djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1bd346cbeb
ContainerImage.Pinniped/internal/oidc/provider/dynamic_upstream_idp_provider.go

144 lines
5.4 KiB
Go
Raw Normal View History

Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
// SPDX-License-Identifier: Apache-2.0
package provider
import (
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
"context"
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
"net/url"
"sync"
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 23:08:27 +00:00
"golang.org/x/oauth2"
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
"k8s.io/apimachinery/pkg/types"
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 23:08:27 +00:00
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
"go.pinniped.dev/internal/authenticators"
Merge branch 'main' into callback-endpoint
2020-11-20 23:13:25 +00:00
"go.pinniped.dev/pkg/oidcclient/nonce"
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 23:02:03 +00:00
"go.pinniped.dev/pkg/oidcclient/oidctypes"
Merge branch 'main' into callback-endpoint
2020-11-20 23:13:25 +00:00
"go.pinniped.dev/pkg/oidcclient/pkce"
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
)
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
type UpstreamOIDCIdentityProviderI interface {
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetName returns a name for this upstream provider, which will be used as a component of the path for the
// callback endpoint hosted by the Supervisor.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
GetName() string
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetClientID returns the OAuth client ID registered with the upstream provider to be used in the authorization code flow.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
GetClientID() string
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
// GetResourceUID returns the Kubernetes resource ID
GetResourceUID() types.UID
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetAuthorizationURL returns the Authorization Endpoint fetched from discovery.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
GetAuthorizationURL() *url.URL
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetScopes returns the scopes to request in authorization (authcode or password grant) flow.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
GetScopes() []string
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetUsernameClaim returns the ID Token username claim name. May return empty string, in which case we
// will use some reasonable defaults.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
GetUsernameClaim() string
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetGroupsClaim returns the ID Token groups claim name. May return empty string, in which case we won't
// try to read groups from the upstream provider.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
GetGroupsClaim() string
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// AllowsPasswordGrant returns true if a client should be allowed to use the resource owner password credentials grant
// flow with this upstream provider. When false, it should not be allowed.
AllowsPasswordGrant() bool
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
// GetAdditionalAuthcodeParams returns additional params to be sent on authcode requests.
GetAdditionalAuthcodeParams() map[string]string
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// PasswordCredentialsGrantAndValidateTokens performs upstream OIDC resource owner password credentials grant and
// token validation. Returns the validated raw tokens as well as the parsed claims of the ID token.
PasswordCredentialsGrantAndValidateTokens(ctx context.Context, username, password string) (*oidctypes.Token, error)
// ExchangeAuthcodeAndValidateTokens performs upstream OIDC authorization code exchange and token validation.
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 20:54:11 +00:00
// Returns the validated raw tokens as well as the parsed claims of the ID token.
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
ExchangeAuthcodeAndValidateTokens(
ctx context.Context,
authcode string,
pkceCodeVerifier pkce.Code,
expectedIDTokenNonce nonce.Nonce,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
redirectURI string,
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 21:33:36 +00:00
) (*oidctypes.Token, error)
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 23:08:27 +00:00
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 21:33:36 +00:00
ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error)
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
}
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
type UpstreamLDAPIdentityProviderI interface {
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetName returns a name for this upstream provider.
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
GetName() string
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// GetURL returns a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234".
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 00:28:01 +00:00
// This URL is not used for connecting to the provider, but rather is used for creating a globally unique user
// identifier by being combined with the user's UID, since user UIDs are only unique within one provider.
Add user search base to downstream subject for upstream LDAP - Also add some tests about UTF-8 characters in LDAP attributes
2021-05-27 00:04:20 +00:00
GetURL() *url.URL
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-09 00:28:01 +00:00
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
// GetResourceUID returns the Kubernetes resource ID
GetResourceUID() types.UID
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// UserAuthenticator adds an interface method for performing user authentication against the upstream LDAP provider.
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress.
2021-04-10 01:49:43 +00:00
authenticators.UserAuthenticator
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
}
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
type DynamicUpstreamIDPProvider interface {
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI)
GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI
SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI)
GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI
Advertise Active Directory idps
2021-07-02 22:30:27 +00:00
SetActiveDirectoryIdentityProviders(adIDPs []UpstreamLDAPIdentityProviderI)
GetActiveDirectoryIdentityProviders() []UpstreamLDAPIdentityProviderI
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
}
type dynamicUpstreamIDPProvider struct {
Advertise Active Directory idps
2021-07-02 22:30:27 +00:00
oidcUpstreams []UpstreamOIDCIdentityProviderI
ldapUpstreams []UpstreamLDAPIdentityProviderI
activeDirectoryUpstreams []UpstreamLDAPIdentityProviderI
mutex sync.RWMutex
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
}
func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider {
return &dynamicUpstreamIDPProvider{
Advertise Active Directory idps
2021-07-02 22:30:27 +00:00
oidcUpstreams: []UpstreamOIDCIdentityProviderI{},
ldapUpstreams: []UpstreamLDAPIdentityProviderI{},
activeDirectoryUpstreams: []UpstreamLDAPIdentityProviderI{},
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
}
}
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
func (p *dynamicUpstreamIDPProvider) SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI) {
p.mutex.Lock() // acquire a write lock
defer p.mutex.Unlock()
p.oidcUpstreams = oidcIDPs
}
func (p *dynamicUpstreamIDPProvider) GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI {
p.mutex.RLock() // acquire a read lock
defer p.mutex.RUnlock()
return p.oidcUpstreams
}
func (p *dynamicUpstreamIDPProvider) SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI) {
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
p.mutex.Lock() // acquire a write lock
defer p.mutex.Unlock()
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
p.ldapUpstreams = ldapIDPs
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
}
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
func (p *dynamicUpstreamIDPProvider) GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI {
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
p.mutex.RLock() // acquire a read lock
defer p.mutex.RUnlock()
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
return p.ldapUpstreams
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-03 20:06:07 +00:00
}
Advertise Active Directory idps
2021-07-02 22:30:27 +00:00
func (p *dynamicUpstreamIDPProvider) SetActiveDirectoryIdentityProviders(adIDPs []UpstreamLDAPIdentityProviderI) {
p.mutex.Lock() // acquire a write lock
defer p.mutex.Unlock()
p.activeDirectoryUpstreams = adIDPs
}
func (p *dynamicUpstreamIDPProvider) GetActiveDirectoryIdentityProviders() []UpstreamLDAPIdentityProviderI {
p.mutex.RLock() // acquire a read lock
defer p.mutex.RUnlock()
return p.activeDirectoryUpstreams
}
Reference in New Issue Copy Permalink