Fixed SSO not respecting the OS' trusted TLS CAs (#1233)

Co-authored-by: Eugene <[email protected]>
warp-tech · Feb 4, 2025 · 40e49a2 · 40e49a2
1 parent 376b897
commit 40e49a2
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 134 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/warpgate-protocol-http/src/api/sso_provider_detail.rs b/warpgate-protocol-http/src/api/sso_provider_detail.rs
@@ -67,7 +67,7 @@ impl Api {
         return_url.set_path("@warpgate/api/sso/return");
         debug!("Return URL: {}", &return_url);
 
-        let client = SsoClient::new(provider_config.provider.clone());
+        let client = SsoClient::new(provider_config.provider.clone())?;
 
         let sso_req = client.start_login(return_url.to_string()).await?;
 

diff --git a/warpgate-protocol-http/src/api/sso_provider_list.rs b/warpgate-protocol-http/src/api/sso_provider_list.rs
@@ -308,7 +308,7 @@ impl Api {
             return Ok(StartSloResponse::NotFound);
         };
 
-        let client = SsoClient::new(provider_config.provider.clone());
+        let client = SsoClient::new(provider_config.provider.clone())?;
         let logout_url = client.logout(state.token, return_url).await?;
 
         logout(session, session_middleware.lock().await.deref_mut());

diff --git a/warpgate-sso/Cargo.toml b/warpgate-sso/Cargo.toml
@@ -9,7 +9,11 @@ bytes.workspace = true
 thiserror = "1.0"
 tokio = { version = "1.20", features = ["tracing", "macros"] }
 tracing.workspace = true
-openidconnect = { version = "3.5", features = ["reqwest", "rustls-tls", "accept-string-booleans"] }
+openidconnect = { version = "4.0", features = [
+    "reqwest",
+    "rustls-tls",
+    "accept-string-booleans",
+] }
 serde.workspace = true
 serde_json.workspace = true
 once_cell = "1.17"

diff --git a/warpgate-sso/src/error.rs b/warpgate-sso/src/error.rs
@@ -1,6 +1,8 @@
 use std::error::Error;
 
-use openidconnect::{ClaimsVerificationError, SigningError};
+use openidconnect::{
+    reqwest, ClaimsVerificationError, ConfigurationError, SignatureVerificationError, SigningError,
+};
 
 #[derive(thiserror::Error, Debug)]
 pub enum SsoError {
@@ -20,10 +22,16 @@ pub enum SsoError {
     ClaimsVerification(#[from] ClaimsVerificationError),
     #[error("signing error: {0}")]
     Signing(#[from] SigningError),
+    #[error("reqwest: {0}")]
+    Reqwest(#[from] reqwest::Error),
     #[error("I/O: {0}")]
     Io(#[from] std::io::Error),
     #[error("JWT error: {0}")]
     Jwt(#[from] jsonwebtoken::errors::Error),
+    #[error("signature verification: {0}")]
+    SignatureVerification(#[from] SignatureVerificationError),
+    #[error("configuration: {0}")]
+    Configuration(#[from] ConfigurationError),
     #[error("the OIDC provider doesn't support RP-initiated logout")]
     LogoutNotSupported,
     #[error(transparent)]

diff --git a/warpgate-sso/src/request.rs b/warpgate-sso/src/request.rs
@@ -25,8 +25,7 @@ impl SsoLoginRequest {
     }
 
     pub async fn verify_code(self, code: String) -> Result<SsoLoginResponse, SsoError> {
-        //
-        let result = SsoClient::new(self.config)
+        let result = SsoClient::new(self.config)?
             .finish_login(self.pkce_verifier, self.redirect_url, &self.nonce, code)
             .await?;