oidc: implement redirects

lovasoa · lovasoa · commit d5fd55446261 · 2025-04-26T03:18:47.000+02:00
- Add `host` configuration option for specifying the application's web address in configuration.md and app_config.rs.
- Update docker-compose.yaml to include SQLPAGE_HOST and SQLPAGE_OIDC_ISSUER_URL environment variables.
- Enhance OIDC middleware to utilize the new `host` setting for redirect URLs and improve cookie handling in oidc.rs.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/configuration.md b/configuration.md
@@ -13,6 +13,7 @@ Here are the available configuration options and their default values:
 | `database_password`                            |         | Database password. If set, this will override any password specified in the `database_url`. This allows you to keep the password separate from the connection string for better security. |
 | `port`                                        | 8080                                                        | Like listen_on, but specifies only the port.                                                                                                                                                                                                           |
 | `unix_socket`                                 |                                                             | Path to a UNIX socket to listen on instead of the TCP port. If specified, SQLPage will accept HTTP connections only on this socket and not on any TCP port. This option is mutually exclusive with `listen_on` and `port`.
+| `host`                                        |                                                             | The web address where your application is accessible (e.g., "myapp.example.com"). Used for login redirects with OIDC. |
 | `max_database_pool_connections`               | PostgreSQL: 50<BR>  MySql: 75<BR> SQLite: 16<BR> MSSQL: 100 | How many simultaneous database connections to open at most                                                                                                                                                                                             |
 | `database_connection_idle_timeout_seconds`    | SQLite: None<BR> All other: 30 minutes                      | Automatically close database connections after this period of inactivity                                                                                                                                                                               |
 | `database_connection_max_lifetime_seconds`    | SQLite: None<BR> All other: 60 minutes                      | Always close database connections after this amount of time                                                                                                                                                                                            |
@@ -95,6 +96,23 @@ To set up OIDC, you'll need to:
 1. Register your application with an OIDC provider
 2. Configure the provider's details in SQLPage
 
+#### Setting Your Application's Address
+
+When users log in through an OIDC provider, they need to be sent back to your application afterward. For this to work correctly, you need to tell SQLPage where your application is located online:
+
+- Use the `host` setting to specify your application's web address (for example, "myapp.example.com")
+- If you already have the `https_domain` setting set (to fetch https certificates for your site), then you don't need to duplicate it into `host`.
+
+Example configuration:
+```json
+{
+  "oidc_issuer_url": "https://accounts.google.com",
+  "oidc_client_id": "your-client-id",
+  "oidc_client_secret": "your-client-secret",
+  "host": "myapp.example.com"
+}
+```
+
 #### Cloud Identity Providers
 
 - **Google**
diff --git a/examples/single sign on/docker-compose.yaml b/examples/single sign on/docker-compose.yaml
@@ -14,6 +14,8 @@ services:
       - ./sqlpage:/etc/sqlpage
     environment:
       # OIDC configuration
+      - SQLPAGE_HOST=localhost:8080
+      - SQLPAGE_OIDC_ISSUER_URL=http://localhost:8181/realms/sqlpage_demo
       - OIDC_AUTHORIZATION_ENDPOINT=http://localhost:8181/realms/sqlpage_demo/protocol/openid-connect/auth
       - OIDC_TOKEN_ENDPOINT=http://localhost:8181/realms/sqlpage_demo/protocol/openid-connect/token
       - OIDC_USERINFO_ENDPOINT=http://localhost:8181/realms/sqlpage_demo/protocol/openid-connect/userinfo
@@ -28,6 +30,9 @@ services:
       # SQLPage configuration
       - RUST_LOG=sqlpage=debug
     network_mode: host
+    depends_on:
+      keycloak:
+        condition: service_healthy
 
   keycloak:
     build:
@@ -39,3 +44,9 @@ services:
     volumes:
       - ./keycloak-configuration.json:/opt/keycloak/data/import/realm.json
     network_mode: host
+    healthcheck:
+      test: ["CMD-SHELL", "/opt/keycloak/bin/kcadm.sh get realms/sqlpage_demo --server http://localhost:8181 --realm master --user admin --password admin || exit 1"]
+      interval: 10s
+      timeout: 2s
+      retries: 5
+      start_period: 5s
diff --git a/src/app_config.rs b/src/app_config.rs
@@ -222,6 +222,10 @@ pub struct AppConfig {
     /// and will automatically request a certificate from Let's Encrypt
     /// using the ACME protocol (requesting a TLS-ALPN-01 challenge).
     pub https_domain: Option<String>,
+    
+    /// The hostname where your application is publicly accessible (e.g., "myapp.example.com").
+    /// This is used for OIDC redirect URLs. If not set, https_domain will be used instead.
+    pub host: Option<String>,
 
     /// The email address to use when requesting a certificate from Let's Encrypt.
     /// Defaults to `contact@<https_domain>`.
diff --git a/src/webserver/oidc.rs b/src/webserver/oidc.rs
@@ -4,37 +4,55 @@ use crate::{app_config::AppConfig, AppState};
 use actix_web::{
     dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
     middleware::Condition,
-    web, Error,
+    web, Error, HttpResponse,
 };
-use anyhow::anyhow;
+use anyhow::{anyhow, Context};
 use awc::Client;
-use openidconnect::{AsyncHttpClient, IssuerUrl};
+use openidconnect::{
+    core::{CoreAuthDisplay, CoreAuthenticationFlow},
+    AsyncHttpClient, CsrfToken, EmptyAdditionalClaims, EndpointMaybeSet, EndpointNotSet,
+    EndpointSet, IssuerUrl, Nonce, RedirectUrl, Scope,
+};
 
 use super::http_client::make_http_client;
 
+const SQLPAGE_AUTH_COOKIE_NAME: &str = "sqlpage_auth";
+const SQLPAGE_REDIRECT_URI: &str = "/sqlpage/oidc_callback";
+
 #[derive(Clone, Debug)]
 pub struct OidcConfig {
     pub issuer_url: IssuerUrl,
     pub client_id: String,
     pub client_secret: String,
-    pub scopes: String,
+    pub app_host: String,
+    pub scopes: Vec<Scope>,
 }
 
 impl TryFrom<&AppConfig> for OidcConfig {
     type Error = Option<&'static str>;
 
     fn try_from(config: &AppConfig) -> Result<Self, Self::Error> {
         let issuer_url = config.oidc_issuer_url.as_ref().ok_or(None)?;
-        let client_secret = config
-            .oidc_client_secret
+        let client_secret = config.oidc_client_secret.as_ref().ok_or(Some(
+            "The \"oidc_client_secret\" setting is required to authenticate with the OIDC provider",
+        ))?;
+
+        let app_host = config
+            .host
             .as_ref()
-            .ok_or(Some("Missing oidc_client_secret"))?;
+            .or_else(|| config.https_domain.as_ref())
+            .ok_or(Some("The \"host\" or \"https_domain\" setting is required to build the OIDC redirect URL"))?;
 
         Ok(Self {
             issuer_url: issuer_url.clone(),
             client_id: config.oidc_client_id.clone(),
             client_secret: client_secret.clone(),
-            scopes: config.oidc_scopes.clone(),
+            scopes: config
+                .oidc_scopes
+                .split_whitespace()
+                .map(|s| Scope::new(s.to_string()))
+                .collect(),
+            app_host: app_host.clone(),
         })
     }
 }
@@ -80,13 +98,12 @@ async fn discover_provider_metadata(
     Ok(provider_metadata)
 }
 
-impl<S, B> Transform<S, ServiceRequest> for OidcMiddleware
+impl<S> Transform<S, ServiceRequest> for OidcMiddleware
 where
-    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
+    S: Service<ServiceRequest, Response = ServiceResponse<BoxBody>, Error = Error> + 'static,
     S::Future: 'static,
-    B: 'static,
 {
-    type Response = ServiceResponse<B>;
+    type Response = ServiceResponse<BoxBody>;
     type Error = Error;
     type InitError = ();
     type Transform = OidcService<S>;
@@ -115,7 +132,7 @@ pub struct OidcService<S> {
     service: S,
     app_state: web::Data<AppState>,
     config: Arc<OidcConfig>,
-    provider_metadata: openidconnect::core::CoreProviderMetadata,
+    client: OidcClient,
 }
 
 impl<S> OidcService<S> {
@@ -125,40 +142,80 @@ impl<S> OidcService<S> {
         config: Arc<OidcConfig>,
     ) -> anyhow::Result<Self> {
         let issuer_url = config.issuer_url.clone();
+        let provider_metadata = discover_provider_metadata(&app_state.config, issuer_url).await?;
+        let client: OidcClient = make_oidc_client(&config, provider_metadata)?;
         Ok(Self {
             service,
             app_state: web::Data::clone(app_state),
             config,
-            provider_metadata: discover_provider_metadata(&app_state.config, issuer_url).await?,
+            client,
         })
     }
+
+    fn build_auth_url(&self, request: &ServiceRequest) -> String {
+        let (auth_url, csrf_token, nonce) = self
+            .client
+            .authorize_url(
+                CoreAuthenticationFlow::AuthorizationCode,
+                CsrfToken::new_random,
+                Nonce::new_random,
+            )
+            // Set the desired scopes.
+            .add_scopes(self.config.scopes.iter().cloned())
+            .url();
+        auth_url.to_string()
+    }
 }
 
 type LocalBoxFuture<T> = Pin<Box<dyn Future<Output = T> + 'static>>;
+use actix_web::body::BoxBody;
 
-impl<S, B> Service<ServiceRequest> for OidcService<S>
+impl<S> Service<ServiceRequest> for OidcService<S>
 where
-    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
+    S: Service<ServiceRequest, Response = ServiceResponse<BoxBody>, Error = Error>,
     S::Future: 'static,
-    B: 'static,
 {
-    type Response = ServiceResponse<B>;
+    type Response = ServiceResponse<BoxBody>;
     type Error = Error;
     type Future = LocalBoxFuture<Result<Self::Response, Self::Error>>;
 
     forward_ready!(service);
 
     fn call(&self, request: ServiceRequest) -> Self::Future {
         log::debug!("Started OIDC middleware with config: {:?}", self.config);
-        let future = self.service.call(request);
+        match get_sqlpage_auth_cookie(&request) {
+            Some(cookie) => {
+                log::trace!("Found SQLPage auth cookie: {cookie}");
+            }
+            None => {
+                log::trace!("No SQLPage auth cookie found, redirecting to login");
+                let auth_url = self.build_auth_url(&request);
 
+                return Box::pin(async move {
+                    Ok(request.into_response(build_redirect_response(auth_url)))
+                });
+            }
+        }
+        let future = self.service.call(request);
         Box::pin(async move {
             let response = future.await?;
             Ok(response)
         })
     }
 }
 
+fn build_redirect_response(auth_url: String) -> HttpResponse {
+    HttpResponse::TemporaryRedirect()
+        .append_header(("Location", auth_url))
+        .body("Redirecting to the login page.")
+}
+
+fn get_sqlpage_auth_cookie(request: &ServiceRequest) -> Option<String> {
+    let cookie = request.cookie(SQLPAGE_AUTH_COOKIE_NAME)?;
+    log::error!("TODO: actually check the validity of the cookie");
+    Some(cookie.value().to_string())
+}
+
 pub struct AwcHttpClient {
     client: Client,
 }
@@ -226,5 +283,43 @@ impl std::fmt::Display for StringError {
         std::fmt::Display::fmt(&self.0, f)
     }
 }
-
+type OidcClient = openidconnect::core::CoreClient<
+    EndpointSet,
+    EndpointNotSet,
+    EndpointNotSet,
+    EndpointNotSet,
+    EndpointMaybeSet,
+    EndpointMaybeSet,
+>;
 impl std::error::Error for StringError {}
+
+fn make_oidc_client(
+    config: &Arc<OidcConfig>,
+    provider_metadata: openidconnect::core::CoreProviderMetadata,
+) -> anyhow::Result<OidcClient> {
+    let client_id = openidconnect::ClientId::new(config.client_id.clone());
+    let client_secret = openidconnect::ClientSecret::new(config.client_secret.clone());
+
+    let local_hosts = ["localhost", "127.0.0.1", "::1"];
+    let is_localhost = local_hosts.iter().any(|host| {
+        config.app_host.starts_with(host)
+            && config
+                .app_host
+                .get(host.len()..(host.len() + 1))
+                .is_none_or(|c| c == ":")
+    });
+    let redirect_url = RedirectUrl::new(format!(
+        "{}://{}{}",
+        if is_localhost { "http" } else { "https" },
+        config.app_host,
+        SQLPAGE_REDIRECT_URI,
+    ))?;
+    let client = openidconnect::core::CoreClient::from_provider_metadata(
+        provider_metadata,
+        client_id,
+        Some(client_secret),
+    )
+    .set_redirect_uri(redirect_url);
+
+    Ok(client)
+}
