github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #4659] [Feature Request] OIDC support for raw tokens and claim verification #3681

New issue
Closed
opened 2026-05-05 14:21:40 -06:00 by gitea-mirror · 6 comments
gitea-mirror commented 2026-05-05 14:21:40 -06:00
Owner
Copy link

Originally created by @foresturquhart on GitHub (Feb 6, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/4659

Originally assigned to: @blizard863 on GitHub.

Describe the feature request

On the client, I propose adding a rawToken field to the AuthOIDCClientConfig struct. The generateAccessToken function in pkg/auth/oidc.go would be modified to use this rawToken if provided, bypassing the client credentials flow.

On the server, I propose adding an allowedClaims field to the AuthOIDCServerConfig struct. The VerifyLogin function in pkg/auth/oidc.go would be modified to decode the JWT payload, extract any claims, and compare them against the allowed claims before performing signature verification.

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @foresturquhart on GitHub (Feb 6, 2025). Original GitHub issue: https://github.com/fatedier/frp/issues/4659 Originally assigned to: @blizard863 on GitHub. ### Describe the feature request On the client, I propose adding a `rawToken` field to the `AuthOIDCClientConfig` struct. The `generateAccessToken` function in `pkg/auth/oidc.go` would be modified to use this `rawToken` if provided, bypassing the client credentials flow. On the server, I propose adding an `allowedClaims` field to the `AuthOIDCServerConfig` struct. The `VerifyLogin` function in `pkg/auth/oidc.go` would be modified to decode the JWT payload, extract any claims, and compare them against the allowed claims before performing signature verification. ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror 2026-05-05 14:21:40 -06:00
  • closed this issue
  • added the
    proposal
         label
gitea-mirror commented 2026-05-05 14:21:44 -06:00
Author
Owner
Copy link

@blizard863 commented on GitHub (Feb 7, 2025):

I don't think that's the standard for oidc, looks like it's unique to Google ?
I didn't find the definition in the RFC document for oidc.

@foresturquhart

<!-- gh-comment-id:2642552964 --> @blizard863 commented on GitHub (Feb 7, 2025): I don't think that's the standard for oidc, looks like it's unique to Google ? I didn't find the definition in the RFC document for oidc. @foresturquhart
gitea-mirror commented 2026-05-05 14:21:44 -06:00
Author
Owner
Copy link

@foresturquhart commented on GitHub (Feb 7, 2025):

I didn't consider that originally, but yes, it does seem to be unique to Google. If I'd realised it was Google-specific I'd have made that clearer in the proposal.

My goal is to enable users to restrict access based on Google Workspace membership, and the hd claim is the most direct and reliable way to do that when Google is the OIDC provider. I can see the problem, though, with introducing a Google-specific check.

Maybe instead it could have a configuration option of allowedClaims, which could work like auth.oidc.allowedClaims = { "hd" = "workspace-domain.com" }? That would allow it to filter based on other types of claim, making it a bit more generic?

<!-- gh-comment-id:2642600184 --> @foresturquhart commented on GitHub (Feb 7, 2025): I didn't consider that originally, but yes, it does seem to be unique to Google. If I'd realised it was Google-specific I'd have made that clearer in the proposal. My goal is to enable users to restrict access based on Google Workspace membership, and the `hd` claim is the most direct and reliable way to do that when Google is the OIDC provider. I can see the problem, though, with introducing a Google-specific check. Maybe instead it could have a configuration option of `allowedClaims`, which could work like `auth.oidc.allowedClaims = { "hd" = "workspace-domain.com" }`? That would allow it to filter based on other types of claim, making it a bit more generic?
gitea-mirror commented 2026-05-05 14:21:46 -06:00
Author
Owner
Copy link

@foresturquhart commented on GitHub (Feb 7, 2025):

@blizard863 I've amended my feature request, and also made the corresponding change to my PR.

<!-- gh-comment-id:2642632425 --> @foresturquhart commented on GitHub (Feb 7, 2025): @blizard863 I've amended my feature request, and also made the corresponding change to my PR.
gitea-mirror commented 2026-05-05 14:21:47 -06:00
Author
Owner
Copy link

@blizard863 commented on GitHub (Feb 7, 2025):

I don't think this is a standard practice, it's a violation of the semantics of oidc.I looked at your code carefully and it seems that you need to configure a token string on the client side and allowedClaims on the server side to perform Google's special checks before oidc normalization checks.

If so, it seems to me to be a breach of the oidc protocol.I suggest you consider token authentication + metadata + server plugin or oidc authentication + metadata + server plugin.

Did I get it wrong? Or you could go into more detail about your scenario.

https://github.com/fatedier/frp/blob/dev/doc/server_plugin.md

<!-- gh-comment-id:2642958834 --> @blizard863 commented on GitHub (Feb 7, 2025): I don't think this is a standard practice, it's a violation of the semantics of oidc.I looked at your code carefully and it seems that you need to configure a token string on the client side and allowedClaims on the server side to perform Google's special checks before oidc normalization checks. If so, it seems to me to be a breach of the oidc protocol.I suggest you consider token authentication + metadata + server plugin or oidc authentication + metadata + server plugin. Did I get it wrong? Or you could go into more detail about your scenario. https://github.com/fatedier/frp/blob/dev/doc/server_plugin.md
gitea-mirror commented 2026-05-05 14:21:47 -06:00
Author
Owner
Copy link

@foresturquhart commented on GitHub (Feb 7, 2025):

@blizard863 It's quite possible I've made a mistake, I'm not an expert on OIDC. The scenario was that we wanted to operate a single FRP server instance, and enable multiple local clients (developers) to connect to the FRP server. We wanted to make use of the OIDC token created by gcloud auth print-identity-token to streamline the process and make it easy to use.

The idea behind my implementation was to use that token as the rawToken, and then the server would verify it was a valid Google Cloud token, and verify it was associated with the correct workspace/organisation/domain. The reason I didn't use a server plugin was because I thought it still needed to be able to pass a raw token from the client, so unless I could create a client plugin, I felt I'd have to patch the code to enable the behaviour.

I spent a while trying to make this work in other ways before I made the patch and feature request, but I am absolutely more than happy if you have a better way! As I say, I haven't extensively worked with OIDC.

<!-- gh-comment-id:2642978104 --> @foresturquhart commented on GitHub (Feb 7, 2025): @blizard863 It's quite possible I've made a mistake, I'm not an expert on OIDC. The scenario was that we wanted to operate a single FRP server instance, and enable multiple local clients (developers) to connect to the FRP server. We wanted to make use of the OIDC token created by `gcloud auth print-identity-token` to streamline the process and make it easy to use. The idea behind my implementation was to use that token as the rawToken, and then the server would verify it was a valid Google Cloud token, and verify it was associated with the correct workspace/organisation/domain. The reason I didn't use a server plugin was because I thought it still needed to be able to pass a raw token from the client, so unless I could create a client plugin, I felt I'd have to patch the code to enable the behaviour. I spent a while trying to make this work in other ways before I made the patch and feature request, but I am absolutely more than happy if you have a better way! As I say, I haven't extensively worked with OIDC.
gitea-mirror commented 2026-05-05 14:21:47 -06:00
Author
Owner
Copy link

@blizard863 commented on GitHub (Feb 8, 2025):

I don't know why your patch code can work, I think your scenario is like this:

Image

But OIDC work like this:

Image

So I think your scene might not be standard oidc? More like token authentication?

<!-- gh-comment-id:2644449734 --> @blizard863 commented on GitHub (Feb 8, 2025): I don't know why your patch code can work, I think your scenario is like this: <img width="1089" alt="Image" src="https://github.com/user-attachments/assets/35d34ad8-95e7-42b3-b148-09c997c36d6e" /> But OIDC work like this: <img width="815" alt="Image" src="https://github.com/user-attachments/assets/c318c7ab-03c9-40de-81ff-114b8d4328cf" /> --- So I think your scene might not be standard oidc? More like token authentication?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3681
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?