[PR #4660] [CLOSED] OIDC support for raw tokens and claim verification #5021

Closed
opened 2026-05-05 14:53:12 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/4660
Author: @foresturquhart
Created: 2/6/2025
Status: Closed

Base: dev ← Head: feature/oidc-raw-token-hd-claim


📝 Commits (3)

  • cda2cb1 Implement OIDC raw token and hd claim verification (https://github.com/fatedier/frp/commit/cda2cb151e6126fd2c7e0278505c870291c9a92e)
  • b499412 Wrap new VerifyLogin logic in allowedHostedDomains length check (https://github.com/fatedier/frp/commit/b499412aee00f709bb71b50b65f4272fec2b9897)
  • f62cd91 Change from verifying hosted domains to verifying claims (https://github.com/fatedier/frp/commit/f62cd91f09cc975f88660a2cd70232cf1533c353)

📊 Changes

5 files changed (+80 additions, -5 deletions)


📝 pkg/auth/auth.go (+1 -1)
📝 pkg/auth/oidc.go (+64 -1)
📝 pkg/auth/oidc_test.go (+3 -3)
📝 pkg/config/v1/client.go (+3 -0)
📝 pkg/config/v1/server.go (+9 -0)

📄 Description

Description

This pull request implements OIDC support for raw tokens and claim verification, as discussed in issue #4659.

This allows users to authenticate with frpc using pre-existing OIDC tokens (e.g., obtained from gcloud auth print-identity-token) and enables frps to restrict access to clients belonging to a specific Google Workspace. This is useful for scenarios like creating internal, organization-restricted tunneling services. This isn't Google-specific, but I've only tested the functionality with Google.

Changes

  • Added a rawToken field to AuthOIDCClientConfig (client-side).
  • Modified generateAccessToken to use rawToken if provided, bypassing the client credentials flow.
  • Added an allowedClaims field to AuthOIDCServerConfig (server-side).
  • Modified VerifyLogin to decode the JWT payload, extract claims, and compare them against allowedClaims before signature verification.

Related Issue

Closes #4659


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
