.PENDING_OIDC.get(sr.getState().toString());
if (data == null) {
return HttpResponse.ofCode(400).withHtml(
"Your oidc provider sent invalid state data. Try again or contact your oidc admin"
);
}

long start = Long.parseLong(data.data.split("\\|")[1]);
String session = data.data.split("\\|")[0];

AuthorizationCode code = sr.getAuthorizationCode();
AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, new URI(Constants.PUBLIC_URL + request.getPath()));


TokenRequest tr = new TokenRequest(provider.tokenUri, clientAuth, codeGrant);
TokenResponse tokenResponse = OIDCTokenResponseParser.parse(tr.toHTTPRequest().send());

if (!tokenResponse.indicatesSuccess()) {
TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
return HttpResponse.ofCode(500).withHtml("Failure while trying to request token:\n\n" + errorResponse.getErrorObject().getDescription());
}

OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse();

JWTClaimsSet claims = successResponse.getOIDCTokens().getIDToken().getJWTClaimsSet();

if (data.isInvalidNonce((String) claims.getClaim("nonce"))) {
return HttpResponse.ofCode(400).withHtml(
"Your oidc provider sent an invalid nonce. Please try again or contact your oidc admin."
);
}

long authTime = (long) claims.getClaim("auth_time");

if (authTime < start) {
return HttpResponse.ofCode(500).withHtml(
"Your oidc provider didn't verify your identity. Please try again or contact your oidc admin."
);
}

return HttpResponse.redirect302(Constants.FRONTEND_URL + "/preferences?deleted=" + UserHandlers.deleteOidcUserResponse(session));
}
default -> {
return HttpResponse.ofCode(500).withHtml("Invalid function `" + function + "`");
}
}


} catch (Exception e) {
return getErrorResponse(e, request.getPath());
}
Expand Down Expand Up @@ -517,6 +671,26 @@ AsyncServlet mainServlet(Executor executor) {
return new CustomServletDecorator(router);
}

private static OidcProvider getOidcProvider(String provider) {
for (int i = 0; i < Constants.OIDC_PROVIDERS.size(); i++) {
OidcProvider curr = Constants.OIDC_PROVIDERS.get(i);
if (curr == null || !curr.name.equals(provider)) continue;
return curr;
}
return null;
}

private static AuthenticationSuccessResponse parseOidcUri(URI uri) throws Exception {
AuthenticationResponse response = AuthenticationResponseParser.parse(uri);

if (response instanceof AuthenticationErrorResponse) {
// The OpenID provider returned an error
System.err.println(response.toErrorResponse().getErrorObject());
throw new Exception(response.toErrorResponse().getErrorObject().toString());
}
return response.toSuccessResponse();
}

private static String[] getArray(String s) {

if (s == null) {
Expand Down
Loading