Add support for client registration + group enforcement

If configured, dynamically register and renew a client.

Add support for filtering groups to allow access.

Author: lstoll

config.go

@@ -54,6 +54,13 @@ type upstream struct {
 	OIDCClientID string `json:"oidcClientID"`
 	// OIDCClientSecret sets the OIDC client secret
 	OIDCClientSecret string `json:"oidcClientSecret"`
+
+	// OIDCRegisterClient enables auto-registration of the OIDC client the
+	// issuer. If used, the client id and client secret are ignored.
+	OIDCRegisterClient bool `json:"oidcRegisterClient"`
+	// OIDCRequireGroups requires the user to be in one of the groups listed in
+	// the OIDC groups claim. This will automatically add the `groups` scope.
+	OIDCRequireGroups []string `json:"oidcRequireGroups"`
 }
 
 type kubernetesConfig struct {
@@ -103,10 +110,10 @@ func parseAndValidateConfig(cfg []byte) (config, error) {
 		}
 
 		if u.OIDCIssuer != "" {
-			if u.OIDCClientID == "" {
+			if u.OIDCClientID == "" && !u.OIDCRegisterClient {
 				verr = errors.Join(verr, fmt.Errorf("upstream %s oidcClientID required", u.Name))
 			}
-			if u.OIDCClientSecret == "" {
+			if u.OIDCClientSecret == "" && !u.OIDCRegisterClient {
 				verr = errors.Join(verr, fmt.Errorf("upstream %s oidcClientSecret required", u.Name))
 			}
 		}

go.mod

@@ -10,7 +10,7 @@ require (
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
-	lds.li/oauth2ext v0.0.0-20250914000806-c3b2c2b5b83a
+	lds.li/oauth2ext v0.0.0-20250914133403-f15f6850f142
 	tailscale.com v1.88.1
 )
 

go.sum

@@ -362,6 +362,8 @@ k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPG
 k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 lds.li/oauth2ext v0.0.0-20250914000806-c3b2c2b5b83a h1:zfJ6WGu4U0UJmuajE/TCgMgR8PaCSMluazfUI8lsopc=
 lds.li/oauth2ext v0.0.0-20250914000806-c3b2c2b5b83a/go.mod h1:hM8whxxUy2hC0nsgxAYIbCMF+W2mzhRokz15zCkYFwA=
+lds.li/oauth2ext v0.0.0-20250914133403-f15f6850f142 h1:ZcWyDcAjS4TAjjEZQIGaKim1rKDBhGNYCuisYme7ia8=
+lds.li/oauth2ext v0.0.0-20250914133403-f15f6850f142/go.mod h1:hM8whxxUy2hC0nsgxAYIbCMF+W2mzhRokz15zCkYFwA=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=

go.work

@@ -0,0 +1,6 @@
+go 1.25.1
+
+use (
+	.
+	../oauth2ext
+)

go.work.sum

@@ -329,20 +329,19 @@ func tsproxy(ctx context.Context) error {
 				// TODO pass public paths direct to the proxy
 				mux := http.NewServeMux()
 
+				// process these first, so they take precedence over the OIDC
+				// auth.
 				for _, p := range upstream.FunnelPublicPatterns {
 					mux.Handle(p, rp)
 				}
 
 				if upstream.OIDCIssuer != "" {
-					baseURL := "https://" + strings.TrimSuffix(st.Self.DNSName, ".")
-
-					oidcm, err := oidcmiddleware.NewFromDiscovery(ctx, nil, upstream.OIDCIssuer, upstream.OIDCClientID, upstream.OIDCClientSecret, baseURL+"/.tsproxy/oidc-callback")
+					mw, err := buildMiddlewareForUpstream(ctx, st, upstream)
 					if err != nil {
-						return fmt.Errorf("oidc: new middleware: %w", err)
+						return fmt.Errorf("oidc: build middleware: %w", err)
 					}
-					oidcm.OAuth2Config.Scopes = append(oidcm.OAuth2Config.Scopes, "profile", "email")
 
-					mux.Handle("/", oidcm.Wrap(rp)) // fallback to authed path.
+					mux.Handle("/", mw(rp)) // fallback to authed path.
 				} else if !slices.Contains(upstream.FunnelPublicPatterns, "/") {
 					// no OIDC auth, no root pattern, default behaviour is to block.
 					mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {

main.go

@@ -0,0 +1,180 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"slices"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+	"lds.li/oauth2ext/oidc"
+	"lds.li/oauth2ext/oidcclientreg"
+	"lds.li/oauth2ext/oidcmiddleware"
+	"tailscale.com/ipn/ipnstate"
+)
+
+type groupClaims struct {
+	Groups []string `json:"groups"`
+}
+
+func buildMiddlewareForUpstream(ctx context.Context, st *ipnstate.Status, upstream upstream) (func(http.Handler) http.Handler, error) {
+	baseURL := "https://" + strings.TrimSuffix(st.Self.DNSName, ".")
+
+	p, err := oidc.DiscoverProvider(ctx, upstream.OIDCIssuer)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: discover: %w", err)
+	}
+
+	oidcOAuth2ConfigFn, err := oidcOAuth2ConfigFn(ctx, upstream, baseURL+"/.tsproxy/oidc-callback")
+	if err != nil {
+		return nil, fmt.Errorf("oidc: oauth2 config: %w", err)
+	}
+
+	gmw := func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if len(upstream.OIDCRequireGroups) == 0 {
+				h.ServeHTTP(w, r)
+				return
+			}
+
+			cl, ok := oidcmiddleware.IDClaimsFromContext(r.Context())
+			if !ok {
+				slog.Error("oidc: missing id claims")
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+
+			var gc groupClaims
+			if err := cl.UnmarshalClaims(&gc); err != nil {
+				slog.Error("oidc: unmarshalling group claims", "error", err)
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+
+			allowed := false
+			for _, required := range upstream.OIDCRequireGroups {
+				if slices.Contains(gc.Groups, required) {
+					allowed = true
+					break
+				}
+			}
+			if allowed {
+				h.ServeHTTP(w, r)
+				return
+			}
+
+			slog.WarnContext(r.Context(), "oidc: user not in required groups", "upstream", upstream.Name, "groups", gc.Groups)
+			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		})
+	}
+
+	omw := &oidcmiddleware.Handler{
+		Provider:           p,
+		OAuth2ConfigSource: oidcOAuth2ConfigFn,
+		SessionStore:       &oidcmiddleware.Cookiestore{},
+	}
+
+	return func(h http.Handler) http.Handler {
+		return omw.Wrap(gmw(h))
+	}, nil
+}
+
+func oidcOAuth2ConfigFn(ctx context.Context, upstream upstream, redirURL string) (func(context.Context) (oauth2.Config, error), error) {
+	p, err := oidc.DiscoverProvider(ctx, upstream.OIDCIssuer)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: discover: %w", err)
+	}
+
+	scopes := []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail}
+	if len(upstream.OIDCRequireGroups) > 0 {
+		scopes = append(scopes, "groups")
+	}
+
+	o2cfg := &oauth2.Config{
+		Endpoint:    p.Endpoint(),
+		Scopes:      scopes,
+		RedirectURL: redirURL,
+	}
+
+	if !upstream.OIDCRegisterClient {
+		// just return something that uses the current config.
+		return func(ctx context.Context) (oauth2.Config, error) {
+			c := *o2cfg
+			c.ClientID = upstream.OIDCClientID
+			c.ClientSecret = upstream.OIDCClientSecret
+			return c, nil
+		}, nil
+	}
+
+	// otherwise register a client, and run a routine to update the config.
+	regResp, err := registerOIDCClient(ctx, upstream, p)
+	if err != nil {
+		return nil, fmt.Errorf("oidc: register client: %w", err)
+	}
+
+	o2cfg.ClientID = regResp.ClientID
+	o2cfg.ClientSecret = regResp.ClientSecret
+
+	slog.Info("oidc: registered client", "upstream", upstream.Name, "client_id", o2cfg.ClientID)
+
+	reRegisterDelay := time.Hour // for now, to exercise it.
+	// if regResp.ClientSecretExpiresAt != nil {
+	// 	ttl := time.Duration(*regResp.ClientSecretExpiresAt-time.Now().Unix()) * time.Second
+	// 	reRegisterDelay = time.Duration(float64(ttl) * 0.75)
+	// } else {
+	// 	reRegisterDelay = time.Hour // TODO set a better default
+	// }
+
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(reRegisterDelay):
+				newRegResp, err := registerOIDCClient(ctx, upstream, p)
+				if err != nil {
+					slog.Error("oidc: failed to register client", "upstream", upstream.Name, "error", err)
+					// If registration fails, try again sooner
+					reRegisterDelay = time.Minute
+					continue
+				}
+				slog.Info("oidc: registered client", "upstream", upstream.Name, "client_id", o2cfg.ClientID)
+				o2cfg.ClientID = newRegResp.ClientID
+				o2cfg.ClientSecret = newRegResp.ClientSecret
+				// On success, wait longer before next registration
+				// TODO - same calculation as above
+				reRegisterDelay = time.Hour
+			}
+		}
+	}()
+
+	return func(ctx context.Context) (oauth2.Config, error) {
+		return *o2cfg, nil
+	}, nil
+}
+
+// registerOIDCClient performs dynamic client registration with the OIDC provider
+func registerOIDCClient(ctx context.Context, upstream upstream, provider *oidc.Provider) (*oidcclientreg.ClientRegistrationResponse, error) {
+	// Create registration request
+	request := &oidcclientreg.ClientRegistrationRequest{
+		ClientName:      fmt.Sprintf("tsproxy-%s", upstream.Name),
+		RedirectURIs:    []string{"http://127.0.0.1/callback"},
+		ApplicationType: "web",
+		ResponseTypes:   []string{"code"},
+		GrantTypes:      []string{"authorization_code"},
+	}
+
+	if slices.Contains(provider.Metadata.IDTokenSigningAlgValuesSupported, "ES256") {
+		request.IDTokenSignedResponseAlg = "ES256"
+	}
+
+	response, err := oidcclientreg.RegisterWithProvider(ctx, provider, request)
+	if err != nil {
+		return nil, fmt.Errorf("failed to register client: %w", err)
+	}
+
+	return response, nil
+}