Merge e2b34fff62ba7c2e642b07e5d00d7525aaab1f03 into 2855ac71e3fc3fb2859f4c75f97f97e99f131f1b

pkg/auth/auth.go

@@ -50,8 +50,7 @@ func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {
 	case v1.AuthMethodToken:
 		authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		tokenVerifier := NewTokenVerifier(cfg.OIDC)
+		authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC)
-		authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, tokenVerifier)
 	}
 	return authVerifier
 }

pkg/auth/oidc.go

@@ -87,18 +87,14 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e
 	return err
 }
 
-type TokenVerifier interface {
-	Verify(context.Context, string) (*oidc.IDToken, error)
-}
-
 type OidcAuthConsumer struct {
 	additionalAuthScopes []v1.AuthScope
 
-	verifier          TokenVerifier
+	verifier         *oidc.IDTokenVerifier
-	subjectsFromLogin []string
+	subjectFromLogin string
 }
 
-func NewTokenVerifier(cfg v1.AuthOIDCServerConfig) TokenVerifier {
+func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCServerConfig) *OidcAuthConsumer {
 	provider, err := oidc.NewProvider(context.Background(), cfg.Issuer)
 	if err != nil {
 		panic(err)
@@ -109,14 +105,9 @@ func NewTokenVerifier(cfg v1.AuthOIDCServerConfig) TokenVerifier {
 		SkipExpiryCheck:   cfg.SkipExpiryCheck,
 		SkipIssuerCheck:   cfg.SkipIssuerCheck,
 	}
-	return provider.Verifier(&verifierConf)
-}
-
-func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVerifier) *OidcAuthConsumer {
 	return &OidcAuthConsumer{
 		additionalAuthScopes: additionalAuthScopes,
-		verifier:             verifier,
+		verifier:             provider.Verifier(&verifierConf),
-		subjectsFromLogin:    []string{},
 	}
 }
 
@@ -125,9 +116,7 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in login: %v", err)
 	}
-	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
+	auth.subjectFromLogin = token.Subject
-		auth.subjectsFromLogin = append(auth.subjectsFromLogin, token.Subject)
-	}
 	return nil
 }
 
@@ -136,11 +125,11 @@ func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err err
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in ping: %v", err)
 	}
-	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
+	if token.Subject != auth.subjectFromLogin {
 		return fmt.Errorf("received different OIDC subject in login and ping. "+
-			"original subjects: %s, "+
+			"original subject: %s, "+
 			"new subject: %s",
-			auth.subjectsFromLogin, token.Subject)
+			auth.subjectFromLogin, token.Subject)
 	}
 	return nil
 }

pkg/auth/oidc_test.go

@@ -1,64 +0,0 @@
-package auth_test
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/stretchr/testify/require"
-
-	"github.com/fatedier/frp/pkg/auth"
-	v1 "github.com/fatedier/frp/pkg/config/v1"
-	"github.com/fatedier/frp/pkg/msg"
-)
-
-type mockTokenVerifier struct{}
-
-func (m *mockTokenVerifier) Verify(ctx context.Context, subject string) (*oidc.IDToken, error) {
-	return &oidc.IDToken{
-		Subject: subject,
-	}, nil
-}
-
-func TestPingWithEmptySubjectFromLoginFails(t *testing.T) {
-	r := require.New(t)
-	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
-	err := consumer.VerifyPing(&msg.Ping{
-		PrivilegeKey: "ping-without-login",
-		Timestamp:    time.Now().UnixMilli(),
-	})
-	r.Error(err)
-	r.Contains(err.Error(), "received different OIDC subject in login and ping")
-}
-
-func TestPingAfterLoginWithNewSubjectSucceeds(t *testing.T) {
-	r := require.New(t)
-	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
-	err := consumer.VerifyLogin(&msg.Login{
-		PrivilegeKey: "ping-after-login",
-	})
-	r.NoError(err)
-
-	err = consumer.VerifyPing(&msg.Ping{
-		PrivilegeKey: "ping-after-login",
-		Timestamp:    time.Now().UnixMilli(),
-	})
-	r.NoError(err)
-}
-
-func TestPingAfterLoginWithDifferentSubjectFails(t *testing.T) {
-	r := require.New(t)
-	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
-	err := consumer.VerifyLogin(&msg.Login{
-		PrivilegeKey: "login-with-first-subject",
-	})
-	r.NoError(err)
-
-	err = consumer.VerifyPing(&msg.Ping{
-		PrivilegeKey: "ping-with-different-subject",
-		Timestamp:    time.Now().UnixMilli(),
-	})
-	r.Error(err)
-	r.Contains(err.Error(), "received different OIDC subject in login and ping")
-}