supabase · smndtrl · Aug 21, 2024 · Aug 21, 2024 · Aug 21, 2024 · Aug 21, 2024
@@ -258,7 +258,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 		})
 
 		r.Route("/sso", func(r *router) {
-			r.Use(api.requireSAMLEnabled)
+			r.Use(api.requireSSOEnabled)
 			r.With(api.limitHandler(
 				// Allow requests at the specified rate per 5 minutes.
 				tollbooth.NewLimiter(api.config.RateLimitSso/(60*5), &limiter.ExpirableOptions{
@@ -267,6 +267,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			)).With(api.verifyCaptcha).Post("/", api.SingleSignOn)
 
 			r.Route("/saml", func(r *router) {
+				r.Use(api.requireSSOSAMLEnabled)
 				r.Get("/metadata", api.SAMLMetadata)
 
 				r.With(api.limitHandler(
@@ -276,6 +277,18 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 					}).SetBurst(30),
 				)).Post("/acs", api.SamlAcs)
 			})
+
+			r.Route("/oidc", func(r *router) {
+				r.Use(api.requireSSOOIDCEnabled)
+				r.Route("/callback", func(r *router) {
+					r.Use(api.isValidExternalHost)
+					r.Use(api.loadSSOOIDCFlowState)
+
+					r.Get("/", api.ExternalProviderCallback)
+					r.Post("/", api.ExternalProviderCallback)
+				})
+			})
+
 		})
 
 		r.Route("/admin", func(r *router) {
@@ -320,6 +333,19 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 						r.Put("/", api.adminSSOProvidersUpdate)
 						r.Delete("/", api.adminSSOProvidersDelete)
 					})
+
+					r.Route("/oidc", func(r *router) {
+						r.Get("/", api.adminOIDCSSOProvidersList)
+						r.Post("/", api.adminOIDCSSOProvidersCreate)
+
+						r.Route("/{idp_id}", func(r *router) {
+							r.Use(api.loadOIDCSSOProvider)
+
+							r.Get("/", api.adminOIDCSSOProvidersGet)
+							// r.Put("/", api.adminOIDCSSOProvidersUpdate)
+							r.Delete("/", api.adminOIDCSSOProvidersDelete)
+						})
+					})
 				})
 			})
 

@@ -5,6 +5,7 @@ import (
 	"net/url"
 
 	jwt "github.com/golang-jwt/jwt/v5"
+	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/models"
 )
 
@@ -15,22 +16,23 @@ func (c contextKey) String() string {
 }
 
 const (
-	tokenKey                = contextKey("jwt")
-	inviteTokenKey          = contextKey("invite_token")
-	signatureKey            = contextKey("signature")
-	externalProviderTypeKey = contextKey("external_provider_type")
-	userKey                 = contextKey("user")
-	targetUserKey           = contextKey("target_user")
-	factorKey               = contextKey("factor")
-	sessionKey              = contextKey("session")
-	externalReferrerKey     = contextKey("external_referrer")
-	functionHooksKey        = contextKey("function_hooks")
-	adminUserKey            = contextKey("admin_user")
-	oauthTokenKey           = contextKey("oauth_token") // for OAuth1.0, also known as request token
-	oauthVerifierKey        = contextKey("oauth_verifier")
-	ssoProviderKey          = contextKey("sso_provider")
-	externalHostKey         = contextKey("external_host")
-	flowStateKey            = contextKey("flow_state_id")
+	tokenKey                 = contextKey("jwt")
+	inviteTokenKey           = contextKey("invite_token")
+	signatureKey             = contextKey("signature")
+	externalProviderTypeKey  = contextKey("external_provider_type")
+	userKey                  = contextKey("user")
+	targetUserKey            = contextKey("target_user")
+	factorKey                = contextKey("factor")
+	sessionKey               = contextKey("session")
+	externalReferrerKey      = contextKey("external_referrer")
+	functionHooksKey         = contextKey("function_hooks")
+	adminUserKey             = contextKey("admin_user")
+	oauthTokenKey            = contextKey("oauth_token") // for OAuth1.0, also known as request token
+	oauthVerifierKey         = contextKey("oauth_verifier")
+	ssoProviderKey           = contextKey("sso_provider")
+	externalHostKey          = contextKey("external_host")
+	flowStateKey             = contextKey("flow_state_id")
+	genericProviderConfigKey = contextKey("generic_provider_config")
 )
 
 // withToken adds the JWT token to the context.
@@ -241,3 +243,16 @@ func getExternalHost(ctx context.Context) *url.URL {
 	}
 	return obj.(*url.URL)
 }
+
+func withGenericProviderConfig(ctx context.Context, token *conf.GenericOAuthProviderConfiguration) context.Context {
+	return context.WithValue(ctx, genericProviderConfigKey, token)
+}
+
+func getGenericProviderConfig(ctx context.Context) *conf.GenericOAuthProviderConfiguration {
+	obj := ctx.Value(genericProviderConfigKey)
+	if obj == nil {
+		return nil
+	}
+
+	return obj.(*conf.GenericOAuthProviderConfiguration)
+}
@@ -578,6 +578,9 @@ func (a *API) Provider(ctx context.Context, name string, scopes string) (provide
 		return provider.NewWorkOSProvider(config.External.WorkOS)
 	case "zoom":
 		return provider.NewZoomProvider(config.External.Zoom)
+	case "sso/oidc":
+		config := getGenericProviderConfig(ctx)
+		return provider.NewGenericProvider(*config, scopes)
 	default:
 		return nil, fmt.Errorf("Provider %s could not be found", name)
 	}

@@ -65,6 +65,7 @@ func getBodyBytes(req *http.Request) ([]byte, error) {
 type RequestParams interface {
 	AdminUserParams |
 		CreateSSOProviderParams |
+		CreateOIDCSSOProviderParams |
 		EnrollFactorParams |
 		GenerateLinkParams |
 		IdTokenGrantParams |

@@ -223,14 +223,30 @@ func (a *API) isValidExternalHost(w http.ResponseWriter, req *http.Request) (con
 	return withExternalHost(ctx, u), nil
 }
 
-func (a *API) requireSAMLEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
+func (a *API) requireSSOSAMLEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 	ctx := req.Context()
 	if !a.config.SAML.Enabled {
 		return nil, notFoundError(ErrorCodeSAMLProviderDisabled, "SAML 2.0 is disabled")
 	}
 	return ctx, nil
 }
 
+func (a *API) requireSSOOIDCEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
+	ctx := req.Context()
+	if !a.config.OIDC.Enabled {
+		return nil, notFoundError(ErrorCodeSAMLProviderDisabled, "OIDC is disabled")
+	}
+	return ctx, nil
+}
+
+func (a *API) requireSSOEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
+	ctx := req.Context()
+	if !(a.config.OIDC.Enabled || a.config.SAML.Enabled) {
+		return nil, notFoundError(ErrorCodeSAMLProviderDisabled, "Either SAML or OIDC for SSO need to be enabled")
+	}
+	return ctx, nil
+}
+
 func (a *API) requireManualLinkingEnabled(w http.ResponseWriter, req *http.Request) (context.Context, error) {
 	ctx := req.Context()
 	if !a.config.Security.ManualLinkingEnabled {

@@ -287,7 +287,7 @@ func (ts *MiddlewareTestSuite) TestRequireSAMLEnabled() {
 			req := httptest.NewRequest("GET", "http://localhost", nil)
 			w := httptest.NewRecorder()
 
-			_, err := ts.API.requireSAMLEnabled(w, req)
+			_, err := ts.API.requireSSOSAMLEnabled(w, req)
 			require.Equal(ts.T(), c.expectedErr, err)
 		})
 	}