Add patch for buggy OIDC providers

guimard · Jan 8, 2025 · e075009 · e075009
1 parent fe2fca4
commit e075009
Show file tree

Hide file tree

Showing 10 changed files with 747 additions and 0 deletions.
diff --git a/Changes.md b/Changes.md
@@ -4,6 +4,7 @@
 * Add "Last-Modified" header for OIDC metadata
 * Add hook to modify refresh\_token
 * Fix offline sessions count
+* Add patch for buggy OIDC providers
 
 ## v2.20.1-1 _(2024-11-19)_
 * Update to 2.20.1

diff --git a/full/Dockerfile b/full/Dockerfile
@@ -27,6 +27,7 @@ RUN \
     echo patch globalLogout.patch && patch -p1 < globalLogout.patch && \
     echo patch metadata-ttl.patch && patch -p1 < metadata-ttl.patch && \
     echo patch fix-sessions-count.patch && patch -p1 <fix-sessions-count.patch && \
+    echo patch oidc-op-claims.patch && patch -p1 <oidc-op-claims.patch && \
     rm -f *.patch && \
     LLNG_DEFAULTCONFFILE=/etc/lemonldap-ng/lemonldap-ng.ini \
     perl -MLemonldap::NG::Manager::Build -e 'Lemonldap::NG::Manager::Build->run( \

diff --git a/full/oidc-op-claims.patch b/full/oidc-op-claims.patch
diff --git a/manager/Dockerfile b/manager/Dockerfile
@@ -34,6 +34,7 @@ RUN \
     echo patch globalLogout.patch && patch -p1 < globalLogout.patch && \
     echo patch metadata-ttl.patch && patch -p1 < metadata-ttl.patch && \
     echo patch fix-sessions-count.patch && patch -p1 <fix-sessions-count.patch && \
+    echo patch oidc-op-claims.patch && patch -p1 <oidc-op-claims.patch && \
     rm -f *.patch && \
     LLNG_DEFAULTCONFFILE=/etc/lemonldap-ng/lemonldap-ng.ini \
     perl -MLemonldap::NG::Manager::Build -e 'Lemonldap::NG::Manager::Build->run( \

diff --git a/manager/oidc-op-claims.patch b/manager/oidc-op-claims.patch
diff --git a/portal/Dockerfile b/portal/Dockerfile
@@ -38,6 +38,7 @@ RUN for p in appgrid.patch jwt-type.patch app-scope.patch ignorepollers.patch \
     fixedLogout.patch more-logs.patch \
     matrix-token.patch redirect-ajax.patch \
     metadata-ttl.patch getreftoken.patch \
+    oidc-op-claims.patch \
     ; do echo patch $p && patch -p1 < $p; done && \
     rm -f /*.patch && \
     echo "# Install nginx configuration files" && \

diff --git a/portal/oidc-op-claims.patch b/portal/oidc-op-claims.patch
@@ -0,0 +1,31 @@
+--- a/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
++++ b/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
+@@ -42,7 +42,27 @@ sub getUser {
+         return PE_ERROR;
+     }
+
+-    my $userinfo_content = $self->getUserInfo( $op, $access_token );
++    my $userinfo_content;
++    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsIDTokenForceClaims} ) {
++        my ( undef, $tmp, undef ) = split /\./, $req->data->{id_token};
++        $userinfo_content =
++          eval { JSON::from_fson( MIME::Base64::decode_base64url($tmp) ) };
++        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    }
++    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsAccessTokenClaims} ) {
++        my ( undef, $tmp, undef ) = split /\./, $req->data->{access_token};
++        eval {
++            $tmp = JSON::from_fson( MIME::Base64::decode_base64url($tmp) );
++            $userinfo_content =
++              $userinfo_content
++              ? { %{ $userinfo_content || {} }, %{ $tmp || {} } }
++              : $tmp;
++        };
++        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    }
++    unless ($userinfo_content) {
++        $userinfo_content = $self->getUserInfo( $op, $access_token );
++    }
+
+     unless ($userinfo_content) {
+         $self->logger->warn("No User Info content");
diff --git a/tmp/Dockerfile b/tmp/Dockerfile
@@ -0,0 +1,52 @@
+ARG DEBIANVERSION=bookworm
+
+FROM debian:${DEBIANVERSION}-slim as debian-backports-updated
+
+ENV DEBIAN_VERSION=bookworm
+
+RUN echo "# Install packages from ${DEBIAN_VERSION}" && \
+    apt-get -y update && \
+    apt-get -y install xz-utils && \
+    apt-get -y upgrade
+
+FROM debian-backports-updated as debian-with-lemon
+
+RUN apt-get -y --no-install-recommends install procps cron \
+    liblemonldap-ng-common-perl \
+    liblemonldap-ng-handler-perl \
+        lemonldap-ng-uwsgi-app \
+        liblemonldap-ng-portal-perl \
+	liblemonldap-ng-manager-perl \
+	apache2-utils \
+    libapache-session-browseable-perl libapache-session-ldap-perl \
+    libapache-session-mongodb-perl libapache-session-sqlite3-perl \
+    libapache-session-wrapper-perl \
+    libdbi-perl libdbd-pg-perl libnet-cidr-perl \
+    libhttp-parser-xs-perl liblwp-protocol-https-perl libstring-random-perl \
+    libconvert-base32-perl libnet-ldap-perl libxml-libxml-perl libxml-simple-perl \
+    libredis-perl libyaml-perl libencode-perl patch \
+        gsfonts patch libconvert-pem-perl \
+        libcrypt-u2f-server-perl libgeoip2-perl \
+        libglib-perl libgssapi-perl libhttp-browserdetect-perl \
+        libimage-magick-perl liblasso-perl libnet-facebook-oauth2-perl \
+        libnet-openid-consumer-perl libnet-openid-server-perl \
+        libnet-oauth-perl libsoap-lite-perl fonts-urw-base35 \
+        libauthen-webauthn-perl libcrypt-openssl-bignum-perl \
+        libconvert-base32-perl libio-string-perl libipc-run-perl \
+        libgd-securityimage-perl libmime-tools-perl libnet-ldap-perl \
+        libio-socket-timeout-perl libunicode-string-perl liblasso-perl \
+        libio-string-perl libemail-sender-perl libregexp-common-perl \
+        libcrypt-jwt-perl libdigest-hmac-perl libdata-password-zxcvbn-perl \
+        libhttp-browserdetect-perl libnet-dns-perl \
+        uwsgi uwsgi-plugin-psgi nginx libnginx-mod-http-lua
+
+RUN (echo ""; echo "daemon off;") >> /etc/nginx/nginx.conf && \
+    perl -i -pe 's#access_log .*;#access_log /dev/stdout;#; s#error_log .*;#error_log /dev/stdout info;#' /etc/nginx/nginx.conf
+
+COPY start /
+
+COPY install /
+
+CMD ["/usr/sbin/nginx"]
+
+ENTRYPOINT ["./start"]
diff --git a/uwsgi-portal/Dockerfile b/uwsgi-portal/Dockerfile
@@ -36,6 +36,7 @@ RUN for p in appgrid.patch jwt-type.patch app-scope.patch ignorepollers.patch \
     fixedLogout.patch more-logs.patch \
     matrix-token.patch redirect-ajax.patch \
     metadata-ttl.patch getreftoken.patch \
+    oidc-op-claims.patch \
     ; do echo patch $p && patch -p1 < $p; done && \
     rm -f /*.patch && \
     echo "# Install nginx configuration files" && \

diff --git a/uwsgi-portal/oidc-op-claims.patch b/uwsgi-portal/oidc-op-claims.patch
@@ -0,0 +1,31 @@
+--- a/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
++++ b/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
+@@ -42,7 +42,27 @@ sub getUser {
+         return PE_ERROR;
+     }
+
+-    my $userinfo_content = $self->getUserInfo( $op, $access_token );
++    my $userinfo_content;
++    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsIDTokenForceClaims} ) {
++        my ( undef, $tmp, undef ) = split /\./, $req->data->{id_token};
++        $userinfo_content =
++          eval { JSON::from_fson( MIME::Base64::decode_base64url($tmp) ) };
++        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    }
++    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsAccessTokenClaims} ) {
++        my ( undef, $tmp, undef ) = split /\./, $req->data->{access_token};
++        eval {
++            $tmp = JSON::from_fson( MIME::Base64::decode_base64url($tmp) );
++            $userinfo_content =
++              $userinfo_content
++              ? { %{ $userinfo_content || {} }, %{ $tmp || {} } }
++              : $tmp;
++        };
++        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    }
++    unless ($userinfo_content) {
++        $userinfo_content = $self->getUserInfo( $op, $access_token );
++    }
+
+     unless ($userinfo_content) {
+         $self->logger->warn("No User Info content");