2022-01-07 23:04:58 +00:00
|
|
|
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
2020-12-01 21:25:12 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package token provides a handler for the OIDC token endpoint.
|
|
|
|
package token
|
|
|
|
|
|
|
|
import (
|
2021-10-13 19:31:20 +00:00
|
|
|
"context"
|
2021-12-14 19:59:52 +00:00
|
|
|
"errors"
|
2022-02-02 00:50:30 +00:00
|
|
|
"fmt"
|
2020-12-01 21:25:12 +00:00
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/ory/fosite"
|
2022-03-24 17:24:54 +00:00
|
|
|
errorsx "github.com/pkg/errors"
|
2022-01-13 02:05:10 +00:00
|
|
|
"golang.org/x/oauth2"
|
2022-02-02 00:50:30 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
2022-01-18 23:34:19 +00:00
|
|
|
"k8s.io/apiserver/pkg/warning"
|
2022-06-22 15:21:16 +00:00
|
|
|
"k8s.io/utils/strings/slices"
|
2020-12-01 21:25:12 +00:00
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
|
2020-12-01 21:25:12 +00:00
|
|
|
"go.pinniped.dev/internal/httputil/httperr"
|
2020-12-04 15:06:55 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
2022-01-15 00:38:21 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/downstreamsession"
|
2021-10-13 19:31:20 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2020-12-01 21:25:12 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
2021-10-06 22:28:13 +00:00
|
|
|
"go.pinniped.dev/internal/psession"
|
2020-12-01 21:25:12 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func NewHandler(
|
2021-10-13 19:31:20 +00:00
|
|
|
idpLister oidc.UpstreamIdentityProvidersLister,
|
2020-12-01 21:25:12 +00:00
|
|
|
oauthHelper fosite.OAuth2Provider,
|
|
|
|
) http.Handler {
|
|
|
|
return httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
|
2021-10-06 22:28:13 +00:00
|
|
|
session := psession.NewPinnipedSession()
|
|
|
|
accessRequest, err := oauthHelper.NewAccessRequest(r.Context(), r, session)
|
2020-12-01 21:25:12 +00:00
|
|
|
if err != nil {
|
2020-12-04 15:06:55 +00:00
|
|
|
plog.Info("token request error", oidc.FositeErrorForLog(err)...)
|
2022-12-14 00:18:51 +00:00
|
|
|
oauthHelper.WriteAccessError(r.Context(), w, accessRequest, err)
|
2020-12-01 21:25:12 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-10-13 19:31:20 +00:00
|
|
|
// Check if we are performing a refresh grant.
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
if accessRequest.GetGrantTypes().ExactOne(oidcapi.GrantTypeRefreshToken) {
|
2021-10-13 19:31:20 +00:00
|
|
|
// The above call to NewAccessRequest has loaded the session from storage into the accessRequest variable.
|
|
|
|
// The session, requested scopes, and requested audience from the original authorize request was retrieved
|
|
|
|
// from the Kube storage layer and added to the accessRequest. Additionally, the audience and scopes may
|
|
|
|
// have already been granted on the accessRequest.
|
|
|
|
err = upstreamRefresh(r.Context(), accessRequest, idpLister)
|
|
|
|
if err != nil {
|
|
|
|
plog.Info("upstream refresh error", oidc.FositeErrorForLog(err)...)
|
2022-12-14 00:18:51 +00:00
|
|
|
oauthHelper.WriteAccessError(r.Context(), w, accessRequest, err)
|
2021-10-13 19:31:20 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
2022-01-18 23:34:19 +00:00
|
|
|
|
|
|
|
// When we are in the authorization code flow, check if we have any warnings that previous handlers want us
|
|
|
|
// to send to the client to be printed on the CLI.
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
if accessRequest.GetGrantTypes().ExactOne(oidcapi.GrantTypeAuthorizationCode) {
|
2022-01-19 21:20:49 +00:00
|
|
|
storedSession := accessRequest.GetSession().(*psession.PinnipedSession)
|
|
|
|
customSessionData := storedSession.Custom
|
|
|
|
if customSessionData != nil {
|
|
|
|
for _, warningText := range customSessionData.Warnings {
|
|
|
|
warning.AddWarning(r.Context(), "", warningText)
|
|
|
|
}
|
2022-01-18 23:34:19 +00:00
|
|
|
}
|
|
|
|
}
|
2021-10-13 19:31:20 +00:00
|
|
|
|
2020-12-01 21:25:12 +00:00
|
|
|
accessResponse, err := oauthHelper.NewAccessResponse(r.Context(), accessRequest)
|
|
|
|
if err != nil {
|
2020-12-04 15:06:55 +00:00
|
|
|
plog.Info("token response error", oidc.FositeErrorForLog(err)...)
|
2022-12-14 00:18:51 +00:00
|
|
|
oauthHelper.WriteAccessError(r.Context(), w, accessRequest, err)
|
2020-12-01 21:25:12 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-12-14 00:18:51 +00:00
|
|
|
oauthHelper.WriteAccessResponse(r.Context(), w, accessRequest, accessResponse)
|
2020-12-01 21:25:12 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
}
|
2021-10-13 19:31:20 +00:00
|
|
|
|
2022-03-24 17:24:54 +00:00
|
|
|
func errMissingUpstreamSessionInternalError() *fosite.RFC6749Error {
|
|
|
|
return &fosite.RFC6749Error{
|
|
|
|
ErrorField: "error",
|
|
|
|
DescriptionField: "There was an internal server error.",
|
|
|
|
HintField: "Required upstream data not found in session.",
|
|
|
|
CodeField: http.StatusInternalServerError,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func errUpstreamRefreshError() *fosite.RFC6749Error {
|
|
|
|
return &fosite.RFC6749Error{
|
|
|
|
ErrorField: "error",
|
|
|
|
DescriptionField: "Error during upstream refresh.",
|
|
|
|
CodeField: http.StatusUnauthorized,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-10-13 19:31:20 +00:00
|
|
|
func upstreamRefresh(ctx context.Context, accessRequest fosite.AccessRequester, providerCache oidc.UpstreamIdentityProvidersLister) error {
|
|
|
|
session := accessRequest.GetSession().(*psession.PinnipedSession)
|
2021-10-25 21:25:43 +00:00
|
|
|
|
2021-10-13 19:31:20 +00:00
|
|
|
customSessionData := session.Custom
|
|
|
|
if customSessionData == nil {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
providerName := customSessionData.ProviderName
|
|
|
|
providerUID := customSessionData.ProviderUID
|
|
|
|
if providerUID == "" || providerName == "" {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
|
2022-06-22 15:21:16 +00:00
|
|
|
grantedScopes := accessRequest.GetGrantedScopes()
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
clientID := accessRequest.GetClient().GetID()
|
2022-06-22 15:21:16 +00:00
|
|
|
|
2021-10-13 19:31:20 +00:00
|
|
|
switch customSessionData.ProviderType {
|
|
|
|
case psession.ProviderTypeOIDC:
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
return upstreamOIDCRefresh(ctx, session, providerCache, grantedScopes, clientID)
|
2021-10-13 19:31:20 +00:00
|
|
|
case psession.ProviderTypeLDAP:
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes, clientID)
|
2021-10-13 19:31:20 +00:00
|
|
|
case psession.ProviderTypeActiveDirectory:
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
return upstreamLDAPRefresh(ctx, providerCache, session, grantedScopes, clientID)
|
2021-10-13 19:31:20 +00:00
|
|
|
default:
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
func upstreamOIDCRefresh(
|
|
|
|
ctx context.Context,
|
|
|
|
session *psession.PinnipedSession,
|
|
|
|
providerCache oidc.UpstreamIdentityProvidersLister,
|
|
|
|
grantedScopes []string,
|
|
|
|
clientID string,
|
|
|
|
) error {
|
2021-12-14 00:40:13 +00:00
|
|
|
s := session.Custom
|
2022-01-13 02:05:10 +00:00
|
|
|
if s.OIDC == nil {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2022-01-13 02:05:10 +00:00
|
|
|
}
|
2022-01-12 22:28:52 +00:00
|
|
|
|
2022-01-13 02:05:10 +00:00
|
|
|
accessTokenStored := s.OIDC.UpstreamAccessToken != ""
|
|
|
|
refreshTokenStored := s.OIDC.UpstreamRefreshToken != ""
|
2022-01-12 22:28:52 +00:00
|
|
|
|
|
|
|
exactlyOneTokenStored := (accessTokenStored || refreshTokenStored) && !(accessTokenStored && refreshTokenStored)
|
|
|
|
if !exactlyOneTokenStored {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
p, err := findOIDCProviderByNameAndValidateUID(s, providerCache)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
plog.Debug("attempting upstream refresh request",
|
|
|
|
"providerName", s.ProviderName, "providerType", s.ProviderType, "providerUID", s.ProviderUID)
|
|
|
|
|
2022-01-13 02:05:10 +00:00
|
|
|
var tokens *oauth2.Token
|
|
|
|
if refreshTokenStored {
|
|
|
|
tokens, err = p.PerformRefresh(ctx, s.OIDC.UpstreamRefreshToken)
|
|
|
|
if err != nil {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHint(
|
2022-01-13 02:05:10 +00:00
|
|
|
"Upstream refresh failed.",
|
2022-03-24 17:24:54 +00:00
|
|
|
).WithTrace(err).WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2022-01-13 02:05:10 +00:00
|
|
|
}
|
|
|
|
} else {
|
2022-01-12 22:28:52 +00:00
|
|
|
tokens = &oauth2.Token{AccessToken: s.OIDC.UpstreamAccessToken}
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Upstream refresh may or may not return a new ID token. From the spec:
|
|
|
|
// "the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token."
|
|
|
|
// https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
|
2022-01-13 02:05:10 +00:00
|
|
|
_, hasIDTok := tokens.Extra("id_token").(string)
|
2021-12-14 00:40:13 +00:00
|
|
|
|
2022-01-15 00:38:21 +00:00
|
|
|
// We may or may not have an ID token, and we may or may not have a userinfo endpoint to call for more claims.
|
|
|
|
// Use what we can (one, both, or neither) and return the union of their claims. If we stored an access token,
|
|
|
|
// then require that the userinfo endpoint exists and returns a successful response, or else we would have no
|
|
|
|
// way to check that the user's session was not revoked on the server.
|
2021-12-14 00:40:13 +00:00
|
|
|
// The spec is not 100% clear about whether an ID token from the refresh flow should include a nonce, and at
|
|
|
|
// least some providers do not include one, so we skip the nonce validation here (but not other validations).
|
2022-01-13 02:05:10 +00:00
|
|
|
validatedTokens, err := p.ValidateTokenAndMergeWithUserInfo(ctx, tokens, "", hasIDTok, accessTokenStored)
|
2021-12-14 00:40:13 +00:00
|
|
|
if err != nil {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHintf(
|
|
|
|
"Upstream refresh returned an invalid ID token or UserInfo response.").WithTrace(err).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2021-12-14 00:40:13 +00:00
|
|
|
}
|
2022-01-15 00:38:21 +00:00
|
|
|
mergedClaims := validatedTokens.IDToken.Claims
|
2021-12-14 00:40:13 +00:00
|
|
|
|
2022-01-15 00:38:21 +00:00
|
|
|
// To the extent possible, check that the user's basic identity hasn't changed.
|
|
|
|
err = validateIdentityUnchangedSinceInitialLogin(mergedClaims, session, p.GetUsernameClaim())
|
2022-01-12 22:28:52 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
groupsScope := slices.Contains(grantedScopes, oidcapi.ScopeGroups)
|
2022-06-22 17:58:08 +00:00
|
|
|
if groupsScope { //nolint:nestif
|
2022-06-22 15:21:16 +00:00
|
|
|
// If possible, update the user's group memberships. The configured groups claim name (if there is one) may or
|
|
|
|
// may not be included in the newly fetched and merged claims. It could be missing due to a misconfiguration of the
|
|
|
|
// claim name. It could also be missing because the claim was originally found in the ID token during login, but
|
|
|
|
// now we might not have a refreshed ID token.
|
|
|
|
// If the claim is found, then use it to update the user's group membership in the session.
|
|
|
|
// If the claim is not found, then we have no new information about groups, so skip updating the group membership
|
|
|
|
// and let any old groups memberships in the session remain.
|
|
|
|
refreshedGroups, err := downstreamsession.GetGroupsFromUpstreamIDToken(p, mergedClaims)
|
2022-02-02 00:50:30 +00:00
|
|
|
if err != nil {
|
2022-06-22 15:21:16 +00:00
|
|
|
return errUpstreamRefreshError().WithHintf(
|
|
|
|
"Upstream refresh error while extracting groups claim.").WithTrace(err).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2022-02-02 00:50:30 +00:00
|
|
|
}
|
2022-06-22 15:21:16 +00:00
|
|
|
if refreshedGroups != nil {
|
|
|
|
oldGroups, err := getDownstreamGroupsFromPinnipedSession(session)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
username, err := getDownstreamUsernameFromPinnipedSession(session)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
warnIfGroupsChanged(ctx, oldGroups, refreshedGroups, username, clientID)
|
|
|
|
session.Fosite.Claims.Extra[oidcapi.IDTokenClaimGroups] = refreshedGroups
|
2022-02-02 00:50:30 +00:00
|
|
|
}
|
2022-01-15 00:38:21 +00:00
|
|
|
}
|
|
|
|
|
2021-10-13 19:31:20 +00:00
|
|
|
// Upstream refresh may or may not return a new refresh token. If we got a new refresh token, then update it in
|
|
|
|
// the user's session. If we did not get a new refresh token, then keep the old one in the session by avoiding
|
|
|
|
// overwriting the old one.
|
2022-01-13 02:05:10 +00:00
|
|
|
if tokens.RefreshToken != "" {
|
2022-01-12 22:28:52 +00:00
|
|
|
plog.Debug("upstream refresh request returned a new refresh token",
|
2021-10-13 19:31:20 +00:00
|
|
|
"providerName", s.ProviderName, "providerType", s.ProviderType, "providerUID", s.ProviderUID)
|
2022-01-13 02:05:10 +00:00
|
|
|
s.OIDC.UpstreamRefreshToken = tokens.RefreshToken
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-02-02 00:50:30 +00:00
|
|
|
// print out the diff between two lists of sorted groups.
|
|
|
|
func diffSortedGroups(oldGroups, newGroups []string) ([]string, []string) {
|
|
|
|
oldGroupsAsSet := sets.NewString(oldGroups...)
|
|
|
|
newGroupsAsSet := sets.NewString(newGroups...)
|
|
|
|
added := newGroupsAsSet.Difference(oldGroupsAsSet) // groups in newGroups that are not in oldGroups i.e. added
|
|
|
|
removed := oldGroupsAsSet.Difference(newGroupsAsSet) // groups in oldGroups that are not in newGroups i.e. removed
|
|
|
|
return added.List(), removed.List()
|
|
|
|
}
|
|
|
|
|
2022-01-15 00:38:21 +00:00
|
|
|
func validateIdentityUnchangedSinceInitialLogin(mergedClaims map[string]interface{}, session *psession.PinnipedSession, usernameClaimName string) error {
|
2022-01-12 22:28:52 +00:00
|
|
|
s := session.Custom
|
|
|
|
|
|
|
|
// If we have any claims at all, we better have a subject, and it better match the previous value.
|
|
|
|
// but it's possible that we don't because both returning a new id token on refresh and having a userinfo
|
|
|
|
// endpoint are optional.
|
|
|
|
if len(mergedClaims) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
newSub, hasSub := getString(mergedClaims, oidcapi.IDTokenClaimSubject)
|
2022-01-12 22:28:52 +00:00
|
|
|
if !hasSub {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHintf(
|
|
|
|
"Upstream refresh failed.").WithTrace(errors.New("subject in upstream refresh not found")).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2022-01-12 22:28:52 +00:00
|
|
|
}
|
|
|
|
if s.OIDC.UpstreamSubject != newSub {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHintf(
|
|
|
|
"Upstream refresh failed.").WithTrace(errors.New("subject in upstream refresh does not match previous value")).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2022-01-12 22:28:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
newUsername, hasUsername := getString(mergedClaims, usernameClaimName)
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
oldUsername, err := getDownstreamUsernameFromPinnipedSession(session)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-01-12 22:28:52 +00:00
|
|
|
// It's possible that a username wasn't returned by the upstream provider during refresh,
|
|
|
|
// but if it is, verify that it hasn't changed.
|
|
|
|
if hasUsername && oldUsername != newUsername {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHintf(
|
|
|
|
"Upstream refresh failed.").WithTrace(errors.New("username in upstream refresh does not match previous value")).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2022-01-12 22:28:52 +00:00
|
|
|
}
|
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
newIssuer, hasIssuer := getString(mergedClaims, oidcapi.IDTokenClaimIssuer)
|
2022-01-12 22:28:52 +00:00
|
|
|
// It's possible that an issuer wasn't returned by the upstream provider during refresh,
|
|
|
|
// but if it is, verify that it hasn't changed.
|
|
|
|
if hasIssuer && s.OIDC.UpstreamIssuer != newIssuer {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHintf(
|
|
|
|
"Upstream refresh failed.").WithTrace(errors.New("issuer in upstream refresh does not match previous value")).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2022-01-12 22:28:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-01-07 23:04:58 +00:00
|
|
|
func getString(m map[string]interface{}, key string) (string, bool) {
|
|
|
|
val, ok := m[key].(string)
|
|
|
|
return val, ok
|
|
|
|
}
|
|
|
|
|
2021-10-13 19:31:20 +00:00
|
|
|
func findOIDCProviderByNameAndValidateUID(
|
|
|
|
s *psession.CustomSessionData,
|
|
|
|
providerCache oidc.UpstreamIdentityProvidersLister,
|
|
|
|
) (provider.UpstreamOIDCIdentityProviderI, error) {
|
|
|
|
for _, p := range providerCache.GetOIDCIdentityProviders() {
|
|
|
|
if p.GetName() == s.ProviderName {
|
|
|
|
if p.GetResourceUID() != s.ProviderUID {
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, errorsx.WithStack(errUpstreamRefreshError().WithHint(
|
2021-10-22 17:23:21 +00:00
|
|
|
"Provider from upstream session data has changed its resource UID since authentication."))
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
|
|
|
return p, nil
|
|
|
|
}
|
|
|
|
}
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, errorsx.WithStack(errUpstreamRefreshError().
|
2022-01-15 00:38:21 +00:00
|
|
|
WithHint("Provider from upstream session data was not found.").
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType))
|
2021-10-13 19:31:20 +00:00
|
|
|
}
|
2021-10-22 20:57:30 +00:00
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
func upstreamLDAPRefresh(
|
|
|
|
ctx context.Context,
|
|
|
|
providerCache oidc.UpstreamIdentityProvidersLister,
|
|
|
|
session *psession.PinnipedSession,
|
|
|
|
grantedScopes []string,
|
|
|
|
clientID string,
|
|
|
|
) error {
|
2021-10-28 19:00:56 +00:00
|
|
|
username, err := getDownstreamUsernameFromPinnipedSession(session)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
subject := session.Fosite.Claims.Subject
|
2022-06-22 21:19:55 +00:00
|
|
|
var oldGroups []string
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
if slices.Contains(grantedScopes, oidcapi.ScopeGroups) {
|
2022-06-22 21:19:55 +00:00
|
|
|
oldGroups, err = getDownstreamGroupsFromPinnipedSession(session)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-02-01 16:31:29 +00:00
|
|
|
}
|
2021-10-28 19:00:56 +00:00
|
|
|
|
|
|
|
s := session.Custom
|
|
|
|
|
2021-10-22 20:57:30 +00:00
|
|
|
// if you have neither a valid ldap session config nor a valid active directory session config
|
2021-11-03 17:33:22 +00:00
|
|
|
validLDAP := s.ProviderType == psession.ProviderTypeLDAP && s.LDAP != nil && s.LDAP.UserDN != ""
|
|
|
|
validAD := s.ProviderType == psession.ProviderTypeActiveDirectory && s.ActiveDirectory != nil && s.ActiveDirectory.UserDN != ""
|
|
|
|
if !(validLDAP || validAD) {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-10-22 20:57:30 +00:00
|
|
|
}
|
|
|
|
|
2021-12-09 22:02:40 +00:00
|
|
|
var additionalAttributes map[string]string
|
2021-12-08 23:03:57 +00:00
|
|
|
if s.ProviderType == psession.ProviderTypeLDAP {
|
|
|
|
additionalAttributes = s.LDAP.ExtraRefreshAttributes
|
|
|
|
} else {
|
|
|
|
additionalAttributes = s.ActiveDirectory.ExtraRefreshAttributes
|
|
|
|
}
|
|
|
|
|
2021-10-22 20:57:30 +00:00
|
|
|
// get ldap/ad provider out of cache
|
2021-10-25 21:25:43 +00:00
|
|
|
p, dn, err := findLDAPProviderByNameAndValidateUID(s, providerCache)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-10-28 19:00:56 +00:00
|
|
|
if session.IDTokenClaims().AuthTime.IsZero() {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-10-28 19:00:56 +00:00
|
|
|
}
|
2021-10-22 20:57:30 +00:00
|
|
|
// run PerformRefresh
|
2022-06-22 17:58:08 +00:00
|
|
|
groups, err := p.PerformRefresh(ctx, provider.RefreshAttributes{
|
2021-12-08 23:03:57 +00:00
|
|
|
Username: username,
|
|
|
|
Subject: subject,
|
|
|
|
DN: dn,
|
2022-02-01 16:31:29 +00:00
|
|
|
Groups: oldGroups,
|
2021-12-08 23:03:57 +00:00
|
|
|
AdditionalAttributes: additionalAttributes,
|
2022-06-22 17:58:08 +00:00
|
|
|
GrantedScopes: grantedScopes,
|
2021-10-28 19:00:56 +00:00
|
|
|
})
|
2021-10-22 20:57:30 +00:00
|
|
|
if err != nil {
|
2022-03-24 17:24:54 +00:00
|
|
|
return errUpstreamRefreshError().WithHint(
|
|
|
|
"Upstream refresh failed.").WithTrace(err).
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType)
|
2021-10-22 20:57:30 +00:00
|
|
|
}
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
groupsScope := slices.Contains(grantedScopes, oidcapi.ScopeGroups)
|
2022-06-22 15:21:16 +00:00
|
|
|
if groupsScope {
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
warnIfGroupsChanged(ctx, oldGroups, groups, username, clientID)
|
2022-06-22 15:21:16 +00:00
|
|
|
// Replace the old value with the new value.
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
session.Fosite.Claims.Extra[oidcapi.IDTokenClaimGroups] = groups
|
2022-06-22 15:21:16 +00:00
|
|
|
}
|
2022-02-02 00:50:30 +00:00
|
|
|
|
2021-10-22 20:57:30 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func findLDAPProviderByNameAndValidateUID(
|
|
|
|
s *psession.CustomSessionData,
|
|
|
|
providerCache oidc.UpstreamIdentityProvidersLister,
|
|
|
|
) (provider.UpstreamLDAPIdentityProviderI, string, error) {
|
|
|
|
var providers []provider.UpstreamLDAPIdentityProviderI
|
|
|
|
var dn string
|
|
|
|
if s.ProviderType == psession.ProviderTypeLDAP {
|
|
|
|
providers = providerCache.GetLDAPIdentityProviders()
|
|
|
|
dn = s.LDAP.UserDN
|
|
|
|
} else if s.ProviderType == psession.ProviderTypeActiveDirectory {
|
|
|
|
providers = providerCache.GetActiveDirectoryIdentityProviders()
|
|
|
|
dn = s.ActiveDirectory.UserDN
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, p := range providers {
|
|
|
|
if p.GetName() == s.ProviderName {
|
|
|
|
if p.GetResourceUID() != s.ProviderUID {
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, "", errorsx.WithStack(errUpstreamRefreshError().WithHint(
|
2022-01-15 00:38:21 +00:00
|
|
|
"Provider from upstream session data has changed its resource UID since authentication.").
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType))
|
2021-10-22 20:57:30 +00:00
|
|
|
}
|
|
|
|
return p, dn, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, "", errorsx.WithStack(errUpstreamRefreshError().
|
2022-01-15 00:38:21 +00:00
|
|
|
WithHint("Provider from upstream session data was not found.").
|
|
|
|
WithDebugf("provider name: %q, provider type: %q", s.ProviderName, s.ProviderType))
|
2021-10-22 20:57:30 +00:00
|
|
|
}
|
2021-10-27 00:03:16 +00:00
|
|
|
|
|
|
|
func getDownstreamUsernameFromPinnipedSession(session *psession.PinnipedSession) (string, error) {
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
downstreamUsername := session.Custom.Username
|
|
|
|
if len(downstreamUsername) == 0 {
|
2022-03-24 17:24:54 +00:00
|
|
|
return "", errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2021-11-03 17:33:22 +00:00
|
|
|
}
|
2021-10-27 00:03:16 +00:00
|
|
|
return downstreamUsername, nil
|
|
|
|
}
|
2022-02-01 16:31:29 +00:00
|
|
|
|
|
|
|
func getDownstreamGroupsFromPinnipedSession(session *psession.PinnipedSession) ([]string, error) {
|
|
|
|
extra := session.Fosite.Claims.Extra
|
|
|
|
if extra == nil {
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2022-02-01 16:31:29 +00:00
|
|
|
}
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
downstreamGroupsInterface := extra[oidcapi.IDTokenClaimGroups]
|
2022-02-01 16:31:29 +00:00
|
|
|
if downstreamGroupsInterface == nil {
|
2022-06-22 21:19:55 +00:00
|
|
|
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2022-02-01 16:31:29 +00:00
|
|
|
}
|
|
|
|
downstreamGroupsInterfaceList, ok := downstreamGroupsInterface.([]interface{})
|
|
|
|
if !ok {
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2022-02-01 16:31:29 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
downstreamGroups := make([]string, 0, len(downstreamGroupsInterfaceList))
|
|
|
|
for _, downstreamGroupInterface := range downstreamGroupsInterfaceList {
|
|
|
|
downstreamGroup, ok := downstreamGroupInterface.(string)
|
|
|
|
if !ok || len(downstreamGroup) == 0 {
|
2022-03-24 17:24:54 +00:00
|
|
|
return nil, errorsx.WithStack(errMissingUpstreamSessionInternalError())
|
2022-02-01 16:31:29 +00:00
|
|
|
}
|
|
|
|
downstreamGroups = append(downstreamGroups, downstreamGroup)
|
|
|
|
}
|
|
|
|
return downstreamGroups, nil
|
|
|
|
}
|
2022-02-02 00:50:30 +00:00
|
|
|
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
func warnIfGroupsChanged(ctx context.Context, oldGroups, newGroups []string, username string, clientID string) {
|
|
|
|
if clientID != oidcapi.ClientIDPinnipedCLI {
|
|
|
|
// Only send these warnings to the CLI client. They are intended for kubectl to print to the screen.
|
|
|
|
// A webapp using a dynamic client wouldn't know to look for these special warning headers, and
|
|
|
|
// if the dynamic client lacked the username scope, then these warning messages would be leaking
|
|
|
|
// the user's username to the client within the text of the warning.
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-03-02 17:03:22 +00:00
|
|
|
added, removed := diffSortedGroups(oldGroups, newGroups)
|
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
|
|
|
|
2022-02-02 00:50:30 +00:00
|
|
|
if len(added) > 0 {
|
|
|
|
warning.AddWarning(ctx, "", fmt.Sprintf("User %q has been added to the following groups: %q", username, added))
|
|
|
|
}
|
|
|
|
if len(removed) > 0 {
|
2022-03-02 17:03:22 +00:00
|
|
|
warning.AddWarning(ctx, "", fmt.Sprintf("User %q has been removed from the following groups: %q", username, removed))
|
2022-02-02 00:50:30 +00:00
|
|
|
}
|
|
|
|
}
|