2022-01-07 23:04:58 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
2020-11-30 20:54:11 +00:00
// SPDX-License-Identifier: Apache-2.0
// Package upstreamoidc implements an abstraction of upstream OIDC provider interactions.
package upstreamoidc
import (
"context"
2021-09-28 15:51:01 +00:00
"encoding/json"
2021-08-12 17:00:18 +00:00
"fmt"
2021-10-22 21:32:26 +00:00
"io"
2020-11-30 20:54:11 +00:00
"net/http"
"net/url"
2021-10-22 21:32:26 +00:00
"strings"
2021-12-14 00:40:13 +00:00
"time"
2020-11-30 20:54:11 +00:00
2021-01-20 17:54:44 +00:00
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
2020-11-30 20:54:11 +00:00
"golang.org/x/oauth2"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2021-10-08 22:48:21 +00:00
"k8s.io/apimachinery/pkg/types"
2021-09-28 15:51:01 +00:00
"k8s.io/apimachinery/pkg/util/sets"
2020-11-30 20:54:11 +00:00
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/internal/httputil/httperr"
"go.pinniped.dev/internal/oidc/provider"
2021-01-14 21:46:01 +00:00
"go.pinniped.dev/internal/plog"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/pkg/oidcclient/nonce"
2020-11-30 23:02:03 +00:00
"go.pinniped.dev/pkg/oidcclient/oidctypes"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/pkg/oidcclient/pkce"
)
2021-01-09 19:27:35 +00:00
func New ( config * oauth2 . Config , provider * coreosoidc . Provider , client * http . Client ) provider . UpstreamOIDCIdentityProviderI {
2020-12-02 16:27:20 +00:00
return & ProviderConfig { Config : config , Provider : provider , Client : client }
2020-11-30 23:14:57 +00:00
}
2020-11-30 20:54:11 +00:00
// ProviderConfig holds the active configuration of an upstream OIDC provider.
type ProviderConfig struct {
2021-10-08 22:48:21 +00:00
Name string
ResourceUID types . UID
UsernameClaim string
GroupsClaim string
Config * oauth2 . Config
Client * http . Client
AllowPasswordGrant bool
AdditionalAuthcodeParams map [ string ] string
2021-10-22 21:32:26 +00:00
RevocationURL * url . URL // will commonly be nil: many providers do not offer this
2021-10-08 22:48:21 +00:00
Provider interface {
2021-01-09 19:27:35 +00:00
Verifier ( * coreosoidc . Config ) * coreosoidc . IDTokenVerifier
2021-09-28 15:29:20 +00:00
Claims ( v interface { } ) error
2021-01-09 19:27:35 +00:00
UserInfo ( ctx context . Context , tokenSource oauth2 . TokenSource ) ( * coreosoidc . UserInfo , error )
2020-11-30 20:54:11 +00:00
}
}
2021-10-13 19:31:20 +00:00
var _ provider . UpstreamOIDCIdentityProviderI = ( * ProviderConfig ) ( nil )
2021-10-08 22:48:21 +00:00
func ( p * ProviderConfig ) GetResourceUID ( ) types . UID {
return p . ResourceUID
}
2021-10-22 21:32:26 +00:00
func ( p * ProviderConfig ) GetRevocationURL ( ) * url . URL {
return p . RevocationURL
}
2022-01-11 23:40:38 +00:00
func ( p * ProviderConfig ) HasUserInfoURL ( ) bool {
providerJSON := & struct {
UserInfoURL string ` json:"userinfo_endpoint" `
} { }
if err := p . Provider . Claims ( providerJSON ) ; err != nil {
// This should never happen in practice because we should have already successfully
// parsed these claims when p.Provider was created.
return false
}
return len ( providerJSON . UserInfoURL ) > 0
}
2021-10-08 22:48:21 +00:00
func ( p * ProviderConfig ) GetAdditionalAuthcodeParams ( ) map [ string ] string {
return p . AdditionalAuthcodeParams
}
2020-11-30 20:54:11 +00:00
func ( p * ProviderConfig ) GetName ( ) string {
return p . Name
}
func ( p * ProviderConfig ) GetClientID ( ) string {
return p . Config . ClientID
}
func ( p * ProviderConfig ) GetAuthorizationURL ( ) * url . URL {
result , _ := url . Parse ( p . Config . Endpoint . AuthURL )
return result
}
func ( p * ProviderConfig ) GetScopes ( ) [ ] string {
return p . Config . Scopes
}
func ( p * ProviderConfig ) GetUsernameClaim ( ) string {
return p . UsernameClaim
}
func ( p * ProviderConfig ) GetGroupsClaim ( ) string {
return p . GroupsClaim
}
2021-08-12 17:00:18 +00:00
func ( p * ProviderConfig ) AllowsPasswordGrant ( ) bool {
return p . AllowPasswordGrant
}
func ( p * ProviderConfig ) PasswordCredentialsGrantAndValidateTokens ( ctx context . Context , username , password string ) ( * oidctypes . Token , error ) {
// Disallow this grant when requested.
if ! p . AllowPasswordGrant {
2021-08-16 21:27:40 +00:00
return nil , fmt . Errorf ( "resource owner password credentials grant is not allowed for this upstream provider according to its configuration" )
2021-08-12 17:00:18 +00:00
}
// Note that this implicitly uses the scopes from p.Config.Scopes.
tok , err := p . Config . PasswordCredentialsToken (
coreosoidc . ClientContext ( ctx , p . Client ) ,
username ,
password ,
)
if err != nil {
return nil , err
}
// There is no nonce to validate for a resource owner password credentials grant because it skips using
// the authorize endpoint and goes straight to the token endpoint.
2021-08-17 20:14:09 +00:00
const skipNonceValidation nonce . Nonce = ""
2022-01-13 02:05:10 +00:00
return p . ValidateTokenAndMergeWithUserInfo ( ctx , tok , skipNonceValidation , true , false )
2021-08-12 17:00:18 +00:00
}
2020-12-04 21:33:36 +00:00
func ( p * ProviderConfig ) ExchangeAuthcodeAndValidateTokens ( ctx context . Context , authcode string , pkceCodeVerifier pkce . Code , expectedIDTokenNonce nonce . Nonce , redirectURI string ) ( * oidctypes . Token , error ) {
2020-12-02 16:36:07 +00:00
tok , err := p . Config . Exchange (
2021-01-09 19:27:35 +00:00
coreosoidc . ClientContext ( ctx , p . Client ) ,
2020-12-02 16:36:07 +00:00
authcode ,
pkceCodeVerifier . Verifier ( ) ,
oauth2 . SetAuthURLParam ( "redirect_uri" , redirectURI ) ,
)
2020-11-30 20:54:11 +00:00
if err != nil {
2020-12-04 21:33:36 +00:00
return nil , err
2020-11-30 20:54:11 +00:00
}
2022-01-13 02:05:10 +00:00
return p . ValidateTokenAndMergeWithUserInfo ( ctx , tok , expectedIDTokenNonce , true , false )
2020-11-30 23:08:27 +00:00
}
2021-10-13 19:31:20 +00:00
func ( p * ProviderConfig ) PerformRefresh ( ctx context . Context , refreshToken string ) ( * oauth2 . Token , error ) {
2021-10-13 21:05:00 +00:00
// Use the provided HTTP client to benefit from its CA, proxy, and other settings.
httpClientContext := coreosoidc . ClientContext ( ctx , p . Client )
2021-10-13 19:31:20 +00:00
// Create a TokenSource without an access token, so it thinks that a refresh is immediately required.
// Then ask it for the tokens to cause it to perform the refresh and return the results.
2021-10-13 21:05:00 +00:00
return p . Config . TokenSource ( httpClientContext , & oauth2 . Token { RefreshToken : refreshToken } ) . Token ( )
2021-10-13 19:31:20 +00:00
}
2021-12-03 21:44:24 +00:00
// RevokeToken will attempt to revoke the given token, if the provider has a revocation endpoint.
2021-12-08 22:29:25 +00:00
// It may return an error wrapped by a RetryableRevocationError, which is an error indicating that it may
// be worth trying to revoke the same token again later. Any other error returned should be assumed to
// represent an error such that it is not worth retrying revocation later, even though revocation failed.
2021-12-03 21:44:24 +00:00
func ( p * ProviderConfig ) RevokeToken ( ctx context . Context , token string , tokenType provider . RevocableTokenType ) error {
2021-10-22 21:32:26 +00:00
if p . RevocationURL == nil {
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken() was called but upstream provider has no available revocation endpoint" ,
"providerName" , p . Name ,
"tokenType" , tokenType ,
)
2021-10-22 21:32:26 +00:00
return nil
}
// First try using client auth in the request params.
2021-12-03 21:44:24 +00:00
tryAnotherClientAuthMethod , err := p . tryRevokeToken ( ctx , token , tokenType , false )
2021-10-22 21:32:26 +00:00
if tryAnotherClientAuthMethod {
// Try again using basic auth this time. Overwrite the first client auth error,
// which isn't useful anymore when retrying.
2021-12-03 21:44:24 +00:00
_ , err = p . tryRevokeToken ( ctx , token , tokenType , true )
2021-10-22 21:32:26 +00:00
}
return err
}
2021-12-03 21:44:24 +00:00
// tryRevokeToken will call the revocation endpoint using either basic auth or by including
2021-10-22 21:32:26 +00:00
// client auth in the request params. It will return an error when the request failed. If the
// request failed for a reason that might be due to bad client auth, then it will return true
// for the tryAnotherClientAuthMethod return value, indicating that it might be worth trying
// again using the other client auth method.
// RFC 7009 defines how to make a revocation request and how to interpret the response.
// See https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 for details.
2021-12-03 21:44:24 +00:00
func ( p * ProviderConfig ) tryRevokeToken (
2021-10-22 21:32:26 +00:00
ctx context . Context ,
2021-12-03 21:44:24 +00:00
token string ,
tokenType provider . RevocableTokenType ,
2021-10-22 21:32:26 +00:00
useBasicAuth bool ,
) ( tryAnotherClientAuthMethod bool , err error ) {
clientID := p . Config . ClientID
clientSecret := p . Config . ClientSecret
// Use the provided HTTP client to benefit from its CA, proxy, and other settings.
httpClient := p . Client
params := url . Values {
2021-12-03 21:44:24 +00:00
"token" : [ ] string { token } ,
"token_type_hint" : [ ] string { string ( tokenType ) } ,
2021-10-22 21:32:26 +00:00
}
if ! useBasicAuth {
params [ "client_id" ] = [ ] string { clientID }
params [ "client_secret" ] = [ ] string { clientSecret }
}
req , err := http . NewRequestWithContext ( ctx , http . MethodPost , p . RevocationURL . String ( ) , strings . NewReader ( params . Encode ( ) ) )
if err != nil {
// This shouldn't really happen since we already know that the method and URL are legal.
return false , err
}
req . Header . Set ( "Content-Type" , "application/x-www-form-urlencoded" )
if useBasicAuth {
req . SetBasicAuth ( clientID , clientSecret )
}
resp , err := httpClient . Do ( req )
if err != nil {
// Couldn't connect to the server or some similar error.
2021-12-08 22:29:25 +00:00
// Could be a temporary network problem, so it might be worth retrying.
return false , provider . NewRetryableRevocationError ( err )
2021-10-22 21:32:26 +00:00
}
defer resp . Body . Close ( )
2021-12-08 22:29:25 +00:00
status := resp . StatusCode
switch {
case status == http . StatusOK :
2021-10-22 21:32:26 +00:00
// Success!
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken() got 200 OK response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth )
2021-10-22 21:32:26 +00:00
return false , nil
2021-12-08 22:29:25 +00:00
case status == http . StatusBadRequest :
2021-10-22 21:32:26 +00:00
// Bad request might be due to bad client auth method. Try to detect that.
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken() got 400 Bad Request response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth )
2021-10-22 21:32:26 +00:00
body , err := io . ReadAll ( resp . Body )
if err != nil {
return false ,
2021-12-08 22:29:25 +00:00
fmt . Errorf ( "error reading response body on response with status code %d: %w" , status , err )
2021-10-22 21:32:26 +00:00
}
var parsedResp struct {
ErrorType string ` json:"error" `
ErrorDescription string ` json:"error_description" `
}
bodyStr := strings . TrimSpace ( string ( body ) ) // trimmed for logging purposes
err = json . Unmarshal ( body , & parsedResp )
if err != nil {
return false ,
2021-12-08 22:29:25 +00:00
fmt . Errorf ( "error parsing response body %q on response with status code %d: %w" , bodyStr , status , err )
2021-10-22 21:32:26 +00:00
}
2021-12-08 22:29:25 +00:00
err = fmt . Errorf ( "server responded with status %d with body: %s" , status , bodyStr )
2021-10-22 21:32:26 +00:00
if parsedResp . ErrorType != "invalid_client" {
2021-12-08 22:29:25 +00:00
// Got an error unrelated to client auth, so not worth trying client auth again. Also, these are errors
// of the type where the server is pretty conclusively rejecting our request, so they are generally
// not worth trying again later either.
// These errors could be any of the other errors from https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
// or "unsupported_token_type" from https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
// or could be some unspecified custom error added by the OIDC provider.
2021-10-22 21:32:26 +00:00
return false , err
}
// Got an "invalid_client" response, which might mean client auth failed, so it may be worth trying again
// using another client auth method. See https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
2021-12-03 21:44:24 +00:00
plog . Trace ( "RevokeToken()'s 400 Bad Request response from provider's revocation endpoint was type 'invalid_client'" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth )
2021-10-22 21:32:26 +00:00
return true , err
2021-12-08 22:29:25 +00:00
case status >= 500 && status <= 599 :
// The spec says 503 Service Unavailable should be retried by the client later.
// See https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1.
// Other forms of 5xx server errors are not particularly conclusive failures. For example, gateway errors could
// be caused by an underlying problem which could potentially become resolved in the near future. We'll be
// optimistic and call all 5xx errors retryable.
plog . Trace ( "RevokeToken() got unexpected error response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth , "statusCode" , status )
return false , provider . NewRetryableRevocationError ( fmt . Errorf ( "server responded with status %d" , status ) )
2021-10-22 21:32:26 +00:00
default :
2021-12-08 22:29:25 +00:00
// Any other error is probably not due to failed client auth, and is probably not worth retrying later.
plog . Trace ( "RevokeToken() got unexpected error response from provider's revocation endpoint" , "providerName" , p . Name , "usedBasicAuth" , useBasicAuth , "statusCode" , status )
return false , fmt . Errorf ( "server responded with status %d" , status )
2021-10-22 21:32:26 +00:00
}
}
2021-12-16 20:53:49 +00:00
// ValidateTokenAndMergeWithUserInfo will validate the ID token. It will also merge the claims from the userinfo endpoint response,
2021-10-13 19:31:20 +00:00
// if the provider offers the userinfo endpoint.
2022-01-13 02:05:10 +00:00
func ( p * ProviderConfig ) ValidateTokenAndMergeWithUserInfo ( ctx context . Context , tok * oauth2 . Token , expectedIDTokenNonce nonce . Nonce , requireIDToken bool , requireUserInfo bool ) ( * oidctypes . Token , error ) {
2021-12-14 00:40:13 +00:00
var validatedClaims = make ( map [ string ] interface { } )
var idTokenExpiry time . Time
// if we require the id token, make sure we have it.
// also, if it exists but wasn't required, still make sure it passes these checks.
2022-01-07 23:04:58 +00:00
idTokenExpiry , idTok , err := p . validateIDToken ( ctx , tok , expectedIDTokenNonce , validatedClaims , requireIDToken )
2020-11-30 20:54:11 +00:00
if err != nil {
2022-01-07 23:04:58 +00:00
return nil , err
2020-11-30 20:54:11 +00:00
}
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
idTokenSubject , _ := validatedClaims [ oidcapi . IDTokenClaimSubject ] . ( string )
2021-01-09 19:27:35 +00:00
2021-12-14 00:40:13 +00:00
if len ( idTokenSubject ) > 0 || ! requireIDToken {
2022-01-12 19:19:43 +00:00
// only fetch userinfo if the ID token has a subject or if we are ignoring the id token completely.
// otherwise, defer to existing ID token validation
2022-01-13 02:05:10 +00:00
if err := p . maybeFetchUserInfoAndMergeClaims ( ctx , tok , validatedClaims , requireIDToken , requireUserInfo ) ; err != nil {
2021-11-30 00:44:58 +00:00
return nil , httperr . Wrap ( http . StatusInternalServerError , "could not fetch user info claims" , err )
}
2020-11-30 20:54:11 +00:00
}
2020-12-04 21:33:36 +00:00
return & oidctypes . Token {
2020-11-30 23:02:03 +00:00
AccessToken : & oidctypes . AccessToken {
2020-11-30 20:54:11 +00:00
Token : tok . AccessToken ,
Type : tok . TokenType ,
Expiry : metav1 . NewTime ( tok . Expiry ) ,
} ,
2020-11-30 23:02:03 +00:00
RefreshToken : & oidctypes . RefreshToken {
2020-11-30 20:54:11 +00:00
Token : tok . RefreshToken ,
} ,
2020-11-30 23:02:03 +00:00
IDToken : & oidctypes . IDToken {
2020-11-30 20:54:11 +00:00
Token : idTok ,
2021-12-14 00:40:13 +00:00
Expiry : metav1 . NewTime ( idTokenExpiry ) ,
2020-12-04 21:33:36 +00:00
Claims : validatedClaims ,
2020-11-30 20:54:11 +00:00
} ,
2020-12-04 21:33:36 +00:00
} , nil
2020-11-30 20:54:11 +00:00
}
2021-01-09 19:27:35 +00:00
2022-01-07 23:04:58 +00:00
func ( p * ProviderConfig ) validateIDToken ( ctx context . Context , tok * oauth2 . Token , expectedIDTokenNonce nonce . Nonce , validatedClaims map [ string ] interface { } , requireIDToken bool ) ( time . Time , string , error ) {
idTok , hasIDTok := tok . Extra ( "id_token" ) . ( string )
if ! hasIDTok && ! requireIDToken {
return time . Time { } , "" , nil // exit early
2021-01-09 19:27:35 +00:00
}
2022-01-07 23:04:58 +00:00
var idTokenExpiry time . Time
if ! hasIDTok {
return time . Time { } , "" , httperr . New ( http . StatusBadRequest , "received response missing ID token" )
2021-09-28 15:29:20 +00:00
}
2022-01-07 23:04:58 +00:00
validated , err := p . Provider . Verifier ( & coreosoidc . Config { ClientID : p . GetClientID ( ) } ) . Verify ( coreosoidc . ClientContext ( ctx , p . Client ) , idTok )
if err != nil {
return time . Time { } , "" , httperr . Wrap ( http . StatusBadRequest , "received invalid ID token" , err )
}
if validated . AccessTokenHash != "" {
if err := validated . VerifyAccessToken ( tok . AccessToken ) ; err != nil {
return time . Time { } , "" , httperr . Wrap ( http . StatusBadRequest , "received invalid ID token" , err )
}
2021-09-28 15:29:20 +00:00
}
2022-01-07 23:04:58 +00:00
if expectedIDTokenNonce != "" {
if err := expectedIDTokenNonce . Validate ( validated ) ; err != nil {
return time . Time { } , "" , httperr . Wrap ( http . StatusBadRequest , "received ID token with invalid nonce" , err )
}
}
if err := validated . Claims ( & validatedClaims ) ; err != nil {
return time . Time { } , "" , httperr . Wrap ( http . StatusInternalServerError , "could not unmarshal id token claims" , err )
}
maybeLogClaims ( "claims from ID token" , p . Name , validatedClaims )
idTokenExpiry = validated . Expiry // keep track of the id token expiry if we have an id token. Otherwise, it'll just be the zero value.
return idTokenExpiry , idTok , nil
}
2021-09-28 15:29:20 +00:00
2022-01-13 02:05:10 +00:00
func ( p * ProviderConfig ) maybeFetchUserInfoAndMergeClaims ( ctx context . Context , tok * oauth2 . Token , claims map [ string ] interface { } , requireIDToken bool , requireUserInfo bool ) error {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
idTokenSubject , _ := claims [ oidcapi . IDTokenClaimSubject ] . ( string )
2021-01-09 19:27:35 +00:00
2022-01-13 02:05:10 +00:00
userInfo , err := p . maybeFetchUserInfo ( ctx , tok , requireUserInfo )
2021-01-09 19:27:35 +00:00
if err != nil {
2021-11-30 00:44:58 +00:00
return err
2021-09-28 15:29:20 +00:00
}
2021-11-30 00:44:58 +00:00
if userInfo == nil {
2021-09-28 15:29:20 +00:00
return nil
2021-01-09 19:27:35 +00:00
}
// The sub (subject) Claim MUST always be returned in the UserInfo Response.
// NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not
// guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in
// the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match,
// the UserInfo Response values MUST NOT be used.
//
// http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
2021-12-16 20:53:49 +00:00
// If there is no ID token and it is not required, we must assume that the caller is performing other checks
// to ensure the subject is correct.
2021-12-14 00:40:13 +00:00
checkIDToken := requireIDToken || len ( idTokenSubject ) > 0
if checkIDToken && ( len ( userInfo . Subject ) == 0 || userInfo . Subject != idTokenSubject ) {
2021-01-09 19:27:35 +00:00
return httperr . Newf ( http . StatusUnprocessableEntity , "userinfo 'sub' claim (%s) did not match id_token 'sub' claim (%s)" , userInfo . Subject , idTokenSubject )
}
2021-12-16 20:53:49 +00:00
// keep track of the issuer from the ID token
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
idTokenIssuer := claims [ oidcapi . IDTokenClaimIssuer ]
2021-12-14 00:40:13 +00:00
2021-01-09 19:27:35 +00:00
// merge existing claims with user info claims
if err := userInfo . Claims ( & claims ) ; err != nil {
return httperr . Wrap ( http . StatusInternalServerError , "could not unmarshal user info claims" , err )
}
2021-12-16 20:53:49 +00:00
// The OIDC spec for the UserInfo response does not make any guarantees about the iss claim's existence or validity:
2021-12-14 00:40:13 +00:00
// "If signed, the UserInfo Response SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the OP's Issuer Identifier URL."
// See https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
// So we just ignore it and use it the version from the id token, which has stronger guarantees.
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
delete ( claims , oidcapi . IDTokenClaimIssuer )
2021-12-14 00:40:13 +00:00
if idTokenIssuer != nil {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
claims [ oidcapi . IDTokenClaimIssuer ] = idTokenIssuer
2021-12-14 00:40:13 +00:00
}
2021-01-09 19:27:35 +00:00
2021-09-28 15:51:01 +00:00
maybeLogClaims ( "claims from ID token and userinfo" , p . Name , claims )
2021-01-09 19:27:35 +00:00
return nil
}
2021-09-28 15:51:01 +00:00
2022-01-13 02:05:10 +00:00
func ( p * ProviderConfig ) maybeFetchUserInfo ( ctx context . Context , tok * oauth2 . Token , requireUserInfo bool ) ( * coreosoidc . UserInfo , error ) {
// implementing the user info endpoint is not required by the OIDC spec, but we may require it in certain situations.
2022-01-11 23:40:38 +00:00
if ! p . HasUserInfoURL ( ) {
2022-01-13 02:05:10 +00:00
if requireUserInfo {
// TODO should these all be http errors?
return nil , httperr . New ( http . StatusInternalServerError , "userinfo endpoint not found, but is required" )
}
2021-11-30 00:44:58 +00:00
return nil , nil
}
userInfo , err := p . Provider . UserInfo ( coreosoidc . ClientContext ( ctx , p . Client ) , oauth2 . StaticTokenSource ( tok ) )
if err != nil {
return nil , httperr . Wrap ( http . StatusInternalServerError , "could not get user info" , err )
}
return userInfo , nil
}
2021-09-28 15:51:01 +00:00
func maybeLogClaims ( msg , name string , claims map [ string ] interface { } ) {
if plog . Enabled ( plog . LevelAll ) { // log keys and values at all level
data , _ := json . Marshal ( claims ) // nothing we can do if it fails, but it really never should
2022-04-16 02:43:53 +00:00
plog . All ( msg , "providerName" , name , "claims" , string ( data ) )
2021-09-28 15:51:01 +00:00
return
}
if plog . Enabled ( plog . LevelDebug ) { // log keys at debug level
keys := sets . StringKeySet ( claims ) . List ( ) // note: this is only safe because the compiler asserts that claims is a map[string]<anything>
2022-04-16 02:43:53 +00:00
plog . Debug ( msg , "providerName" , name , "keys" , keys )
2021-09-28 15:51:01 +00:00
return
}
}