Fix #36069: send (updated) OpenID tokens as headers

Author: LEDfan

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>eu.openanalytics</groupId>
     <artifactId>containerproxy</artifactId>
-    <version>1.2.3</version>
+    <version>1.3.0-SNAPSHOT</version>
     <name>ContainerProxy</name>
     <packaging>jar</packaging>
     <inceptionYear>2016</inceptionYear>

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -24,9 +24,12 @@
 import eu.openanalytics.containerproxy.auth.impl.msgraph.MicrosoftGraphGroupFetcher;
 import eu.openanalytics.containerproxy.auth.impl.oidc.AccessTokenDecoder;
 import eu.openanalytics.containerproxy.auth.impl.oidc.OpenIdReAuthorizeFilter;
+import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import eu.openanalytics.containerproxy.util.ContextPathHelper;
+import io.undertow.util.HeaderMap;
+import io.undertow.util.HttpString;
 import net.minidev.json.JSONArray;
 import net.minidev.json.parser.JSONParser;
 import net.minidev.json.parser.ParseException;
@@ -41,6 +44,7 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
@@ -50,9 +54,11 @@
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.StandardClaimAccessor;
@@ -83,11 +89,22 @@ public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
     public static final String NAME = "openid";
 
     private static final String ENV_TOKEN_NAME = "SHINYPROXY_OIDC_ACCESS_TOKEN";
+    private static final String PROP_SEND_ACCESS_TOKEN_HEADER = "proxy.openid.add-access-token-header";
+    private static final String PROP_SEND_REFRESH_TOKEN_HEADER = "proxy.openid.add-refresh-token-header";
+    private static final String PROP_SEND_ID_TOKEN_HEADER = "proxy.openid.add-id-token-header";
+    private static final HttpString HEADER_ACCESS_TOKEN_NAME = new HttpString("X-SP-OpenId-Access-Token");
+    private static final HttpString HEADER_REFRESH_TOKEN_NAME = new HttpString("X-SP-OpenId-Refresh-Token");
+    private static final HttpString HEADER_ID_TOKEN_NAME = new HttpString("X-SP-OpenId-Id-Token");
+
     private static OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
     private static AccessTokenDecoder accessTokenDecoder;
     private static final Logger log = LogManager.getLogger(OpenIDAuthenticationBackend.class);
-    @Inject
-    private Environment environment;
+
+    private static Boolean sendAccessTokenHeader = false;
+    private static Boolean sendRefreshTokenHeader = false;
+    private static Boolean sendIdTokenHeader = false;
+    private static Environment environment;
+
     @Inject
     private ClientRegistrationRepository clientRegistrationRepo;
     @Inject
@@ -180,7 +197,7 @@ public Set<GrantedAuthority> parseClaims(StandardClaimAccessor standardClaimAcce
         return mappedAuthorities;
     }
 
-    private static OAuth2AuthorizedClient refreshClient(String principalName) {
+    public static OAuth2AuthorizedClient refreshClient(String principalName) {
         return oAuth2AuthorizedClientService.loadAuthorizedClient(REG_ID, principalName);
     }
 
@@ -194,6 +211,14 @@ public void setOAuth2AuthorizedClientService(OAuth2AuthorizedClientService oAuth
         OpenIDAuthenticationBackend.oAuth2AuthorizedClientService = oAuth2AuthorizedClientService;
     }
 
+    @Autowired
+    public void setEnvironment(Environment environment) {
+        OpenIDAuthenticationBackend.environment = environment;
+        OpenIDAuthenticationBackend.sendAccessTokenHeader = environment.getProperty(PROP_SEND_ACCESS_TOKEN_HEADER, Boolean.class, false);
+        OpenIDAuthenticationBackend.sendRefreshTokenHeader = environment.getProperty(PROP_SEND_REFRESH_TOKEN_HEADER, Boolean.class, false);
+        OpenIDAuthenticationBackend.sendIdTokenHeader = environment.getProperty(PROP_SEND_ID_TOKEN_HEADER, Boolean.class, false);
+    }
+
     @Override
     public String getName() {
         return NAME;
@@ -350,6 +375,38 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         };
     }
 
+    public static HeaderMap addHeaders(Proxy proxy) {
+        HeaderMap result = new HeaderMap();
+        if (sendAccessTokenHeader || sendRefreshTokenHeader) {
+            OAuth2AuthorizedClient client = refreshClient(proxy.getUserId());
+            if (client != null) {
+                if (sendAccessTokenHeader) {
+                    OAuth2AccessToken accessToken = client.getAccessToken();
+                    if (accessToken != null) {
+                        result.put(HEADER_ACCESS_TOKEN_NAME, accessToken.getTokenValue());
+                    }
+                }
+                if (sendRefreshTokenHeader) {
+                    OAuth2RefreshToken refreshToken = client.getRefreshToken();
+                    if (refreshToken != null) {
+                        result.put(HEADER_REFRESH_TOKEN_NAME, refreshToken.getTokenValue());
+                    }
+                }
+            }
+        }
+        if (sendIdTokenHeader) {
+            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+            if (auth.getPrincipal() instanceof CustomNameOidcUser) {
+                OidcIdToken idToken = ((CustomNameOidcUser) auth.getPrincipal()).getIdToken();
+                if (idToken != null) {
+                    result.put(HEADER_ID_TOKEN_NAME, idToken.getTokenValue());
+                }
+            }
+        }
+
+        return result;
+    }
+
     public static class CustomNameOidcUser extends DefaultOidcUser {
 
         private static final long serialVersionUID = 7563253562760236634L;

src/main/java/eu/openanalytics/containerproxy/model/runtime/runtimevalues/HttpHeaders.java

@@ -22,12 +22,13 @@
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonValue;
+import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
+import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import io.undertow.util.HeaderMap;
 import io.undertow.util.HttpString;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.nio.charset.CharsetEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
@@ -53,7 +54,8 @@ public HttpHeaders(Map<String, String> headers) {
         this.headers = filteredHeaders;
     }
 
-    public HeaderMap getUndertowHeaderMap() {
+    public HeaderMap getUndertowHeaderMap(Proxy proxy) {
+        undertowHeaderMap.putAll(OpenIDAuthenticationBackend.addHeaders(proxy));
         return undertowHeaderMap;
     }
 

src/main/java/eu/openanalytics/containerproxy/util/ProxyMappingManager.java

@@ -258,7 +258,7 @@ public void dispatchAsync(Proxy proxy, String mapping, HttpServletRequest reques
 
         // add headers
         HttpHeaders headers = proxy.getRuntimeObject(HttpHeadersKey.inst);
-        exchange.getRequestHeaders().putAll(headers.getUndertowHeaderMap());
+        exchange.getRequestHeaders().putAll(headers.getUndertowHeaderMap(proxy));
 
         exchange.addResponseWrapper((f, exchange1) -> {
             proxyCacheHeadersService.addAppCacheHeaders(proxy, exchange1);