sso-auth: Azure AD provider

go.mod

@@ -4,18 +4,22 @@ require (
 	github.com/18F/hmacauth v0.0.0-20151013130326-9232a6386b73
 	github.com/benbjohnson/clock v0.0.0-20161215174838-7dc76406b6d3
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
+	github.com/coreos/go-oidc v2.0.0+incompatible
 	github.com/datadog/datadog-go v0.0.0-20180822151419-281ae9f2d895
+	github.com/hashicorp/golang-lru v0.5.1
 	github.com/imdario/mergo v0.3.7
 	github.com/kelseyhightower/envconfig v1.3.0
 	github.com/mccutchen/go-httpbin v1.1.1
 	github.com/micro/go-micro v1.5.0
 	github.com/miscreant/miscreant-go v0.0.0-20181010193435-325cbd69228b
 	github.com/mitchellh/mapstructure v1.1.2
+	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/rakyll/statik v0.1.6
 	github.com/sirupsen/logrus v1.4.2
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	golang.org/x/sync v0.0.0-20190423024810-112230192c58
 	golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522
 	google.golang.org/api v0.5.0
+	gopkg.in/square/go-jose.v2 v2.3.1
 	gopkg.in/yaml.v2 v2.2.2
 )

go.sum

@@ -43,6 +43,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
+github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/datadog/datadog-go v0.0.0-20180822151419-281ae9f2d895 h1:VTq58gB0MvQpLAz2kfeSBchIAi9+zGRMTh+pyfXEoGs=
 github.com/datadog/datadog-go v0.0.0-20180822151419-281ae9f2d895/go.mod h1:Mo2ZYXXA9Kp6qoXibOPpsSwkwZ67pcianic5+LKUZvY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -218,6 +220,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/posener/complete v1.2.1/go.mod h1:6gapUrK/U1TAN7ciCoNRIdVC5sbdBTUh1DKN0g6uH7E=
+github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
+github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
@@ -275,6 +279,7 @@ golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5 h1:8dUaAV7K4uHsF56JQWkprecIQKdPHtR9jCHF5nB8uzc=
 golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -389,6 +394,8 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-playground/validator.v9 v9.29.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/redis.v3 v3.6.4/go.mod h1:6XeGv/CrsUFDU9aVbUdNykN7k1zVmoeg83KC9RbQfiU=
+gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
 gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
 gopkg.in/src-d/go-git-fixtures.v3 v3.1.1/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=

internal/auth/authenticator.go

@@ -108,7 +108,7 @@ func (p *Authenticator) newMux() http.Handler {
 	serviceMux.HandleFunc("/start", p.withMethods(p.OAuthStart, "GET"))
 	serviceMux.HandleFunc("/sign_in", p.withMethods(p.validateClientID(p.validateRedirectURI(p.validateSignature(p.SignIn))), "GET"))
 	serviceMux.HandleFunc("/sign_out", p.withMethods(p.validateRedirectURI(p.validateSignature(p.SignOut)), "GET", "POST"))
-	serviceMux.HandleFunc("/callback", p.withMethods(p.OAuthCallback, "GET"))
+	serviceMux.HandleFunc("/callback", p.withMethods(p.OAuthCallback, "GET", "POST"))
 	serviceMux.HandleFunc("/profile", p.withMethods(p.validateClientID(p.validateClientSecret(p.GetProfile)), "GET"))
 	serviceMux.HandleFunc("/validate", p.withMethods(p.validateClientID(p.validateClientSecret(p.ValidateToken)), "GET"))
 	serviceMux.HandleFunc("/redeem", p.withMethods(p.validateClientID(p.validateClientSecret(p.Redeem)), "POST"))
@@ -460,8 +460,8 @@ func (p *Authenticator) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 	// Here we validate the redirect that is nested within the redirect_uri.
 	// `authRedirectURL` points to step D, `proxyRedirectURL` points to step E.
 	//
-	//    A*       B             C               D              E
-	// /start -> Google -> auth /callback -> /sign_in -> proxy /callback
+	// A*        B             C                 D           E
+	// /start -> IdProvider -> auth /callback -> /sign_in -> proxy /callback
 	//
 	// * you are here
 	proxyRedirectURL, err := url.Parse(authRedirectURL.Query().Get("redirect_uri"))
@@ -485,7 +485,7 @@ func (p *Authenticator) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 
 func (p *Authenticator) redeemCode(host, code string) (*sessions.SessionState, error) {
 	// The authenticator redeems `code` for an access token, and uses the token to request user
-	// info from the provider (Google).
+	// info from the provider.
 
 	redirectURI := p.GetRedirectURI(host)
 	// see providers/google.go#Redeem for more info
@@ -501,7 +501,7 @@ func (p *Authenticator) redeemCode(host, code string) (*sessions.SessionState, e
 }
 
 func (p *Authenticator) getOAuthCallback(rw http.ResponseWriter, req *http.Request) (string, error) {
-	// After the provider (Google) redirects back to the sso proxy, the proxy uses this
+	// After the provider redirects back to the sso proxy, the proxy uses this
 	// endpoint to set up auth cookies.
 	logger := log.NewLogEntry()
 

internal/auth/configuration.go

@@ -182,7 +182,9 @@ type ProviderConfig struct {
 	Scope        string       `mapstructure:"scope"`
 
 	// provider specific
+	AzureProviderConfig  AzureProviderConfig  `mapstructure:"azure"`
 	GoogleProviderConfig GoogleProviderConfig `mapstructure:"google"`
+	OIDCProviderConfig   OIDCProviderConfig   `mapstructure:"oidc"`
 	OktaProviderConfig   OktaProviderConfig   `mapstructure:"okta"`
 
 	// caching
@@ -225,6 +227,22 @@ func (pc ProviderConfig) Validate() error {
 	return nil
 }
 
+type AzureProviderConfig struct {
+	Tenant         string `mapstructure:"tenant"`
+	ApprovalPrompt string `mapstructure:"prompt"`
+}
+
+func (apc AzureProviderConfig) Validate() error {
+	if apc.Tenant == "" {
+		return xerrors.New("must specify tenant ID")
+	}
+
+	if apc.ApprovalPrompt == "" {
+		apc.ApprovalPrompt = "consent"
+	}
+	return nil
+}
+
 type GoogleProviderConfig struct {
 	Credentials    string `mapstructure:"credentials"`
 	Impersonate    string `mapstructure:"impersonate"`
@@ -250,6 +268,18 @@ func (gpc GoogleProviderConfig) Validate() error {
 	return nil
 }
 
+type OIDCProviderConfig struct {
+	DiscoveryURL string `mapstructure:"discovery"`
+}
+
+func (opc OIDCProviderConfig) Validate() error {
+	if opc.DiscoveryURL == "" {
+		return xerrors.New("must specify discovery URL")
+	}
+
+	return nil
+}
+
 type OktaProviderConfig struct {
 	ServerID string `mapstructure:"server"`
 	OrgURL   string `mapstructure:"url"`

internal/auth/options.go

@@ -25,7 +25,15 @@ func newProvider(pc ProviderConfig, sc SessionConfig) (providers.Provider, error
 
 	var singleFlightProvider providers.Provider
 	switch pc.ProviderType {
-	case providers.GoogleProviderName: // Google
+	case providers.AzureProviderName:
+		apc := pc.AzureProviderConfig
+		azureProvider, err := providers.NewAzureV2Provider(p)
+		if err != nil {
+			return nil, err
+		}
+		azureProvider.Configure(apc.Tenant)
+		singleFlightProvider = providers.NewSingleFlightProvider(azureProvider)
+	case providers.GoogleProviderName:
 		gpc := pc.GoogleProviderConfig
 		googleProvider, err := providers.NewGoogleProvider(p,
 			gpc.ApprovalPrompt,
@@ -41,6 +49,13 @@ func newProvider(pc ProviderConfig, sc SessionConfig) (providers.Provider, error
 		googleProvider.GroupsCache = cache
 
 		singleFlightProvider = providers.NewSingleFlightProvider(googleProvider)
+	case providers.OIDCProviderName:
+		opc := pc.OIDCProviderConfig
+		oidcProvider, err := providers.NewOIDCProvider(p, opc.DiscoveryURL)
+		if err != nil {
+			return nil, err
+		}
+		singleFlightProvider = providers.NewSingleFlightProvider(oidcProvider)
 	case providers.OktaProviderName:
 		opc := pc.OktaProviderConfig
 		oktaProvider, err := providers.NewOktaProvider(p, opc.OrgURL, opc.ServerID)