ContainerImage.Pinniped/internal/oidc/oidc.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package oidc contains common OIDC functionality needed by Pinniped.
package oidc

import (
	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
)

const (
	WellKnownEndpointPath     = "/.well-known/openid-configuration"
	AuthorizationEndpointPath = "/oauth2/authorize"
	TokenEndpointPath         = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
	JWKSEndpointPath          = "/jwks.json"
)

func PinnipedCLIOIDCClient() *fosite.DefaultOpenIDConnectClient {
	return &fosite.DefaultOpenIDConnectClient{
		DefaultClient: &fosite.DefaultClient{
			ID:            "pinniped-cli",
			Public:        true,
			RedirectURIs:  []string{"http://127.0.0.1/callback"},
			ResponseTypes: []string{"code"},
			GrantTypes:    []string{"authorization_code"},
			Scopes:        []string{"openid", "profile", "email"},
		},
	}
}

func FositeOauth2Helper(oauthStore interface{}, hmacSecretOfLengthAtLeast32 []byte) fosite.OAuth2Provider {
	oauthConfig := &compose.Config{
		EnforcePKCEForPublicClients: true,
	}

	return compose.Compose(
		oauthConfig,
		oauthStore,
		&compose.CommonStrategy{
			// Note that Fosite requires the HMAC secret to be at least 32 bytes.
			CoreStrategy: compose.NewOAuth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32, nil),
		},
		nil, // hasher, defaults to using BCrypt when nil. Used for hashing client secrets.
		compose.OAuth2AuthorizeExplicitFactory,
		// compose.OAuth2RefreshTokenGrantFactory,
		compose.OpenIDConnectExplicitFactory,
		// compose.OpenIDConnectRefreshFactory,
		compose.OAuth2PKCEFactory,
	)
}
supervisor-oidc: hoist OIDC discovery handler for testing Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-06 14:11:57 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// Package oidc contains common OIDC functionality needed by Pinniped.`
			`package oidc`

Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`import (`
			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/compose"`
			`)`

supervisor-oidc: hoist OIDC discovery handler for testing Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-06 14:11:57 +00:00			`const (`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`WellKnownEndpointPath = "/.well-known/openid-configuration"`
			`AuthorizationEndpointPath = "/oauth2/authorize"`
			`TokenEndpointPath = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential`
			`JWKSEndpointPath = "/jwks.json"`
supervisor-oidc: hoist OIDC discovery handler for testing Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-06 14:11:57 +00:00			`)`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00
			`func PinnipedCLIOIDCClient() *fosite.DefaultOpenIDConnectClient {`
			`return &fosite.DefaultOpenIDConnectClient{`
			`DefaultClient: &fosite.DefaultClient{`
			`ID: "pinniped-cli",`
			`Public: true,`
			`RedirectURIs: []string{"http://127.0.0.1/callback"},`
			`ResponseTypes: []string{"code"},`
			`GrantTypes: []string{"authorization_code"},`
			`Scopes: []string{"openid", "profile", "email"},`
			`},`
			`}`
			`}`

Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`func FositeOauth2Helper(oauthStore interface{}, hmacSecretOfLengthAtLeast32 []byte) fosite.OAuth2Provider {`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`oauthConfig := &compose.Config{`
			`EnforcePKCEForPublicClients: true,`
			`}`

			`return compose.Compose(`
			`oauthConfig,`
			`oauthStore,`
			`&compose.CommonStrategy{`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`// Note that Fosite requires the HMAC secret to be at least 32 bytes.`
			`CoreStrategy: compose.NewOAuth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32, nil),`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`},`
			`nil, // hasher, defaults to using BCrypt when nil. Used for hashing client secrets.`
			`compose.OAuth2AuthorizeExplicitFactory,`
			`// compose.OAuth2RefreshTokenGrantFactory,`
Also run OIDC validations in supervisor authorize endpoint Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-06 22:44:58 +00:00			`compose.OpenIDConnectExplicitFactory,`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`// compose.OpenIDConnectRefreshFactory,`
			`compose.OAuth2PKCEFactory,`
			`)`
			`}`