Merge pull request #60 from andrewheberle/crewjam

Bump version and no longer user rancher version

Author: andrewheberle

README.md

@@ -9,7 +9,7 @@ This service combines some basic functionality of [Authelia](https://www.autheli
 The process for login is:
 
 1. A reverse proxy, such as HAProxy, gets a HTTP request from a user
-2. This proxy performs a process to verify the authentiction of the user via a HTTP sub-requet to `/api/authz/forward-auth`
+2. This proxy verifies the authentication of the user via a HTTP sub-requet to `/api/authz/forward-auth`
 3. If the user is already authenticated the `/api/authz/forward-auth` returns a `HTTP 200 OK` response along with HTTP headers the proxy may use to identify the user
 4. If no valid session is available, a redirect is returned to the proxy which should be returned to the user, which will start the SAML login process
 
@@ -46,6 +46,7 @@ AUTH_IDP_METADATA=https://idp.example.net/metadata \
       --listen string                     Listen address (default "127.0.0.1:9091")
       --sp-cert string                    Service Provider Certificate
       --sp-claim-mapping stringToString   Mapping of claims to headers (default [remote-user=urn:oasis:names:tc:SAML:attribute:subject-id,remote-email=mail,remote-name=displayName,remote-groups=role])
+      --sp-cookie                         Cookie Name set by Service Provider (default "token")
       --sp-key string                     Service Provider Key
       --sp-url string                     Service Provider URL (default "http://localhost:9091")
 ```
@@ -60,10 +61,16 @@ For this reason, the token only contains minimal data with the rest contained se
 
 By default this store is a basic in-memory store, which means it cannot be shared among multiple instances of this service and also will be lost on restart. The loss of this data on restart is not particularly problematic as the only result will be that the SP will not be able to validate the user is signed in and force the login flow to the IdP.
 
+If using muliple nodes however, using the in-memory store will cause unexpected re-authentiations if requests are handled by different instances.
+
 When using multiple instances, it is possible to use a PostgreSQL database to store this content.
 
 ### Using the same database for multiple deployments
 
 All instances of the same Service Provider should share the same configuration options, including the database store, however if seperate service providers are configured using the same database there is the chance incorrect claims may be returned.
 
 To allow sharing of the same database between seperate Service Providers, the `db-prefix` option will ensure this data is stored in seperate tables.
+
+### Cookie Name
+
+The login "token" is stored as a JWT in a cookie named "token" by default. It is important to ensure that seperate SP's use distinct cookie names to ensure JWT's are correctly validated and not overwritten.

docs/architecture.svg

@@ -4,13 +4,11 @@ go 1.24.0
 
 toolchain go1.24.2
 
-replace github.com/crewjam/saml v0.4.14 => github.com/rancher/saml v0.4.14-rancher3
-
 require (
 	github.com/andrewheberle/simplecommand v0.3.0
 	github.com/bep/simplecobra v0.6.0
 	github.com/cloudflare/certinel v0.4.1
-	github.com/crewjam/saml v0.4.14
+	github.com/crewjam/saml v0.5.1
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/jackc/pgx/v5 v5.6.0
 	github.com/karlseguin/ccache/v3 v3.0.6
@@ -20,8 +18,7 @@ require (
 
 require (
 	github.com/andrewheberle/simpleviper v1.1.1 // indirect
-	github.com/beevik/etree v1.2.0 // indirect
-	github.com/crewjam/httperr v0.2.0 // indirect
+	github.com/beevik/etree v1.5.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -31,7 +28,6 @@ require (
 	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.12.0 // indirect
@@ -42,9 +38,9 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.mod

@@ -3,16 +3,16 @@ github.com/andrewheberle/simplecommand v0.3.0/go.mod h1:D9L/jnIotmn3rxyAYIKAAd9r
 github.com/andrewheberle/simpleviper v1.1.1 h1:9cgJDjcQZoQD1OrgjdMgWP4oFVlFGaHXzxVOsJz0abE=
 github.com/andrewheberle/simpleviper v1.1.1/go.mod h1:xMIWZmEaiCzd86Pq1YNb0PQ/4Fz5thKInTscmfUvUmw=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
-github.com/beevik/etree v1.2.0 h1:l7WETslUG/T+xOPs47dtd6jov2Ii/8/OjCldk5fYfQw=
-github.com/beevik/etree v1.2.0/go.mod h1:aiPf89g/1k3AShMVAzriilpcE4R/Vuor90y83zVZWFc=
+github.com/beevik/etree v1.5.0 h1:iaQZFSDS+3kYZiGoc9uKeOkUY3nYMXOKLl6KIJxiJWs=
+github.com/beevik/etree v1.5.0/go.mod h1:gPNJNaBGVZ9AwsidazFZyygnd+0pAU38N4D+WemwKNs=
 github.com/bep/simplecobra v0.6.0 h1:PpY/0PvYp6jt4OC/9SGoNPi6HzvpYzu8IPogVV6Xk90=
 github.com/bep/simplecobra v0.6.0/go.mod h1:q0ecBAefJZYpzgkbPbQ901hzA98g3ZvCZWZRhzNtB5o=
 github.com/cloudflare/certinel v0.4.1 h1:b0nGqKxEjCe6aS3SoZf0HwjkzfCCAqGzZj8iB9ZJGW0=
 github.com/cloudflare/certinel v0.4.1/go.mod h1:hcx0SA3fmeMzo6egeOzN/29/xfA4+bhZttHvR20a4YA=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
-github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
+github.com/crewjam/saml v0.5.1 h1:g+mfp0CrLuLRZCK793PgJcZeg5dS/0CDwoeAX2zcwNI=
+github.com/crewjam/saml v0.5.1/go.mod h1:r0fDkmFe5URDgPrmtH0IYokva6fac3AUdstiPhyEolQ=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -57,13 +57,10 @@ github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DV
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rancher/saml v0.4.14-rancher3 h1:2NN6cPqm9FJeiT25x8+gLHWGdulsEak33cHRkGaJ5v0=
-github.com/rancher/saml v0.4.14-rancher3/go.mod h1:S4+611dxnKt8z/ulbvaJzcgSHsuhjVc1QHNTcr1R7Fw=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
@@ -88,7 +85,6 @@ github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
 github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
@@ -99,20 +95,19 @@ go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

go.sum

@@ -28,6 +28,7 @@ type rootCommand struct {
 	debug  bool
 
 	// sp flags
+	spCookie       string
 	spCert         string
 	spKey          string
 	spUrl          string
@@ -61,6 +62,7 @@ func (c *rootCommand) Init(cd *simplecobra.Commandeer) error {
 	cmd.Flags().BoolVar(&c.debug, "debug", false, "Enable debug logging")
 
 	// sp command line flags
+	cmd.Flags().StringVar(&c.spCookie, "sp-cookie", "token", "Cookie Name set by Service Provider")
 	cmd.Flags().StringVar(&c.spCert, "sp-cert", "", "Service Provider Certificate")
 	cmd.Flags().StringVar(&c.spKey, "sp-key", "", "Service Provider Key")
 	cmd.MarkFlagsRequiredTogether("sp-cert", "sp-key")
@@ -107,6 +109,7 @@ type serviceProvider struct {
 	ServiceProviderClaimMapping map[string]string `mapstructure:"sp-claim-mapping"`
 	ServiceProviderCertificate  string            `mapstructure:"sp-cert"`
 	ServiceProviderKey          string            `mapstructure:"sp-key"`
+	ServiceProviderCookieName   string            `mapstructure:"sp-cookie"`
 	IdPMetadata                 string            `mapstructure:"idp-metadata"`
 	IdPIssuer                   string            `mapstructure:"idp-issuer"`
 	IdPSSOEndpoint              string            `mapstructure:"idp-sso-endpoint"`
@@ -127,6 +130,7 @@ func (c *rootCommand) Run(ctx context.Context, cd *simplecobra.Commandeer, args
 		// use global values as a fallback if some values are not set
 		spConfig.ServiceProviderCertificate = fallback(spConfig.ServiceProviderCertificate, c.spCert)
 		spConfig.ServiceProviderKey = fallback(spConfig.ServiceProviderKey, c.spKey)
+		spConfig.ServiceProviderCookieName = fallback(spConfig.ServiceProviderCookieName, c.spCookie)
 
 		// show config in debug mode
 		c.logger.Debug("setting up service provider",
@@ -146,6 +150,7 @@ func (c *rootCommand) Run(ctx context.Context, cd *simplecobra.Commandeer, args
 		// set up service provider options
 		opts := []sp.ServiceProviderOption{
 			sp.WithClaimMapping(spConfig.ServiceProviderClaimMapping),
+			sp.WithCookieName(spConfig.ServiceProviderCookieName),
 		}
 
 		// handle metadata
@@ -302,6 +307,7 @@ func (c *rootCommand) serviceProviders() []serviceProvider {
 				ServiceProviderClaimMapping: c.spClaimMapping,
 				ServiceProviderCertificate:  c.spCert,
 				ServiceProviderKey:          c.spKey,
+				ServiceProviderCookieName:   c.spCookie,
 				IdPMetadata:                 c.idpMetadata,
 				IdPIssuer:                   c.idpIssuer,
 				IdPSSOEndpoint:              c.idpSSOEndpoint,
@@ -320,6 +326,7 @@ func (c *rootCommand) serviceProviders() []serviceProvider {
 				ServiceProviderClaimMapping: c.spClaimMapping,
 				ServiceProviderCertificate:  c.spCert,
 				ServiceProviderKey:          c.spKey,
+				ServiceProviderCookieName:   c.spCookie,
 				IdPMetadata:                 c.idpMetadata,
 				IdPIssuer:                   c.idpIssuer,
 				IdPSSOEndpoint:              c.idpSSOEndpoint,

internal/pkg/cmd/cmd.go

@@ -67,6 +67,12 @@ func WithMetadataRefreshInterval(d time.Duration) ServiceProviderOption {
 	}
 }
 
+func WithCookieName(name string) ServiceProviderOption {
+	return func(s *ServiceProvider) {
+		s.cookieName = name
+	}
+}
+
 func WithName(name string) ServiceProviderOption {
 	return func(s *ServiceProvider) {
 		s.name = name

pkg/sp/options.go

@@ -29,6 +29,7 @@ type ServiceProvider struct {
 	store                      AttributeStore
 	opts                       samlsp.Options
 	name                       string
+	cookieName                 string
 	onerror                    func(w http.ResponseWriter, r *http.Request, err error)
 }
 
@@ -77,6 +78,7 @@ func NewServiceProvider(cert, key string, root *url.URL, options ...ServiceProvi
 		EntityID:          root.String(),
 		Key:               keyPair.PrivateKey.(*rsa.PrivateKey),
 		Certificate:       keyPair.Leaf,
+		CookieName:        serviceProvider.cookieName,
 		IDPMetadata:       serviceProvider.idpMetadata,
 		AllowIDPInitiated: true,
 		SignRequest:       true,

pkg/sp/sp.go

@@ -15,7 +15,7 @@ import (
 func DefaultRequestTracker(opts samlsp.Options, serviceProvider *saml.ServiceProvider) CookieRequestTracker {
 	return CookieRequestTracker{
 		ServiceProvider: serviceProvider,
-		NamePrefix:      "saml_",
+		NamePrefix:      fmt.Sprintf("saml_%s_", opts.CookieName),
 		Codec:           samlsp.DefaultTrackedRequestCodec(opts),
 		MaxAge:          saml.MaxIssueDelay,
 		RelayStateFunc:  opts.RelayStateFunc,