feat(github): OAuth for GitHub

internal/cmd/auth.go

@@ -13,7 +13,9 @@ import (
 	"go.flipt.io/flipt/internal/containers"
 	"go.flipt.io/flipt/internal/gateway"
 	"go.flipt.io/flipt/internal/server/auth"
+	"go.flipt.io/flipt/internal/server/auth/method"
 	authkubernetes "go.flipt.io/flipt/internal/server/auth/method/kubernetes"
+	"go.flipt.io/flipt/internal/server/auth/method/oauth"
 	authoidc "go.flipt.io/flipt/internal/server/auth/method/oidc"
 	authtoken "go.flipt.io/flipt/internal/server/auth/method/token"
 	"go.flipt.io/flipt/internal/server/auth/public"
@@ -119,6 +121,15 @@ func authenticationGRPC(
 		logger.Debug("authentication method \"oidc\" server registered")
 	}
 
+	if authCfg.Methods.OAuth.Enabled {
+		oauthServer := oauth.NewServer(logger, store, authCfg)
+		register.Add(oauthServer)
+
+		authOpts = append(authOpts, auth.WithServerSkipsAuthentication(oauthServer))
+
+		logger.Debug("authentication method \"oauth\" registered")
+	}
+
 	if authCfg.Methods.Kubernetes.Enabled {
 		kubernetesServer, err := authkubernetes.New(logger, store, authCfg)
 		if err != nil {
@@ -212,15 +223,25 @@ func authenticationHTTPMount(
 	}
 
 	if cfg.Methods.OIDC.Enabled {
-		oidcmiddleware := authoidc.NewHTTPMiddleware(cfg.Session)
+		oidcmiddleware := method.NewHTTPMiddleware(cfg.Session)
 		muxOpts = append(muxOpts,
-			runtime.WithMetadata(authoidc.ForwardCookies),
+			runtime.WithMetadata(method.ForwardCookies),
 			runtime.WithForwardResponseOption(oidcmiddleware.ForwardResponseOption),
 			registerFunc(ctx, conn, rpcauth.RegisterAuthenticationMethodOIDCServiceHandler))
 
 		middleware = append(middleware, oidcmiddleware.Handler)
 	}
 
+	if cfg.Methods.OAuth.Enabled {
+		oauthmiddleware := method.NewHTTPMiddleware(cfg.Session)
+		muxOpts = append(muxOpts,
+			runtime.WithMetadata(method.ForwardCookies),
+			runtime.WithForwardResponseOption(oauthmiddleware.ForwardResponseOption),
+			registerFunc(ctx, conn, rpcauth.RegisterAuthenticationMethodOAuthServiceHandler))
+
+		middleware = append(middleware, oauthmiddleware.Handler)
+	}
+
 	if cfg.Methods.Kubernetes.Enabled {
 		muxOpts = append(muxOpts, registerFunc(ctx, conn, rpcauth.RegisterAuthenticationMethodKubernetesServiceHandler))
 	}

internal/config/authentication.go

@@ -192,6 +192,7 @@ type AuthenticationSessionCSRF struct {
 // method available for use within Flipt.
 type AuthenticationMethods struct {
 	Token      AuthenticationMethod[AuthenticationMethodTokenConfig]      `json:"token,omitempty" mapstructure:"token"`
+	OAuth      AuthenticationMethod[AuthenticationMethodOAuthConfig]      `json:"oauth,omitempty" mapstructure:"oauth"`
 	OIDC       AuthenticationMethod[AuthenticationMethodOIDCConfig]       `json:"oidc,omitempty" mapstructure:"oidc"`
 	Kubernetes AuthenticationMethod[AuthenticationMethodKubernetesConfig] `json:"kubernetes,omitempty" mapstructure:"kubernetes"`
 }
@@ -200,6 +201,7 @@ type AuthenticationMethods struct {
 func (a *AuthenticationMethods) AllMethods() []StaticAuthenticationMethodInfo {
 	return []StaticAuthenticationMethodInfo{
 		a.Token.info(),
+		a.OAuth.info(),
 		a.OIDC.info(),
 		a.Kubernetes.info(),
 	}
@@ -405,3 +407,49 @@ func (a AuthenticationMethodKubernetesConfig) info() AuthenticationMethodInfo {
 		SessionCompatible: false,
 	}
 }
+
+// AuthenticationMethodOAuthConfig maps an OAuth hosts to pieces of configuration
+// that will allow for completion of the OAuth flow.
+type AuthenticationMethodOAuthConfig struct {
+	Hosts map[string]AuthenticationMethodOAuthProvider `json:"hosts,omitempty" mapstructure:"hosts"`
+}
+
+func (a AuthenticationMethodOAuthConfig) setDefaults(defaults map[string]any) {}
+
+// info describes properties of the authentication method "oauth".
+func (a AuthenticationMethodOAuthConfig) info() AuthenticationMethodInfo {
+	c := AuthenticationMethodInfo{
+		Method:            auth.Method_METHOD_OAUTH,
+		SessionCompatible: false,
+	}
+
+	var (
+		metadata = make(map[string]any)
+		hosts    = make(map[string]any, len(a.Hosts))
+	)
+
+	// this ensures we expose the authorize and callback URL endpoint
+	// to the UI via the /auth/v1/method endpoint
+	for host := range a.Hosts {
+		hosts[host] = map[string]any{
+			"authorize_url": fmt.Sprintf("/auth/v1/method/oauth/%s/authorize", host),
+			"callback_url":  fmt.Sprintf("/auth/v1/method/oauth/%s/callback", host),
+		}
+	}
+
+	metadata["hosts"] = hosts
+
+	c.Metadata, _ = structpb.NewStruct(metadata)
+
+	return c
+}
+
+// AuthenticationMethodOAuthProvider holds all relevant configuration for providing the client
+// with an AuthorizeURL to use, and to issue back to the client an access token
+// for authorized requests on the relevant server.
+type AuthenticationMethodOAuthProvider struct {
+	ClientSecret    string   `json:"clientSecret,omitempty" mapstructure:"client_secret"`
+	ClientId        string   `json:"clientId,omitempty" mapstructure:"client_id"`
+	RedirectAddress string   `json:"redirectAddress,omitempty" mapstructure:"redirect_address"`
+	Scopes          []string `json:"scopes,omitempty" mapstructure:"scopes"`
+}

internal/server/auth/method/oidc/http.go → internal/server/auth/method/http.go

@@ -1,4 +1,4 @@
-package oidc
+package method
 
 import (
 	"context"
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"go.flipt.io/flipt/internal/config"
-	"go.flipt.io/flipt/rpc/flipt/auth"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/protobuf/proto"
 )
@@ -57,11 +56,16 @@ func ForwardCookies(ctx context.Context, req *http.Request) metadata.MD {
 // This ensures a secure browser session can be established.
 // The user-agent is then redirected to the root of the domain.
 func (m Middleware) ForwardResponseOption(ctx context.Context, w http.ResponseWriter, resp proto.Message) error {
-	r, ok := resp.(*auth.CallbackResponse)
+	type CallbackResponseCleaner interface {
+		GetClientToken() string
+		StripClientToken()
+	}
+
+	r, ok := resp.(CallbackResponseCleaner)
 	if ok {
 		cookie := &http.Cookie{
 			Name:     tokenCookieKey,
-			Value:    r.ClientToken,
+			Value:    r.GetClientToken(),
 			Domain:   m.config.Domain,
 			Path:     "/",
 			Expires:  time.Now().Add(m.config.TokenLifetime),
@@ -73,7 +77,7 @@ func (m Middleware) ForwardResponseOption(ctx context.Context, w http.ResponseWr
 		http.SetCookie(w, cookie)
 
 		// clear out token now that it is set via cookie
-		r.ClientToken = ""
+		r.StripClientToken()
 
 		w.Header().Set("Location", "/")
 		w.WriteHeader(http.StatusFound)
@@ -90,7 +94,7 @@ func (m Middleware) ForwardResponseOption(ctx context.Context, w http.ResponseWr
 // The payload is then also encoded as a http cookie which is bound to the callback path.
 func (m Middleware) Handler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		provider, method, match := parts(r.URL.Path)
+		provider, method, prefix, match := parts(r.URL.Path)
 		if !match {
 			next.ServeHTTP(w, r)
 			return
@@ -126,7 +130,7 @@ func (m Middleware) Handler(next http.Handler) http.Handler {
 				Name:  stateCookieKey,
 				Value: encoded,
 				// bind state cookie to provider callback
-				Path:     "/auth/v1/method/oidc/" + provider + "/callback",
+				Path:     prefix + provider + "/callback",
 				Expires:  time.Now().Add(m.config.StateLifetime),
 				Secure:   m.config.Secure,
 				HttpOnly: true,
@@ -150,13 +154,20 @@ func (m Middleware) Handler(next http.Handler) http.Handler {
 	})
 }
 
-func parts(path string) (provider, method string, ok bool) {
-	const prefix = "/auth/v1/method/oidc/"
-	if !strings.HasPrefix(path, prefix) {
-		return "", "", false
+func parts(path string) (provider, method, prefix string, ok bool) {
+	var oidcPrefix = "/auth/v1/method/oidc/"
+	if strings.HasPrefix(path, oidcPrefix) {
+		b, a, f := strings.Cut(path[len(oidcPrefix):], "/")
+		return b, a, oidcPrefix, f
+	}
+
+	var oauthPrefix = "/auth/v1/method/oauth/"
+	if strings.HasPrefix(path, oauthPrefix) {
+		b, a, f := strings.Cut(path[len(oauthPrefix):], "/")
+		return b, a, oauthPrefix, f
 	}
 
-	return strings.Cut(path[len(prefix):], "/")
+	return "", "", "", false
 }
 
 func generateSecurityToken() string {

internal/server/auth/method/oauth/server.go

@@ -0,0 +1,168 @@
+package oauth
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"go.flipt.io/flipt/errors"
+	"go.flipt.io/flipt/internal/config"
+	storageauth "go.flipt.io/flipt/internal/storage/auth"
+	"go.flipt.io/flipt/rpc/flipt/auth"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+const (
+	storageMetadataGithubAccessToken = "io.flipt.auth.oauth.access_token"
+)
+
+var (
+	hostToAuthorizeBaseURL = map[string]string{
+		"github": "https://github.com/login/oauth/authorize",
+	}
+	hostToAccessTokenBaseURL = map[string]string{
+		"github": "https://github.com/login/oauth/access_token",
+	}
+)
+
+// Server is an OAuth server side handler.
+type Server struct {
+	logger *zap.Logger
+	store  storageauth.Store
+	config config.AuthenticationConfig
+
+	auth.UnimplementedAuthenticationMethodOAuthServiceServer
+}
+
+// NewServer constructs a Server.
+func NewServer(
+	logger *zap.Logger,
+	store storageauth.Store,
+	config config.AuthenticationConfig,
+) *Server {
+	return &Server{
+		logger: logger,
+		store:  store,
+		config: config,
+	}
+}
+
+// RegisterGRPC registers the server as an Server on the provided grpc server.
+func (s *Server) RegisterGRPC(server *grpc.Server) {
+	auth.RegisterAuthenticationMethodOAuthServiceServer(server, s)
+}
+
+func callbackURL(host, oauthHost string) string {
+	// strip trailing slash from host
+	host = strings.TrimSuffix(host, "/")
+	return host + "/auth/v1/method/oauth/" + oauthHost + "/callback"
+}
+
+// AuthorizeURL will return a URL for the client to redirect to for completion of the OAuth flow with GitHub.
+func (s *Server) AuthorizeURL(ctx context.Context, a *auth.OAuthAuthorizeRequest) (*auth.AuthorizeURLResponse, error) {
+	oauthConfig := s.config.Methods.OAuth.Method.Hosts[a.Host]
+
+	authorizeBaseURL := hostToAuthorizeBaseURL[a.Host]
+
+	u, err := url.Parse(authorizeBaseURL)
+	if err != nil {
+		return nil, err
+	}
+
+	// Build OAuth authorize url.
+	q := u.Query()
+
+	q.Set("client_id", oauthConfig.ClientId)
+	q.Set("scope", strings.Join(oauthConfig.Scopes, ":"))
+	q.Set("redirect_uri", callbackURL(oauthConfig.RedirectAddress, a.Host))
+	q.Set("state", a.State)
+
+	u.RawQuery = q.Encode()
+
+	return &auth.AuthorizeURLResponse{
+		AuthorizeUrl: u.String(),
+	}, nil
+}
+
+// OAuthCallback is the OAuth callback method for OAuth authentication. It will take in a SessionCode
+// which is the OAuth grant passed in by the OAuth service, and exchange the grant with an Authentication
+// that includes the access token.
+func (s *Server) OAuthCallback(ctx context.Context, oauth *auth.OAuthCallbackRequest) (*auth.OAuthCallbackResponse, error) {
+	if oauth.State != "" {
+		md, ok := metadata.FromIncomingContext(ctx)
+		if !ok {
+			return nil, errors.ErrUnauthenticatedf("missing state parameter")
+		}
+
+		state, ok := md["flipt_client_state"]
+		if !ok || len(state) < 1 {
+			return nil, errors.ErrUnauthenticatedf("missing state parameter")
+		}
+
+		if oauth.State != state[0] {
+			return nil, errors.ErrUnauthenticatedf("unexpected state parameter")
+		}
+	}
+
+	oauthConfig := s.config.Methods.OAuth.Method.Hosts[oauth.Host]
+
+	c := &http.Client{
+		Timeout: 5 * time.Second,
+	}
+
+	accessTokenURL := hostToAccessTokenBaseURL[oauth.Host]
+
+	req, err := http.NewRequestWithContext(ctx, "POST", accessTokenURL, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	q := req.URL.Query()
+	q.Set("client_id", oauthConfig.ClientId)
+	q.Set("client_secret", oauthConfig.ClientSecret)
+	q.Set("code", oauth.Code)
+	e := q.Encode()
+	req.URL.RawQuery = e
+
+	// We have to accept JSON from the GitHub server when requesting the access token.
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var oauthAccessTokenResponse struct {
+		AccessToken string   `json:"access_token,omitempty"`
+		Scopes      []string `json:"scopes,omitempty"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&oauthAccessTokenResponse); err != nil {
+		return nil, err
+	}
+
+	metadata := map[string]string{
+		storageMetadataGithubAccessToken: oauthAccessTokenResponse.AccessToken,
+	}
+
+	clientToken, a, err := s.store.CreateAuthentication(ctx, &storageauth.CreateAuthenticationRequest{
+		Method:    auth.Method_METHOD_OAUTH,
+		ExpiresAt: timestamppb.New(time.Now().UTC().Add(s.config.Session.TokenLifetime)),
+		Metadata:  metadata,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &auth.OAuthCallbackResponse{
+		ClientToken:    clientToken,
+		Authentication: a,
+	}, nil
+}

internal/server/auth/method/oidc/testing/http.go

@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.flipt.io/flipt/internal/config"
 	"go.flipt.io/flipt/internal/gateway"
-	"go.flipt.io/flipt/internal/server/auth/method/oidc"
+	"go.flipt.io/flipt/internal/server/auth/method"
 	"go.flipt.io/flipt/rpc/flipt/auth"
 	"go.uber.org/zap"
 )
@@ -32,10 +32,10 @@ func StartHTTPServer(
 			GRPCServer: StartGRPCServer(t, ctx, logger, conf),
 		}
 
-		oidcmiddleware = oidc.NewHTTPMiddleware(conf.Session)
+		oidcmiddleware = method.NewHTTPMiddleware(conf.Session)
 		mux            = gateway.NewGatewayServeMux(
 			logger,
-			runtime.WithMetadata(oidc.ForwardCookies),
+			runtime.WithMetadata(method.ForwardCookies),
 			runtime.WithForwardResponseOption(oidcmiddleware.ForwardResponseOption),
 		)
 	)