Add new SSO rule options (#247)

rthellend · web-flow · commit 75a27350a85c · 2025-12-31T10:06:34.000-08:00
### Description

Add two new SSO rule options:
  * `SkipLoginPage` redirects requests directly to the IDP's login page.
* `Return403ForGetRequests` returns a simple 403 (Forbidden) response
for GET requests. Normally, GET requests get a login page.

Also, add `TokenLifetime` to OIDC, SAML, and Passkey providers.

### Type of change

* [ ] New feature
* [x] Feature improvement
* [ ] Bug fix
* [ ] Documentation
* [ ] Cleanup / refactoring
* [ ] Other (please explain)

### How is this change tested ?

* [ ] Unit tests
* [x] Manual tests (explain)
* [ ] Tests are not needed
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 ## next
 
+### :star: Feature improvement
+
+* Add two new SSO rule options:
+  * `SkipLoginPage` redirects requests directly to the IDP's login page.
+  * `Return403ForGetRequests` returns a simple 403 (Forbidden) response for GET requests. Normally, GET requests get a login page.
+* Add `TokenLifetime` to OIDC, SAML, and Passkey providers. This optional field set the lifetime of auth tokens set by tlsproxy.
+
 ### :wrench: Misc
 
 * Update go: 1.25.5
diff --git a/proxy/backend-sso.go b/proxy/backend-sso.go
@@ -374,7 +374,7 @@ func (be *Backend) enforceSSOPolicy(w http.ResponseWriter, req *http.Request, ov
 	// * the backend has ForceReAuth set, and the last authentication
 	//   either on a different host, or too long ago.
 	if claims == nil || (rule.ForceReAuth != 0 && (claims["hhash"] != hex.EncodeToString(hh[:]) || time.Since(iat) > rule.ForceReAuth)) {
-		if req.Method != http.MethodGet {
+		if req.Method != http.MethodGet || rule.Return403ForGetRequests {
 			be.logRequestF("REQ %s ➔ %s %s ➔ status:%d (SSO) (%q)", formatReqDesc(req), req.Method, req.RequestURI, http.StatusForbidden, userAgent(req))
 			http.Error(w, "authentication required", http.StatusForbidden)
 			return false
@@ -396,7 +396,7 @@ func (be *Backend) enforceSSOPolicy(w http.ResponseWriter, req *http.Request, ov
 			http.Error(w, "internal error", http.StatusInternalServerError)
 			return false
 		}
-		if _, ok := be.SSO.p.(*passkeys.Manager); ok || req.Header.Get("x-skip-login-confirmation") != "" {
+		if _, ok := be.SSO.p.(*passkeys.Manager); ok || req.Header.Get("x-skip-login-confirmation") != "" || rule.SkipLoginPage {
 			be.logRequestF("REQ %s ➔ %s %s ➔ status:%d (SSO) (%q)", formatReqDesc(req), req.Method, req.RequestURI, http.StatusFound, userAgent(req))
 			http.Redirect(w, req, "/.sso/login?redirect="+token, http.StatusFound)
 			return false
diff --git a/proxy/config.go b/proxy/config.go
@@ -609,6 +609,9 @@ type ConfigOIDC struct {
 	// be valid. Only set this if all host names in the domain are served
 	// by this proxy.
 	Domain string `yaml:"domain,omitempty"`
+	// TokenLifetime is the amount of time that tokens, issued by the proxy
+	// for this provider, will be valid. The default is 20 hours.
+	TokenLifetime time.Duration `yaml:"tokenLifetime,omitempty"`
 }
 
 // ConfigSAML contains the parameters of a SAML identity provider.
@@ -623,6 +626,9 @@ type ConfigSAML struct {
 	// be valid. Only set this if all host names in the domain are served
 	// by this proxy.
 	Domain string `yaml:"domain,omitempty"`
+	// TokenLifetime is the amount of time that tokens, issued by the proxy
+	// for this provider, will be valid. The default is 20 hours.
+	TokenLifetime time.Duration `yaml:"tokenLifetime,omitempty"`
 }
 
 // ConfigPasskey contains the parameters of a Passkey manager.
@@ -645,6 +651,9 @@ type ConfigPasskey struct {
 	// be valid. Only set this if all host names in the domain are served
 	// by this proxy.
 	Domain string `yaml:"domain,omitempty"`
+	// TokenLifetime is the amount of time that tokens, issued by the proxy
+	// for this provider, will be valid. The default is 20 hours.
+	TokenLifetime time.Duration `yaml:"tokenLifetime,omitempty"`
 }
 
 // ConfigPKI defines the parameters of a local Certificate Authority.
@@ -713,6 +722,13 @@ type SSORule struct {
 	// Scopes restricts access to user identities that have at least one of
 	// these scopes. If empty, there are no scope restrictions.
 	Scopes Strings `yaml:"scopes,flow,omitempty"`
+	// SkipLoginPage indicates that when authentication is required, the
+	// user is redirected to the provider's login page directly.
+	SkipLoginPage bool `yaml:"skipLoginPage,omitempty"`
+	// Return403ForGetRequests indicates that unauthorized GET requests
+	// should return 403 (Forbidden) instead of redirecting to a login
+	// page.
+	Return403ForGetRequests bool `yaml:"return403ForGetRequests,omitempty"`
 }
 
 // BackendSSO specifies the identity parameters to use for a backend.
diff --git a/proxy/internal/cookiemanager/cookiemanager.go b/proxy/internal/cookiemanager/cookiemanager.go
@@ -46,21 +46,27 @@ const (
 	tlsProxyNonce         = "TLSPROXYNONCE"
 
 	expiredAuthTokenLeeway = 7 * 24 * time.Hour
+	defaultTokenLifetime   = 20 * time.Hour
 )
 
 type CookieManager struct {
-	tm       *tokenmanager.TokenManager
-	provider string
-	domain   string
-	issuer   string
+	tm            *tokenmanager.TokenManager
+	provider      string
+	domain        string
+	issuer        string
+	tokenLifetime time.Duration
 }
 
-func New(tm *tokenmanager.TokenManager, provider, domain, issuer string) *CookieManager {
+func New(tm *tokenmanager.TokenManager, provider, domain, issuer string, tokenLifetime time.Duration) *CookieManager {
+	if tokenLifetime <= 0 {
+		tokenLifetime = defaultTokenLifetime
+	}
 	return &CookieManager{
-		tm:       tm,
-		provider: provider,
-		domain:   domain,
-		issuer:   issuer,
+		tm:            tm,
+		provider:      provider,
+		domain:        domain,
+		issuer:        issuer,
+		tokenLifetime: tokenLifetime,
 	}
 }
 
@@ -109,7 +115,7 @@ func (cm *CookieManager) SetAuthTokenCookie(w http.ResponseWriter, req *http.Req
 		}
 		claims["th"] = th
 	}
-	token, err := cm.MintToken(claims, 20*time.Hour, cm.issuer, "")
+	token, err := cm.MintToken(claims, cm.tokenLifetime, cm.issuer, "")
 	if err != nil {
 		return err
 	}
@@ -118,7 +124,7 @@ func (cm *CookieManager) SetAuthTokenCookie(w http.ResponseWriter, req *http.Req
 		Value:    token,
 		Domain:   cm.domain,
 		Path:     "/",
-		Expires:  now.Add(20*time.Hour + expiredAuthTokenLeeway),
+		Expires:  now.Add(cm.tokenLifetime + expiredAuthTokenLeeway),
 		SameSite: http.SameSiteLaxMode,
 		Secure:   true,
 		HttpOnly: true,
diff --git a/proxy/internal/cookiemanager/cookiemanager_test.go b/proxy/internal/cookiemanager/cookiemanager_test.go
@@ -46,7 +46,7 @@ func TestCookies(t *testing.T) {
 	if err != nil {
 		t.Fatalf("New: %v", err)
 	}
-	cm := New(tm, "idp", "example.com", "https://idp.example.com")
+	cm := New(tm, "idp", "example.com", "https://idp.example.com", 0)
 
 	recorder := httptest.NewRecorder()
 	req, _ := http.NewRequest("GET", "http://example.com", nil)
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -331,7 +331,7 @@ func (p *Proxy) Reconfigure(cfg *Config) error {
 	for _, pp := range cfg.OIDCProviders {
 		_, host, _, _ := hostAndPath(pp.RedirectURL)
 		issuer := "https://" + host + "/"
-		cm := cookiemanager.New(p.tokenManager, pp.Name, pp.Domain, issuer)
+		cm := cookiemanager.New(p.tokenManager, pp.Name, pp.Domain, issuer, pp.TokenLifetime)
 		oidcCfg := oidc.Config{
 			DiscoveryURL:     pp.DiscoveryURL,
 			AuthEndpoint:     pp.AuthEndpoint,
@@ -359,7 +359,7 @@ func (p *Proxy) Reconfigure(cfg *Config) error {
 	for _, pp := range cfg.SAMLProviders {
 		_, host, _, _ := hostAndPath(pp.ACSURL)
 		issuer := "https://" + host + "/"
-		cm := cookiemanager.New(p.tokenManager, pp.Name, pp.Domain, issuer)
+		cm := cookiemanager.New(p.tokenManager, pp.Name, pp.Domain, issuer, pp.TokenLifetime)
 		samlCfg := saml.Config{
 			SSOURL:   pp.SSOURL,
 			EntityID: pp.EntityID,
@@ -389,7 +389,7 @@ func (p *Proxy) Reconfigure(cfg *Config) error {
 		}
 		_, host, _, _ := hostAndPath(pp.Endpoint)
 		issuer := "https://" + host + "/"
-		cm := cookiemanager.New(p.tokenManager, pp.Name, pp.Domain, issuer)
+		cm := cookiemanager.New(p.tokenManager, pp.Name, pp.Domain, issuer, pp.TokenLifetime)
 		cfg := passkeys.Config{
 			Store:              p.store,
 			Other:              other.identityProvider,
diff --git a/proxy/sso-oidc_test.go b/proxy/sso-oidc_test.go
@@ -378,7 +378,7 @@ func newIDPServer(t *testing.T) *idpServer {
 	if err != nil {
 		t.Fatalf("tokenmanager.New: %v", err)
 	}
-	cm := cookiemanager.New(tm, "idp", "example.com", "https://idp.example.com")
+	cm := cookiemanager.New(tm, "idp", "example.com", "https://idp.example.com", 0)
 	opts := oidc.ServerOptions{
 		CookieManager: cm,
 		Clients: []oidc.Client{

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ func TestCookies(t *testing.T) {`
`46`	`46`	`if err != nil {`
`47`	`47`	`t.Fatalf("New: %v", err)`
`48`	`48`	`}`
`49`		`- cm := New(tm, "idp", "example.com", "https://idp.example.com")`
	`49`	`+ cm := New(tm, "idp", "example.com", "https://idp.example.com", 0)`
`50`	`50`
`51`	`51`	`recorder := httptest.NewRecorder()`
`52`	`52`	`req, _ := http.NewRequest("GET", "http://example.com", nil)`
Original file line number	Diff line number	Diff line change
`@@ -378,7 +378,7 @@ func newIDPServer(t testing.T) idpServer {`
`378`	`378`	`if err != nil {`
`379`	`379`	`t.Fatalf("tokenmanager.New: %v", err)`
`380`	`380`	`}`
`381`		`- cm := cookiemanager.New(tm, "idp", "example.com", "https://idp.example.com")`
	`381`	`+ cm := cookiemanager.New(tm, "idp", "example.com", "https://idp.example.com", 0)`
`382`	`382`	`opts := oidc.ServerOptions{`
`383`	`383`	`CookieManager: cm,`
`384`	`384`	`Clients: []oidc.Client{`