ContainerImage.Pinniped/internal/oidc/oidc.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package oidc contains common OIDC functionality needed by Pinniped.
package oidc

import (
	"crypto/ecdsa"
	"time"

	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
)

const (
	WellKnownEndpointPath     = "/.well-known/openid-configuration"
	AuthorizationEndpointPath = "/oauth2/authorize"
	TokenEndpointPath         = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
	JWKSEndpointPath          = "/jwks.json"
)

func PinnipedCLIOIDCClient() *fosite.DefaultOpenIDConnectClient {
	return &fosite.DefaultOpenIDConnectClient{
		DefaultClient: &fosite.DefaultClient{
			ID:            "pinniped-cli",
			Public:        true,
			RedirectURIs:  []string{"http://127.0.0.1/callback"},
			ResponseTypes: []string{"code"},
			GrantTypes:    []string{"authorization_code"},
			Scopes:        []string{"openid", "profile", "email"},
		},
		TokenEndpointAuthMethod: "none",
	}
}

func FositeOauth2Helper(
	issuerURL string,
	oauthStore fosite.Storage,
	hmacSecretOfLengthAtLeast32 []byte,
	jwtSigningKey *ecdsa.PrivateKey,
) fosite.OAuth2Provider {
	oauthConfig := &compose.Config{
		AuthorizeCodeLifespan: 3 * time.Minute, // seems more than long enough to exchange a code

		IDTokenLifespan:     5 * time.Minute, // match clientCertificateTTL since it has similar properties to this token
		AccessTokenLifespan: 5 * time.Minute, // match clientCertificateTTL since it has similar properties to this token

		RefreshTokenLifespan: 16 * time.Hour, // long enough for a single workday

		IDTokenIssuer: issuerURL,
		TokenURL:      "", // TODO set once we have this endpoint written

		ScopeStrategy:            fosite.ExactScopeStrategy, // be careful and only support exact string matching for scopes
		AudienceMatchingStrategy: nil,                       // I believe the default is fine
		EnforcePKCE:              true,                      // follow current set of best practices and always require PKCE
		AllowedPromptValues:      []string{"none"},          // TODO unclear what we should set here

		RefreshTokenScopes:  nil, // TODO decide what makes sense when we add refresh token support
		MinParameterEntropy: 32,  // 256 bits seems about right
	}

	return compose.Compose(
		oauthConfig,
		oauthStore,
		&compose.CommonStrategy{
			// Note that Fosite requires the HMAC secret to be at least 32 bytes.
			CoreStrategy:               compose.NewOAuth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32, nil),
			OpenIDConnectTokenStrategy: compose.NewOpenIDConnectECDSAStrategy(oauthConfig, jwtSigningKey),
		},
		nil, // hasher, defaults to using BCrypt when nil. Used for hashing client secrets.
		compose.OAuth2AuthorizeExplicitFactory,
		// compose.OAuth2RefreshTokenGrantFactory,
		compose.OpenIDConnectExplicitFactory,
		// compose.OpenIDConnectRefreshFactory,
		compose.OAuth2PKCEFactory,
	)
}
supervisor-oidc: hoist OIDC discovery handler for testing Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-06 14:11:57 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// Package oidc contains common OIDC functionality needed by Pinniped.`
			`package oidc`

Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`import (`
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-01 21:25:12 +00:00			`"crypto/ecdsa"`
Set defaults for fosite config Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-20 20:45:29 +00:00			`"time"`

Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/compose"`
			`)`

supervisor-oidc: hoist OIDC discovery handler for testing Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-06 14:11:57 +00:00			`const (`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`WellKnownEndpointPath = "/.well-known/openid-configuration"`
			`AuthorizationEndpointPath = "/oauth2/authorize"`
			`TokenEndpointPath = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential`
			`JWKSEndpointPath = "/jwks.json"`
supervisor-oidc: hoist OIDC discovery handler for testing Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-06 14:11:57 +00:00			`)`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00
			`func PinnipedCLIOIDCClient() *fosite.DefaultOpenIDConnectClient {`
			`return &fosite.DefaultOpenIDConnectClient{`
			`DefaultClient: &fosite.DefaultClient{`
			`ID: "pinniped-cli",`
			`Public: true,`
			`RedirectURIs: []string{"http://127.0.0.1/callback"},`
			`ResponseTypes: []string{"code"},`
			`GrantTypes: []string{"authorization_code"},`
			`Scopes: []string{"openid", "profile", "email"},`
			`},`
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-01 21:25:12 +00:00			`TokenEndpointAuthMethod: "none",`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`}`
			`}`

token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-01 21:25:12 +00:00			`func FositeOauth2Helper(`
			`issuerURL string,`
			`oauthStore fosite.Storage,`
			`hmacSecretOfLengthAtLeast32 []byte,`
			`jwtSigningKey *ecdsa.PrivateKey,`
			`) fosite.OAuth2Provider {`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`oauthConfig := &compose.Config{`
Set defaults for fosite config Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-20 20:45:29 +00:00			`AuthorizeCodeLifespan: 3 * time.Minute, // seems more than long enough to exchange a code`

			`IDTokenLifespan: 5 * time.Minute, // match clientCertificateTTL since it has similar properties to this token`
			`AccessTokenLifespan: 5 * time.Minute, // match clientCertificateTTL since it has similar properties to this token`

			`RefreshTokenLifespan: 16 * time.Hour, // long enough for a single workday`

			`IDTokenIssuer: issuerURL,`
			`TokenURL: "", // TODO set once we have this endpoint written`

			`ScopeStrategy: fosite.ExactScopeStrategy, // be careful and only support exact string matching for scopes`
			`AudienceMatchingStrategy: nil, // I believe the default is fine`
			`EnforcePKCE: true, // follow current set of best practices and always require PKCE`
			`AllowedPromptValues: []string{"none"}, // TODO unclear what we should set here`

			`RefreshTokenScopes: nil, // TODO decide what makes sense when we add refresh token support`
			`MinParameterEntropy: 32, // 256 bits seems about right`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`}`

			`return compose.Compose(`
			`oauthConfig,`
			`oauthStore,`
			`&compose.CommonStrategy{`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`// Note that Fosite requires the HMAC secret to be at least 32 bytes.`
token_handler.go: first draft of token handler, with a bunch of TODOs Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-01 21:25:12 +00:00			`CoreStrategy: compose.NewOAuth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32, nil),`
			`OpenIDConnectTokenStrategy: compose.NewOpenIDConnectECDSAStrategy(oauthConfig, jwtSigningKey),`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`},`
			`nil, // hasher, defaults to using BCrypt when nil. Used for hashing client secrets.`
			`compose.OAuth2AuthorizeExplicitFactory,`
			`// compose.OAuth2RefreshTokenGrantFactory,`
Also run OIDC validations in supervisor authorize endpoint Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-06 22:44:58 +00:00			`compose.OpenIDConnectExplicitFactory,`
Test that the port of localhost redirect URI is ignored during validation Also move definition of our oauth client and the general fosite configuration to a helper so we can use the same config to construct the handler for both test and production code. Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-04 23:04:50 +00:00			`// compose.OpenIDConnectRefreshFactory,`
			`compose.OAuth2PKCEFactory,`
			`)`
			`}`