djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
62c597eb3b
ContainerImage.Pinniped/internal/federationdomain/endpoints/token/token_handler.go

539 lines
22 KiB
Go
Raw Normal View History

First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
// SPDX-License-Identifier: Apache-2.0
// Package token provides a handler for the OIDC token endpoint.
package token
import (
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
"context"
Check username claim is unchanged for oidc. Also add integration tests for claims changing.
2021-12-14 19:59:52 +00:00
"errors"
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
"fmt"
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
"net/http"
"github.com/ory/fosite"
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
errorsx "github.com/pkg/errors"
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
"golang.org/x/oauth2"
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
"k8s.io/apimachinery/pkg/util/sets"
Supervisor should emit a warning when access token lifetime is too short
2022-01-18 23:34:19 +00:00
"k8s.io/apiserver/pkg/warning"
Handle refresh requests without groups scope Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 15:21:16 +00:00
"k8s.io/utils/strings/slices"
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
reorganize federation domain packages to be more intuitive Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-06-22 22:12:33 +00:00
"go.pinniped.dev/internal/federationdomain/downstreamsession"
"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
"go.pinniped.dev/internal/federationdomain/oidc"
"go.pinniped.dev/internal/federationdomain/resolvedprovider"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
"go.pinniped.dev/internal/httputil/httperr"
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
"go.pinniped.dev/internal/idtransform"
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
"go.pinniped.dev/internal/plog"
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
"go.pinniped.dev/internal/psession"
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
)
func NewHandler(
Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-22 20:12:50 +00:00
idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI,
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
oauthHelper fosite.OAuth2Provider,
) http.Handler {
return httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
session := psession.NewPinnipedSession()
accessRequest, err := oauthHelper.NewAccessRequest(r.Context(), r, session)
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
if err != nil {
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 15:06:55 +00:00
plog.Info("token request error", oidc.FositeErrorForLog(err)...)
Upgrade project Go dependencies Most of the changes in this commit are because of these fosite PRs which changed behavior and/or APIs in fosite: - https://github.com/ory/fosite/pull/667 - https://github.com/ory/fosite/pull/679 (from me!) - https://github.com/ory/fosite/pull/675 - https://github.com/ory/fosite/pull/688 Due to the changes in fosite PR #688, we need to bump our storage version for anything which stores the DefaultSession struct as JSON.
2022-12-14 00:18:51 +00:00
oauthHelper.WriteAccessError(r.Context(), w, accessRequest, err)
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
return nil
}
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
// Check if we are performing a refresh grant.
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
if accessRequest.GetGrantTypes().ExactOne(oidcapi.GrantTypeRefreshToken) {
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
// The above call to NewAccessRequest has loaded the session from storage into the accessRequest variable.
// The session, requested scopes, and requested audience from the original authorize request was retrieved
// from the Kube storage layer and added to the accessRequest. Additionally, the audience and scopes may
// have already been granted on the accessRequest.
err = upstreamRefresh(r.Context(), accessRequest, idpLister)
if err != nil {
plog.Info("upstream refresh error", oidc.FositeErrorForLog(err)...)
Upgrade project Go dependencies Most of the changes in this commit are because of these fosite PRs which changed behavior and/or APIs in fosite: - https://github.com/ory/fosite/pull/667 - https://github.com/ory/fosite/pull/679 (from me!) - https://github.com/ory/fosite/pull/675 - https://github.com/ory/fosite/pull/688 Due to the changes in fosite PR #688, we need to bump our storage version for anything which stores the DefaultSession struct as JSON.
2022-12-14 00:18:51 +00:00
oauthHelper.WriteAccessError(r.Context(), w, accessRequest, err)
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
return nil
}
}
Supervisor should emit a warning when access token lifetime is too short
2022-01-18 23:34:19 +00:00
// When we are in the authorization code flow, check if we have any warnings that previous handlers want us
// to send to the client to be printed on the CLI.
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
if accessRequest.GetGrantTypes().ExactOne(oidcapi.GrantTypeAuthorizationCode) {
Integration test + making sure we get the session correctly in token handler
2022-01-19 21:20:49 +00:00
storedSession := accessRequest.GetSession().(*psession.PinnipedSession)
customSessionData := storedSession.Custom
if customSessionData != nil {
for _, warningText := range customSessionData.Warnings {
warning.AddWarning(r.Context(), "", warningText)
}
Supervisor should emit a warning when access token lifetime is too short
2022-01-18 23:34:19 +00:00
}
}
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
accessResponse, err := oauthHelper.NewAccessResponse(r.Context(), accessRequest)
if err != nil {
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 15:06:55 +00:00
plog.Info("token response error", oidc.FositeErrorForLog(err)...)
Upgrade project Go dependencies Most of the changes in this commit are because of these fosite PRs which changed behavior and/or APIs in fosite: - https://github.com/ory/fosite/pull/667 - https://github.com/ory/fosite/pull/679 (from me!) - https://github.com/ory/fosite/pull/675 - https://github.com/ory/fosite/pull/688 Due to the changes in fosite PR #688, we need to bump our storage version for anything which stores the DefaultSession struct as JSON.
2022-12-14 00:18:51 +00:00
oauthHelper.WriteAccessError(r.Context(), w, accessRequest, err)
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
return nil
}
Upgrade project Go dependencies Most of the changes in this commit are because of these fosite PRs which changed behavior and/or APIs in fosite: - https://github.com/ory/fosite/pull/667 - https://github.com/ory/fosite/pull/679 (from me!) - https://github.com/ory/fosite/pull/675 - https://github.com/ory/fosite/pull/688 Due to the changes in fosite PR #688, we need to bump our storage version for anything which stores the DefaultSession struct as JSON.
2022-12-14 00:18:51 +00:00
oauthHelper.WriteAccessResponse(r.Context(), w, accessRequest, accessResponse)
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-01 21:25:12 +00:00
return nil
})
}
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
func errMissingUpstreamSessionInternalError() *fosite.RFC6749Error {
return &fosite.RFC6749Error{
ErrorField: "error",
DescriptionField: "There was an internal server error.",
HintField: "Required upstream data not found in session.",
CodeField: http.StatusInternalServerError,
}
}
func errUpstreamRefreshError() *fosite.RFC6749Error {
return &fosite.RFC6749Error{
ErrorField: "error",
DescriptionField: "Error during upstream refresh.",
CodeField: http.StatusUnauthorized,
}
}
Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-22 20:12:50 +00:00
func upstreamRefresh(ctx context.Context, accessRequest fosite.AccessRequester, idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI) error {
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
session := accessRequest.GetSession().(*psession.PinnipedSession)
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
customSessionData := session.Custom
if customSessionData == nil {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
providerName := customSessionData.ProviderName
providerUID := customSessionData.ProviderUID
if providerUID == "" || providerName == "" {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
Handle refresh requests without groups scope Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 15:21:16 +00:00
grantedScopes := accessRequest.GetGrantedScopes()
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
clientID := accessRequest.GetClient().GetID()
Handle refresh requests without groups scope Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 15:21:16 +00:00
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
switch customSessionData.ProviderType {
case psession.ProviderTypeOIDC:
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
return upstreamOIDCRefresh(ctx, idpLister, session, grantedScopes, clientID)
case psession.ProviderTypeLDAP, psession.ProviderTypeActiveDirectory:
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
return upstreamLDAPRefresh(ctx, idpLister, session, grantedScopes, clientID)
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
default:
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
}
Get tests to compile again and fix lint errors
2023-06-13 19:26:59 +00:00
//nolint:funlen
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
func upstreamOIDCRefresh(
ctx context.Context,
Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-22 20:12:50 +00:00
idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI,
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
session *psession.PinnipedSession,
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
grantedScopes []string,
clientID string,
) error {
Refactor validatetoken to handle refresh case without id token Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-14 00:40:13 +00:00
s := session.Custom
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
groupsScopeGranted := slices.Contains(grantedScopes, oidcapi.ScopeGroups)
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
if s.OIDC == nil {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
}
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
accessTokenStored := s.OIDC.UpstreamAccessToken != ""
refreshTokenStored := s.OIDC.UpstreamRefreshToken != ""
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
exactlyOneTokenStored := (accessTokenStored || refreshTokenStored) && !(accessTokenStored && refreshTokenStored)
if !exactlyOneTokenStored {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
p, err := findOIDCProviderByNameAndValidateUID(s, idpLister)
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
if err != nil {
return err
}
plog.Debug("attempting upstream refresh request",
"providerName", s.ProviderName, "providerType", s.ProviderType, "providerUID", s.ProviderUID)
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
var tokens *oauth2.Token
if refreshTokenStored {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
tokens, err = p.Provider.PerformRefresh(ctx, s.OIDC.UpstreamRefreshToken)
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
if err != nil {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errUpstreamRefreshError().WithHint(
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
"Upstream refresh failed.",
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
).WithTrace(err).WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
}
} else {
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
tokens = &oauth2.Token{AccessToken: s.OIDC.UpstreamAccessToken}
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
// Upstream refresh may or may not return a new ID token. From the spec:
// "the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token."
// https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
_, hasIDTok := tokens.Extra("id_token").(string)
Refactor validatetoken to handle refresh case without id token Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-14 00:40:13 +00:00
Update group memberships during refresh for upstream OIDC providers Update the user's group memberships when possible. Note that we won't always have enough information to be able to update it (see code comments).
2022-01-15 00:38:21 +00:00
// We may or may not have an ID token, and we may or may not have a userinfo endpoint to call for more claims.
// Use what we can (one, both, or neither) and return the union of their claims. If we stored an access token,
// then require that the userinfo endpoint exists and returns a successful response, or else we would have no
// way to check that the user's session was not revoked on the server.
Refactor validatetoken to handle refresh case without id token Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-14 00:40:13 +00:00
// The spec is not 100% clear about whether an ID token from the refresh flow should include a nonce, and at
// least some providers do not include one, so we skip the nonce validation here (but not other validations).
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
validatedTokens, err := p.Provider.ValidateTokenAndMergeWithUserInfo(ctx, tokens, "", hasIDTok, accessTokenStored)
Refactor validatetoken to handle refresh case without id token Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-14 00:40:13 +00:00
if err != nil {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errUpstreamRefreshError().WithHintf(
"Upstream refresh returned an invalid ID token or UserInfo response.").WithTrace(err).
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Refactor validatetoken to handle refresh case without id token Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-14 00:40:13 +00:00
}
Update group memberships during refresh for upstream OIDC providers Update the user's group memberships when possible. Note that we won't always have enough information to be able to update it (see code comments).
2022-01-15 00:38:21 +00:00
mergedClaims := validatedTokens.IDToken.Claims
Refactor validatetoken to handle refresh case without id token Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-14 00:40:13 +00:00
started add units tests for identity transforms to token_handler_test.go
2023-08-23 23:01:25 +00:00
// To the extent possible, check that the user's basic identity hasn't changed. We check that their downstream
// username has not changed separately below, as part of reapplying the transformations.
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
err = validateSubjectAndIssuerUnchangedSinceInitialLogin(mergedClaims, session)
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
if err != nil {
return err
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
var refreshedUntransformedGroups []string
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
if groupsScopeGranted {
Handle refresh requests without groups scope Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 15:21:16 +00:00
// If possible, update the user's group memberships. The configured groups claim name (if there is one) may or
// may not be included in the newly fetched and merged claims. It could be missing due to a misconfiguration of the
// claim name. It could also be missing because the claim was originally found in the ID token during login, but
// now we might not have a refreshed ID token.
// If the claim is found, then use it to update the user's group membership in the session.
// If the claim is not found, then we have no new information about groups, so skip updating the group membership
// and let any old groups memberships in the session remain.
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
refreshedUntransformedGroups, err = downstreamsession.GetGroupsFromUpstreamIDToken(p.Provider, mergedClaims)
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
if err != nil {
Handle refresh requests without groups scope Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 15:21:16 +00:00
return errUpstreamRefreshError().WithHintf(
"Upstream refresh error while extracting groups claim.").WithTrace(err).
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
}
Update group memberships during refresh for upstream OIDC providers Update the user's group memberships when possible. Note that we won't always have enough information to be able to update it (see code comments).
2022-01-15 00:38:21 +00:00
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
// It's possible that a username wasn't returned by the upstream provider during refresh,
// but if it is, verify that the transformed version of it hasn't changed.
refreshedUntransformedUsername, hasRefreshedUntransformedUsername := getString(mergedClaims, p.Provider.GetUsernameClaim())
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
oldUntransformedUsername := s.UpstreamUsername
oldUntransformedGroups := s.UpstreamGroups
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
if !hasRefreshedUntransformedUsername {
// If we could not get a new username, then we still need the untransformed username to be able to
// run the transformations again, so fetch the original untransformed username from the session.
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
refreshedUntransformedUsername = oldUntransformedUsername
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
}
if refreshedUntransformedGroups == nil {
// If we could not get a new list of groups, then we still need the untransformed groups list to be able to
// run the transformations again, so fetch the original untransformed groups list from the session.
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
// We should also run the transformations on the original groups even when the groups scope was not granted,
// because a transformation policy may want to reject the authentication based on the group memberships, even
// though the group memberships will not be shared with the client (in the code below) due to the groups scope
// not being granted.
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
refreshedUntransformedGroups = oldUntransformedGroups
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
}
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
oldTransformedUsername, err := getDownstreamUsernameFromPinnipedSession(session)
if err != nil {
return err
}
var oldTransformedGroups []string
if groupsScopeGranted {
oldTransformedGroups, err = getDownstreamGroupsFromPinnipedSession(session)
if err != nil {
return err
}
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
transformationResult, err := transformRefreshedIdentity(ctx,
p.Transforms,
oldTransformedUsername,
refreshedUntransformedUsername,
refreshedUntransformedGroups,
s.ProviderName,
s.ProviderType,
)
if err != nil {
return err
}
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
if groupsScopeGranted {
warnIfGroupsChanged(ctx, oldTransformedGroups, transformationResult.Groups, transformationResult.Username, clientID)
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
// Replace the old value for the downstream groups in the user's session with the new value.
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
session.Fosite.Claims.Extra[oidcapi.IDTokenClaimGroups] = transformationResult.Groups
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
// Upstream refresh may or may not return a new refresh token. If we got a new refresh token, then update it in
// the user's session. If we did not get a new refresh token, then keep the old one in the session by avoiding
// overwriting the old one.
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
if tokens.RefreshToken != "" {
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
plog.Debug("upstream refresh request returned a new refresh token",
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
"providerName", s.ProviderName, "providerType", s.ProviderType, "providerUID", s.ProviderUID)
Perform access token based refresh by fetching the userinfo
2022-01-13 02:05:10 +00:00
s.OIDC.UpstreamRefreshToken = tokens.RefreshToken
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
return nil
}
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
// print out the diff between two lists of sorted groups.
func diffSortedGroups(oldGroups, newGroups []string) ([]string, []string) {
oldGroupsAsSet := sets.NewString(oldGroups...)
newGroupsAsSet := sets.NewString(newGroups...)
added := newGroupsAsSet.Difference(oldGroupsAsSet) // groups in newGroups that are not in oldGroups i.e. added
removed := oldGroupsAsSet.Difference(newGroupsAsSet) // groups in oldGroups that are not in newGroups i.e. removed
return added.List(), removed.List()
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
func validateSubjectAndIssuerUnchangedSinceInitialLogin(mergedClaims map[string]interface{}, session *psession.PinnipedSession) error {
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
s := session.Custom
// If we have any claims at all, we better have a subject, and it better match the previous value.
// but it's possible that we don't because both returning a new id token on refresh and having a userinfo
// endpoint are optional.
if len(mergedClaims) == 0 {
return nil
}
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
newSub, hasSub := getString(mergedClaims, oidcapi.IDTokenClaimSubject)
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
if !hasSub {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errUpstreamRefreshError().WithHintf(
"Upstream refresh failed.").WithTrace(errors.New("subject in upstream refresh not found")).
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
}
if s.OIDC.UpstreamSubject != newSub {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errUpstreamRefreshError().WithHintf(
"Upstream refresh failed.").WithTrace(errors.New("subject in upstream refresh does not match previous value")).
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
}
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
newIssuer, hasIssuer := getString(mergedClaims, oidcapi.IDTokenClaimIssuer)
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
// It's possible that an issuer wasn't returned by the upstream provider during refresh,
// but if it is, verify that it hasn't changed.
if hasIssuer && s.OIDC.UpstreamIssuer != newIssuer {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errUpstreamRefreshError().WithHintf(
"Upstream refresh failed.").WithTrace(errors.New("issuer in upstream refresh does not match previous value")).
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Refactored oidcUpstreamRefresh Various style changes, updated some comments and variable names and extracted a helper function for validation.
2022-01-12 22:28:52 +00:00
}
return nil
}
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
func getString(m map[string]interface{}, key string) (string, bool) {
val, ok := m[key].(string)
return val, ok
}
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
func findOIDCProviderByNameAndValidateUID(
s *psession.CustomSessionData,
Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-22 20:12:50 +00:00
idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI,
) (*resolvedprovider.FederationDomainResolvedOIDCIdentityProvider, error) {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
for _, p := range idpLister.GetOIDCIdentityProviders() {
if p.Provider.GetName() == s.ProviderName {
if p.Provider.GetResourceUID() != s.ProviderUID {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, errorsx.WithStack(errUpstreamRefreshError().WithHint(
More small updates based on PR feedback
2021-10-22 17:23:21 +00:00
"Provider from upstream session data has changed its resource UID since authentication."))
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
return p, nil
}
}
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, errorsx.WithStack(errUpstreamRefreshError().
Update group memberships during refresh for upstream OIDC providers Update the user's group memberships when possible. Note that we won't always have enough information to be able to update it (see code comments).
2022-01-15 00:38:21 +00:00
WithHint("Provider from upstream session data was not found.").
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType))
Perform an upstream refresh during downstream refresh for OIDC upstreams - If the upstream refresh fails, then fail the downstream refresh - If the upstream refresh returns an ID token, then validate it (we use its claims in the future, but not in this commit) - If the upstream refresh returns a new refresh token, then save it into the user's session in storage - Pass the provider cache into the token handler so it can use the cached providers to perform upstream refreshes - Handle unexpected errors in the token handler where the user's session does not contain the expected data. These should not be possible in practice unless someone is manually editing the storage, but handle them anyway just to be safe. - Refactor to share the refresh code between the CLI and the token endpoint by moving it into the UpstreamOIDCIdentityProviderI interface, since the token endpoint needed it to be part of that interface anyway
2021-10-13 19:31:20 +00:00
}
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
func upstreamLDAPRefresh(
ctx context.Context,
Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-22 20:12:50 +00:00
idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI,
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
session *psession.PinnipedSession,
grantedScopes []string,
clientID string,
) error {
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
s := session.Custom
groupsScopeGranted := slices.Contains(grantedScopes, oidcapi.ScopeGroups)
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
oldTransformedUsername, err := getDownstreamUsernameFromPinnipedSession(session)
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
if err != nil {
return err
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
var oldTransformedGroups []string
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
if groupsScopeGranted {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
oldTransformedGroups, err = getDownstreamGroupsFromPinnipedSession(session)
Add a couple tests, address pr comments Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 21:19:55 +00:00
if err != nil {
return err
}
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
}
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-03 17:33:22 +00:00
validLDAP := s.ProviderType == psession.ProviderTypeLDAP && s.LDAP != nil && s.LDAP.UserDN != ""
validAD := s.ProviderType == psession.ProviderTypeActiveDirectory && s.ActiveDirectory != nil && s.ActiveDirectory.UserDN != ""
if !(validLDAP || validAD) {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-09 22:02:40 +00:00
var additionalAttributes map[string]string
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
if s.ProviderType == psession.ProviderTypeLDAP {
additionalAttributes = s.LDAP.ExtraRefreshAttributes
} else {
additionalAttributes = s.ActiveDirectory.ExtraRefreshAttributes
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
p, dn, err := findLDAPProviderByNameAndValidateUID(s, idpLister)
Check that username and subject remain the same for ldap refresh
2021-10-25 21:25:43 +00:00
if err != nil {
return err
}
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
if session.IDTokenClaims().AuthTime.IsZero() {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
plog.Debug("attempting upstream refresh request",
"providerName", s.ProviderName, "providerType", s.ProviderType, "providerUID", s.ProviderUID)
oldUntransformedUsername := s.UpstreamUsername
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
oldUntransformedGroups := s.UpstreamGroups
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
refreshedUntransformedGroups, err := p.Provider.PerformRefresh(ctx, upstreamprovider.RefreshAttributes{
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
Username: oldUntransformedUsername,
Subject: session.Fosite.Claims.Subject,
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
DN: dn,
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
Groups: oldUntransformedGroups,
Make pwdLastSet stuff more generic and not require parsing the timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-12-08 23:03:57 +00:00
AdditionalAttributes: additionalAttributes,
Don't do ldap group search when group scope not specified Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 17:58:08 +00:00
GrantedScopes: grantedScopes,
add the IDP display name to the downstream ID token's `sub` claim To make the subject of the downstream ID token more unique when there are multiple IDPs. It is possible to define two IDPs in a FederationDomain using the same identity provider CR, in which case the only thing that would make the subject claim different is adding the IDP display name into the values of the subject claim.
2023-08-30 22:13:42 +00:00
}, p.DisplayName)
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
if err != nil {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return errUpstreamRefreshError().WithHint(
"Upstream refresh failed.").WithTrace(err).
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
transformationResult, err := transformRefreshedIdentity(ctx,
p.Transforms,
oldTransformedUsername,
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
oldUntransformedUsername, // LDAP PerformRefresh validates that the username did not change, so this is also the refreshed upstream username
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
refreshedUntransformedGroups,
s.ProviderName,
s.ProviderType,
)
if err != nil {
return err
}
fix token_handler_test.go
2023-06-26 19:40:13 +00:00
if groupsScopeGranted {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
warnIfGroupsChanged(ctx, oldTransformedGroups, transformationResult.Groups, transformationResult.Username, clientID)
Fix some tests in supervisor_login_test.go
2023-06-26 22:26:24 +00:00
// Replace the old value for the downstream groups in the user's session with the new value.
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
session.Fosite.Claims.Extra[oidcapi.IDTokenClaimGroups] = transformationResult.Groups
Handle refresh requests without groups scope Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 15:21:16 +00:00
}
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
return nil
}
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
func transformRefreshedIdentity(
ctx context.Context,
transforms *idtransform.TransformationPipeline,
oldTransformedUsername string,
upstreamUsername string,
upstreamGroups []string,
providerName string,
providerType psession.ProviderType,
) (*idtransform.TransformationResult, error) {
transformationResult, err := transforms.Evaluate(ctx, upstreamUsername, upstreamGroups)
if err != nil {
return nil, errUpstreamRefreshError().WithHintf(
"Upstream refresh error while applying configured identity transformations.").
WithTrace(err).
WithDebugf("provider name: %q, provider type: %q", providerName, providerType)
}
if !transformationResult.AuthenticationAllowed {
return nil, errUpstreamRefreshError().WithHintf(
"Upstream refresh rejected by configured identity policy: %s.", transformationResult.RejectedAuthenticationMessage).
WithDebugf("provider name: %q, provider type: %q", providerName, providerType)
}
if oldTransformedUsername != transformationResult.Username {
return nil, errUpstreamRefreshError().WithHintf(
"Upstream refresh failed.").
WithTrace(errors.New("username in upstream refresh does not match previous value")).
WithDebugf("provider name: %q, provider type: %q", providerName, providerType)
}
return transformationResult, nil
}
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
func findLDAPProviderByNameAndValidateUID(
s *psession.CustomSessionData,
Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-06-22 20:12:50 +00:00
idpLister federationdomainproviders.FederationDomainIdentityProvidersListerI,
) (*resolvedprovider.FederationDomainResolvedLDAPIdentityProvider, string, error) {
var providers []*resolvedprovider.FederationDomainResolvedLDAPIdentityProvider
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
var dn string
if s.ProviderType == psession.ProviderTypeLDAP {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
providers = idpLister.GetLDAPIdentityProviders()
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
dn = s.LDAP.UserDN
} else if s.ProviderType == psession.ProviderTypeActiveDirectory {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
providers = idpLister.GetActiveDirectoryIdentityProviders()
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
dn = s.ActiveDirectory.UserDN
}
for _, p := range providers {
First draft of implementation of multiple IDPs support
2023-05-08 21:07:38 +00:00
if p.Provider.GetName() == s.ProviderName {
if p.Provider.GetResourceUID() != s.ProviderUID {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, "", errorsx.WithStack(errUpstreamRefreshError().WithHint(
Update group memberships during refresh for upstream OIDC providers Update the user's group memberships when possible. Note that we won't always have enough information to be able to update it (see code comments).
2022-01-15 00:38:21 +00:00
"Provider from upstream session data has changed its resource UID since authentication.").
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType))
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}
return p, dn, nil
}
}
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, "", errorsx.WithStack(errUpstreamRefreshError().
Update group memberships during refresh for upstream OIDC providers Update the user's group memberships when possible. Note that we won't always have enough information to be able to update it (see code comments).
2022-01-15 00:38:21 +00:00
WithHint("Provider from upstream session data was not found.").
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType))
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
}
Refactor out a function, add tests for getting the wrong idp uid
2021-10-27 00:03:16 +00:00
func getDownstreamUsernameFromPinnipedSession(session *psession.PinnipedSession) (string, error) {
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
downstreamUsername := session.Custom.Username
if len(downstreamUsername) == 0 {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return "", errorsx.WithStack(errMissingUpstreamSessionInternalError())
Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-03 17:33:22 +00:00
}
Refactor out a function, add tests for getting the wrong idp uid
2021-10-27 00:03:16 +00:00
return downstreamUsername, nil
}
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
func getDownstreamGroupsFromPinnipedSession(session *psession.PinnipedSession) ([]string, error) {
extra := session.Fosite.Claims.Extra
if extra == nil {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
}
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
downstreamGroupsInterface := extra[oidcapi.IDTokenClaimGroups]
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
if downstreamGroupsInterface == nil {
Add a couple tests, address pr comments Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-22 21:19:55 +00:00
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
}
downstreamGroupsInterfaceList, ok := downstreamGroupsInterface.([]interface{})
if !ok {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
}
downstreamGroups := make([]string, 0, len(downstreamGroupsInterfaceList))
for _, downstreamGroupInterface := range downstreamGroupsInterfaceList {
downstreamGroup, ok := downstreamGroupInterface.(string)
if !ok || len(downstreamGroup) == 0 {
Remove our direct dependency on ory/x ory/x has new releases very often, sometimes multiple times per week, causing a lot of noise from dependabot. We were barely using it directly, so replace our direct usages with equivalent code.
2022-03-24 17:24:54 +00:00
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
Only run group refresh when the skipGroupRefresh boolean isn't set for AD and LDAP
2022-02-01 16:31:29 +00:00
}
downstreamGroups = append(downstreamGroups, downstreamGroup)
}
return downstreamGroups, nil
}
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
func warnIfGroupsChanged(ctx context.Context, oldGroups, newGroups []string, username string, clientID string) {
if clientID != oidcapi.ClientIDPinnipedCLI {
// Only send these warnings to the CLI client. They are intended for kubectl to print to the screen.
// A webapp using a dynamic client wouldn't know to look for these special warning headers, and
// if the dynamic client lacked the username scope, then these warning messages would be leaking
// the user's username to the client within the text of the warning.
return
}
Fix typo in group removed warning Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 17:03:22 +00:00
added, removed := diffSortedGroups(oldGroups, newGroups)
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
if len(added) > 0 {
warning.AddWarning(ctx, "", fmt.Sprintf("User %q has been added to the following groups: %q", username, added))
}
if len(removed) > 0 {
Fix typo in group removed warning Signed-off-by: Monis Khan <mok@vmware.com>
2022-03-02 17:03:22 +00:00
warning.AddWarning(ctx, "", fmt.Sprintf("User %q has been removed from the following groups: %q", username, removed))
Pinniped Supervisor should issue a warning when groups change during refresh
2022-02-02 00:50:30 +00:00
}
}
Reference in New Issue Copy Permalink