auth/oidc: fix eager token fetch at startup, add validation and e2e tests (#5234)

2026-03-20 16:59:18 +08:00 · 2026-03-15 22:29:45 +08:00
parent 94a631fe9c
commit ff4ad2f907
12 changed files with 885 additions and 35 deletions
--- a/test/e2e/mock/server/oidcserver/oidcserver.go
+++ b/test/e2e/mock/server/oidcserver/oidcserver.go
@@ -0,0 +1,258 @@
+// Copyright 2026 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package oidcserver provides a minimal mock OIDC server for e2e testing.
+// It implements three endpoints:
+//   - /.well-known/openid-configuration (discovery)
+//   - /jwks (JSON Web Key Set)
+//   - /token (client_credentials grant)
+package oidcserver
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"net"
+	"net/http"
+	"strconv"
+	"sync/atomic"
+	"time"
+)
+
+type Server struct {
+	bindAddr string
+	bindPort int
+	l        net.Listener
+	hs       *http.Server
+
+	privateKey *rsa.PrivateKey
+	kid        string
+
+	clientID     string
+	clientSecret string
+	audience     string
+	subject      string
+	expiresIn    int // seconds; 0 means omit expires_in from token response
+
+	tokenRequestCount atomic.Int64
+}
+
+type Option func(*Server)
+
+func WithBindPort(port int) Option {
+	return func(s *Server) { s.bindPort = port }
+}
+
+func WithClientCredentials(id, secret string) Option {
+	return func(s *Server) {
+		s.clientID = id
+		s.clientSecret = secret
+	}
+}
+
+func WithAudience(aud string) Option {
+	return func(s *Server) { s.audience = aud }
+}
+
+func WithSubject(sub string) Option {
+	return func(s *Server) { s.subject = sub }
+}
+
+func WithExpiresIn(seconds int) Option {
+	return func(s *Server) { s.expiresIn = seconds }
+}
+
+func New(options ...Option) *Server {
+	s := &Server{
+		bindAddr:     "127.0.0.1",
+		kid:          "test-key-1",
+		clientID:     "test-client",
+		clientSecret: "test-secret",
+		audience:     "frps",
+		subject:      "test-service",
+		expiresIn:    3600,
+	}
+	for _, opt := range options {
+		opt(s)
+	}
+	return s
+}
+
+func (s *Server) Run() error {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return fmt.Errorf("generate RSA key: %w", err)
+	}
+	s.privateKey = key
+
+	s.l, err = net.Listen("tcp", net.JoinHostPort(s.bindAddr, strconv.Itoa(s.bindPort)))
+	if err != nil {
+		return err
+	}
+	s.bindPort = s.l.Addr().(*net.TCPAddr).Port
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/.well-known/openid-configuration", s.handleDiscovery)
+	mux.HandleFunc("/jwks", s.handleJWKS)
+	mux.HandleFunc("/token", s.handleToken)
+
+	s.hs = &http.Server{
+		Handler:           mux,
+		ReadHeaderTimeout: time.Minute,
+	}
+	go func() { _ = s.hs.Serve(s.l) }()
+	return nil
+}
+
+func (s *Server) Close() error {
+	if s.hs != nil {
+		return s.hs.Close()
+	}
+	return nil
+}
+
+func (s *Server) BindAddr() string { return s.bindAddr }
+func (s *Server) BindPort() int    { return s.bindPort }
+
+func (s *Server) Issuer() string {
+	return fmt.Sprintf("http://%s:%d", s.bindAddr, s.bindPort)
+}
+
+func (s *Server) TokenEndpoint() string {
+	return s.Issuer() + "/token"
+}
+
+// TokenRequestCount returns the number of successful token requests served.
+func (s *Server) TokenRequestCount() int64 {
+	return s.tokenRequestCount.Load()
+}
+
+func (s *Server) handleDiscovery(w http.ResponseWriter, _ *http.Request) {
+	issuer := s.Issuer()
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"issuer":                                issuer,
+		"token_endpoint":                        issuer + "/token",
+		"jwks_uri":                              issuer + "/jwks",
+		"response_types_supported":              []string{"code"},
+		"subject_types_supported":               []string{"public"},
+		"id_token_signing_alg_values_supported": []string{"RS256"},
+	})
+}
+
+func (s *Server) handleJWKS(w http.ResponseWriter, _ *http.Request) {
+	pub := &s.privateKey.PublicKey
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"keys": []map[string]any{
+			{
+				"kty": "RSA",
+				"alg": "RS256",
+				"use": "sig",
+				"kid": s.kid,
+				"n":   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
+				"e":   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
+			},
+		},
+	})
+}
+
+func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	if err := r.ParseForm(); err != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"error": "invalid_request",
+		})
+		return
+	}
+
+	if r.FormValue("grant_type") != "client_credentials" {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"error": "unsupported_grant_type",
+		})
+		return
+	}
+
+	// Accept credentials from Basic Auth or form body.
+	clientID, clientSecret, ok := r.BasicAuth()
+	if !ok {
+		clientID = r.FormValue("client_id")
+		clientSecret = r.FormValue("client_secret")
+	}
+	if clientID != s.clientID || clientSecret != s.clientSecret {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusUnauthorized)
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"error": "invalid_client",
+		})
+		return
+	}
+
+	token, err := s.signJWT()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	resp := map[string]any{
+		"access_token": token,
+		"token_type":   "Bearer",
+	}
+	if s.expiresIn > 0 {
+		resp["expires_in"] = s.expiresIn
+	}
+
+	s.tokenRequestCount.Add(1)
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+func (s *Server) signJWT() (string, error) {
+	now := time.Now()
+	header, _ := json.Marshal(map[string]string{
+		"alg": "RS256",
+		"kid": s.kid,
+		"typ": "JWT",
+	})
+	claims, _ := json.Marshal(map[string]any{
+		"iss": s.Issuer(),
+		"sub": s.subject,
+		"aud": s.audience,
+		"iat": now.Unix(),
+		"exp": now.Add(1 * time.Hour).Unix(),
+	})
+
+	headerB64 := base64.RawURLEncoding.EncodeToString(header)
+	claimsB64 := base64.RawURLEncoding.EncodeToString(claims)
+	signingInput := headerB64 + "." + claimsB64
+
+	h := sha256.Sum256([]byte(signingInput))
+	sig, err := rsa.SignPKCS1v15(rand.Reader, s.privateKey, crypto.SHA256, h[:])
+	if err != nil {
+		return "", err
+	}
+	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
+}
--- a/test/e2e/v1/basic/oidc.go
+++ b/test/e2e/v1/basic/oidc.go
@@ -0,0 +1,192 @@
+// Copyright 2026 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package basic
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/onsi/ginkgo/v2"
+
+	"github.com/fatedier/frp/test/e2e/framework"
+	"github.com/fatedier/frp/test/e2e/framework/consts"
+	"github.com/fatedier/frp/test/e2e/mock/server/oidcserver"
+	"github.com/fatedier/frp/test/e2e/pkg/port"
+)
+
+var _ = ginkgo.Describe("[Feature: OIDC]", func() {
+	f := framework.NewDefaultFramework()
+
+	ginkgo.It("should work with OIDC authentication", func() {
+		oidcSrv := oidcserver.New(oidcserver.WithBindPort(f.AllocPort()))
+		f.RunServer("", oidcSrv)
+
+		portName := port.GenName("TCP")
+
+		serverConf := consts.DefaultServerConfig + fmt.Sprintf(`
+auth.method = "oidc"
+auth.oidc.issuer = "%s"
+auth.oidc.audience = "frps"
+`, oidcSrv.Issuer())
+
+		clientConf := consts.DefaultClientConfig + fmt.Sprintf(`
+auth.method = "oidc"
+auth.oidc.clientID = "test-client"
+auth.oidc.clientSecret = "test-secret"
+auth.oidc.tokenEndpointURL = "%s"
+
+[[proxies]]
+name = "tcp"
+type = "tcp"
+localPort = {{ .%s }}
+remotePort = {{ .%s }}
+`, oidcSrv.TokenEndpoint(), framework.TCPEchoServerPort, portName)
+
+		f.RunProcesses(serverConf, []string{clientConf})
+		framework.NewRequestExpect(f).PortName(portName).Ensure()
+	})
+
+	ginkgo.It("should authenticate heartbeats with OIDC", func() {
+		oidcSrv := oidcserver.New(oidcserver.WithBindPort(f.AllocPort()))
+		f.RunServer("", oidcSrv)
+
+		serverPort := f.AllocPort()
+		remotePort := f.AllocPort()
+
+		serverConf := fmt.Sprintf(`
+bindAddr = "0.0.0.0"
+bindPort = %d
+log.level = "trace"
+auth.method = "oidc"
+auth.additionalScopes = ["HeartBeats"]
+auth.oidc.issuer = "%s"
+auth.oidc.audience = "frps"
+`, serverPort, oidcSrv.Issuer())
+
+		clientConf := fmt.Sprintf(`
+serverAddr = "127.0.0.1"
+serverPort = %d
+loginFailExit = false
+log.level = "trace"
+auth.method = "oidc"
+auth.additionalScopes = ["HeartBeats"]
+auth.oidc.clientID = "test-client"
+auth.oidc.clientSecret = "test-secret"
+auth.oidc.tokenEndpointURL = "%s"
+transport.heartbeatInterval = 1
+
+[[proxies]]
+name = "tcp"
+type = "tcp"
+localPort = %d
+remotePort = %d
+`, serverPort, oidcSrv.TokenEndpoint(), f.PortByName(framework.TCPEchoServerPort), remotePort)
+
+		serverConfigPath := f.GenerateConfigFile(serverConf)
+		clientConfigPath := f.GenerateConfigFile(clientConf)
+
+		_, _, err := f.RunFrps("-c", serverConfigPath)
+		framework.ExpectNoError(err)
+		clientProcess, _, err := f.RunFrpc("-c", clientConfigPath)
+		framework.ExpectNoError(err)
+
+		// Wait for several authenticated heartbeat cycles instead of a fixed sleep.
+		err = clientProcess.WaitForOutput("send heartbeat to server", 3, 10*time.Second)
+		framework.ExpectNoError(err)
+
+		// Proxy should still work: heartbeat auth has not failed.
+		framework.NewRequestExpect(f).Port(remotePort).Ensure()
+	})
+
+	ginkgo.It("should work when token has no expires_in", func() {
+		oidcSrv := oidcserver.New(
+			oidcserver.WithBindPort(f.AllocPort()),
+			oidcserver.WithExpiresIn(0),
+		)
+		f.RunServer("", oidcSrv)
+
+		portName := port.GenName("TCP")
+
+		serverConf := consts.DefaultServerConfig + fmt.Sprintf(`
+auth.method = "oidc"
+auth.oidc.issuer = "%s"
+auth.oidc.audience = "frps"
+`, oidcSrv.Issuer())
+
+		clientConf := consts.DefaultClientConfig + fmt.Sprintf(`
+auth.method = "oidc"
+auth.additionalScopes = ["HeartBeats"]
+auth.oidc.clientID = "test-client"
+auth.oidc.clientSecret = "test-secret"
+auth.oidc.tokenEndpointURL = "%s"
+transport.heartbeatInterval = 1
+
+[[proxies]]
+name = "tcp"
+type = "tcp"
+localPort = {{ .%s }}
+remotePort = {{ .%s }}
+`, oidcSrv.TokenEndpoint(), framework.TCPEchoServerPort, portName)
+
+		_, clientProcesses := f.RunProcesses(serverConf, []string{clientConf})
+		framework.NewRequestExpect(f).PortName(portName).Ensure()
+
+		countAfterLogin := oidcSrv.TokenRequestCount()
+
+		// Wait for several heartbeat cycles instead of a fixed sleep.
+		// Each heartbeat fetches a fresh token in non-caching mode.
+		err := clientProcesses[0].WaitForOutput("send heartbeat to server", 3, 10*time.Second)
+		framework.ExpectNoError(err)
+
+		framework.NewRequestExpect(f).PortName(portName).Ensure()
+
+		// Each heartbeat should have fetched a new token (non-caching mode).
+		countAfterHeartbeats := oidcSrv.TokenRequestCount()
+		framework.ExpectTrue(
+			countAfterHeartbeats > countAfterLogin,
+			"expected additional token requests for heartbeats, got %d before and %d after",
+			countAfterLogin, countAfterHeartbeats,
+		)
+	})
+
+	ginkgo.It("should reject invalid OIDC credentials", func() {
+		oidcSrv := oidcserver.New(oidcserver.WithBindPort(f.AllocPort()))
+		f.RunServer("", oidcSrv)
+
+		portName := port.GenName("TCP")
+
+		serverConf := consts.DefaultServerConfig + fmt.Sprintf(`
+auth.method = "oidc"
+auth.oidc.issuer = "%s"
+auth.oidc.audience = "frps"
+`, oidcSrv.Issuer())
+
+		clientConf := consts.DefaultClientConfig + fmt.Sprintf(`
+auth.method = "oidc"
+auth.oidc.clientID = "test-client"
+auth.oidc.clientSecret = "wrong-secret"
+auth.oidc.tokenEndpointURL = "%s"
+
+[[proxies]]
+name = "tcp"
+type = "tcp"
+localPort = {{ .%s }}
+remotePort = {{ .%s }}
+`, oidcSrv.TokenEndpoint(), framework.TCPEchoServerPort, portName)
+
+		f.RunProcesses(serverConf, []string{clientConf})
+		framework.NewRequestExpect(f).PortName(portName).ExpectError(true).Ensure()
+	})
+})