feat: add SSO sharing policy (#4705)

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>

Author: nabokihms

api/v2/api.pb.go

@@ -15,6 +15,7 @@ message Client {
   string name = 6;
   string logo_url = 7;
   repeated string allowed_connectors = 8;
+  repeated string sso_shared_with = 9;
 }
 
 // ClientInfo represents an OAuth2 client without sensitive information.
@@ -26,6 +27,7 @@ message ClientInfo {
   string name = 5;
   string logo_url = 6;
   repeated string allowed_connectors = 7;
+  repeated string sso_shared_with = 8;
 }
 
 // GetClientReq is a request to retrieve client details.
@@ -69,6 +71,7 @@ message UpdateClientReq {
     string name = 4;
     string logo_url = 5;
     repeated string allowed_connectors = 6;
+    repeated string sso_shared_with = 7;
 }
 
 // UpdateClientResp returns the response from updating a client.

api/v2/api.proto

@@ -687,6 +687,9 @@ type Sessions struct {
 	// Must be 16, 24, or 32 bytes for AES-128, AES-192, or AES-256.
 	// If empty, cookies are not encrypted.
 	CookieEncryptionKey string `json:"cookieEncryptionKey"`
+	// SSOSharedWithDefault is the default SSO sharing policy for clients without explicit ssoSharedWith.
+	// "all" = share with all clients, "none" = share with no one (default: "none").
+	SSOSharedWithDefault string `json:"ssoSharedWithDefault"`
 }
 
 // MFAAuthenticator defines a multi-factor authentication provider.

cmd/dex/config.go

@@ -807,6 +807,9 @@ func parseSessionConfig(s *Sessions) (*server.SessionConfig, error) {
 		if s.CookieEncryptionKey != "" {
 			sc.CookieEncryptionKey = []byte(s.CookieEncryptionKey)
 		}
+		if s.SSOSharedWithDefault != "" {
+			sc.SSOSharedWithDefault = s.SSOSharedWithDefault
+		}
 	}
 	if sc.AbsoluteLifetime <= 0 {
 		return nil, fmt.Errorf("absoluteLifetime must be positive, got %v", sc.AbsoluteLifetime)
@@ -820,6 +823,12 @@ func parseSessionConfig(s *Sessions) (*server.SessionConfig, error) {
 	if k := len(sc.CookieEncryptionKey); k > 0 && k != 16 && k != 24 && k != 32 {
 		return nil, fmt.Errorf("cookieEncryptionKey must be 16, 24, or 32 bytes (AES-128/192/256), got %d", k)
 	}
+	switch sc.SSOSharedWithDefault {
+	case "", "none", "all":
+		// valid
+	default:
+		return nil, fmt.Errorf("ssoSharedWithDefault must be \"none\" or \"all\", got %q", sc.SSOSharedWithDefault)
+	}
 	return sc, nil
 }
 

cmd/dex/serve.go

@@ -101,6 +101,20 @@ web:
 #     keysRotationPeriod: "6h"
 #     algorithm: "RS256" # supported values: "RS256" (default) and "ES256"; changes apply on the next key rotation
 
+# Authentication sessions configuration.
+# Requires DEX_SESSIONS_ENABLED=true feature flag.
+# sessions:
+#   cookieName: "dex_session"
+#   absoluteLifetime: "24h"
+#   validIfNotUsedFor: "1h"
+#   rememberMeCheckedByDefault: false
+#   # AES key for encrypting session cookies. Must be 16, 24, or 32 bytes.
+#   # If empty, cookies are not encrypted.
+#   cookieEncryptionKey: ""
+#   # Default SSO sharing policy for clients without explicit ssoSharedWith.
+#   # "all" = share with all clients (Keycloak-like), "none" = no sharing (default).
+#   ssoSharedWithDefault: "none"
+
 # OAuth2 configuration
 # oauth2:
 #   # use ["code", "token", "id_token"] to enable implicit flow for web-only clients
@@ -159,6 +173,19 @@ web:
 #     allowedConnectors:
 #       - github
 #       - google
+#
+#   # Example of SSO sharing between clients.
+#   # ssoSharedWith defines which other clients can reuse this client's session.
+#   # ["*"] = share with all, [] = share with no one.
+#   # If omitted, ssoSharedWithDefault from sessions config is used.
+#   - id: portal-app
+#     secret: portal-secret
+#     redirectURIs:
+#       - 'https://portal.example.com/callback'
+#     name: 'Portal'
+#     ssoSharedWith:
+#       - "dashboard-app"
+#       - "admin-app"
 
 # Connectors are used to authenticate users against upstream identity providers.
 #

config.yaml.dist

@@ -102,6 +102,9 @@ telemetry:
 #   absoluteLifetime: "24h"
 #   validIfNotUsedFor: "1h"
 #   rememberMeCheckedByDefault: false
+#   # Default SSO sharing policy for clients without explicit ssoSharedWith.
+#   # "all" = share with all clients (Keycloak-like), "none" = no sharing (default).
+#   ssoSharedWithDefault: "none"
 
 # Options for controlling the logger.
 # logger:
@@ -187,6 +190,11 @@ staticClients:
   # If omitted, mfa.defaultMFAChain is used.
   # mfaChain:
   # - totp-1
+  # Optional: which other clients can reuse this client's authentication session (SSO).
+  # ["*"] = share with all clients, [] = share with no one.
+  # If omitted, ssoSharedWithDefault from sessions config is used.
+  # ssoSharedWith:
+  # - "*"
 
 # Example using environment variables
 # Set DEX_CLIENT_ID and DEX_SECURE_CLIENT_SECRET before starting Dex

examples/config-dev.yaml

@@ -66,6 +66,7 @@ func (d dexAPI) GetClient(ctx context.Context, req *api.GetClientReq) (*api.GetC
 			Public:            c.Public,
 			LogoUrl:           c.LogoURL,
 			AllowedConnectors: c.AllowedConnectors,
+			SsoSharedWith:     c.SSOSharedWith,
 		},
 	}, nil
 }
@@ -91,6 +92,7 @@ func (d dexAPI) CreateClient(ctx context.Context, req *api.CreateClientReq) (*ap
 		Name:              req.Client.Name,
 		LogoURL:           req.Client.LogoUrl,
 		AllowedConnectors: req.Client.AllowedConnectors,
+		SSOSharedWith:     req.Client.SsoSharedWith,
 	}
 	if err := d.s.CreateClient(ctx, c); err != nil {
 		if err == storage.ErrAlreadyExists {
@@ -126,6 +128,9 @@ func (d dexAPI) UpdateClient(ctx context.Context, req *api.UpdateClientReq) (*ap
 		if req.AllowedConnectors != nil {
 			old.AllowedConnectors = req.AllowedConnectors
 		}
+		if req.SsoSharedWith != nil {
+			old.SSOSharedWith = req.SsoSharedWith
+		}
 		return old, nil
 	})
 	if err != nil {
@@ -167,6 +172,7 @@ func (d dexAPI) ListClients(ctx context.Context, req *api.ListClientReq) (*api.L
 			Public:            client.Public,
 			LogoUrl:           client.LogoURL,
 			AllowedConnectors: client.AllowedConnectors,
+			SsoSharedWith:     client.SSOSharedWith,
 		}
 		clients = append(clients, &c)
 	}

server/api.go

@@ -246,6 +246,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 			default:
 				panic("unsupported error type")
 			}
+			return
 		}
 		prompt, err := ParsePrompt(authReq.Prompt)
 		if err != nil {

server/handlers.go

@@ -1604,6 +1604,30 @@ func TestHandleAuthorizationConnectorGrantTypeFiltering(t *testing.T) {
 	}
 }
 
+func TestHandleAuthorizationInvalidRequestWithSessions(t *testing.T) {
+	ctx := t.Context()
+	httpServer, s := newTestServerMultipleConnectors(t, func(c *Config) {
+		c.SessionConfig = &SessionConfig{
+			CookieName:        "dex_session",
+			AbsoluteLifetime:  24 * time.Hour,
+			ValidIfNotUsedFor: 1 * time.Hour,
+		}
+		c.Storage.CreateClient(ctx, storage.Client{
+			ID:           "test",
+			RedirectURIs: []string{"http://example.com/callback"},
+		})
+	})
+	defer httpServer.Close()
+
+	// Send a request with an unregistered redirect_uri — should not panic.
+	rr := httptest.NewRecorder()
+	reqURL := fmt.Sprintf("%s/auth?response_type=code&client_id=test&redirect_uri=http://evil.com/callback&scope=openid", httpServer.URL)
+	req := httptest.NewRequest(http.MethodGet, reqURL, nil)
+	s.handleAuthorization(rr, req)
+
+	require.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
 func TestHandleConnectorLoginGrantTypeRejection(t *testing.T) {
 	ctx := t.Context()
 	httpServer, s := newTestServer(t, func(c *Config) {

server/handlers_test.go

@@ -156,6 +156,9 @@ type SessionConfig struct {
 	AbsoluteLifetime           time.Duration
 	ValidIfNotUsedFor          time.Duration
 	RememberMeCheckedByDefault bool
+	// SSOSharedWithDefault is the default SSO sharing policy for clients without explicit SSOSharedWith.
+	// "all" = share with all clients, "none" or "" = share with no one (default).
+	SSOSharedWithDefault string
 }
 
 // WebConfig holds the server's frontend templates and asset configuration.