Commit Graph

2431 Commits

Author SHA1 Message Date
Andrew Keesler
8fcc176d8b
Merge pull request #258 from ankeesler/jwt-authenticator
Add JWTAuthenticator API and initial controller
2020-12-09 08:21:04 -05:00
Ryan Richard
6420caca94 Bring back the test that was skipped by the previous commit
- This test is still a work in progress. Some TODO comments
  have been added to give hints for next steps.
2020-12-08 18:25:01 -08:00
Ryan Richard
f84dda937b Merge branch 'token-refresh' into token-exchange-endpoint 2020-12-08 18:12:12 -08:00
Ryan Richard
ef4ef583dc token_handler_test.go: Refactor how we specify the expected results
- This is to make it easier for the token exchange branch to also edit
  this test without causing a lot of merge conflicts with the
  refresh token branch, to enable parallel development of closely
  related stories.
2020-12-08 18:10:55 -08:00
Margo Crawford
f103c02408 Add check for grant type in tokenexchangehandler,
- also started writing a test for the tokenexchangehandler, skipping for
now

Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
Margo Crawford
ef3f837800 Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint 2020-12-08 16:58:35 -08:00
Ryan Richard
170982a688 refactor token_handler_test.go: easier to make more requests after initial authcode exchange
- This refactor will allow us to add new test tables for the
  refresh and token exchange requests, which both must come after
  an initial successful authcode exchange has already happened

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 16:54:58 -08:00
Margo Crawford
a852baac75 Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-08 12:55:44 -08:00
Andrew Keesler
381a2e749a
impotent -> idempotent
These words do not mean the same thing...

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
Aram Price
9ed5dcb031
Only create underlying jwt authenticator when spec has changed
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
Andrew Keesler
e0ee18a993
Always close JWTAuthenticator underlying authenticator
Otherwise we will leak goroutines.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
0efc19a1b7
Support JWTAuthenticator in pinniped CLI
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
57103e0a9f
Add JWTAuthenticator controller
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
946b0539d2
Add JWTAuthenticator API type
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Ryan Richard
a9111f39af Merge branch 'main' into token-refresh 2020-12-08 12:32:41 -08:00
Ryan Richard
18d90a727e token_handler_test.go: refresh token gets deleted when authcode reused 2020-12-08 12:12:55 -08:00
Ryan Richard
c090eb6a62 Supervisor token endpoint returns refresh tokens when requested 2020-12-08 11:47:39 -08:00
Andrew Keesler
8f51993db2
Merge pull request #265 from vmware-tanzu/scope-constants
Use constants for scope values
2020-12-08 14:32:09 -05:00
aram price
8d2b8ae6b5 Use constants for scope values 2020-12-08 10:46:05 -08:00
Matt Moyer
afbef23a51 WIP implementing TokenExchangeHandler methods
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:17:03 -08:00
Margo Crawford
e5ecaf01a0 WIP stubbing out tokenexchangehandler 2020-12-08 09:28:19 -08:00
Margo Crawford
b7b6816531
Merge pull request #259 from mattmoyer/add-cli-request-audience
Add a `--request-audience` flag to the `pinniped login oidc` CLI command
2020-12-08 09:26:19 -08:00
Matt Moyer
bfcd2569e9
Add a --request-audience flag to the pinniped login oidc CLI command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:22:20 -06:00
Aram Price
d91baba240 authorize and callback endpoints now handle the offline_access scope
- This is in preparation for the token endpoint to support the refresh
  grant

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 17:22:34 -08:00
Ryan Richard
6a90a10123
Merge pull request #249 from vmware-tanzu/token-endpoint
OIDC token endpoint supports authcode flow
2020-12-07 15:08:07 -08:00
Ryan Richard
12e5f94e75 Merge branch 'main' into token-endpoint 2020-12-07 14:23:40 -08:00
Ryan Richard
e1ae48f2e4 Discovery does not return token_endpoint_auth_signing_alg_values_supported
`token_endpoint_auth_signing_alg_values_supported` is only related to
private_key_jwt and client_secret_jwt client authentication methods
at the token endpoint, which we do not support. See
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
for more details.

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-07 14:15:31 -08:00
Matt Moyer
dcaf9166dc
Merge pull request #261 from mattmoyer/remove-goerr113-linter
Disable the goerr113 linter.
2020-12-07 16:07:11 -06:00
Matt Moyer
9e945d7547
Disable the goerr113 linter.
This linter is nice in principle, but I've found it more annoying than helpful in practice.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-07 15:53:41 -06:00
Aram Price
648fa4b9ba Backfill test for token endpoint error when JWK is not yet available
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 11:53:24 -08:00
Ryan Richard
e0b6133bf1 Integration tests call supervisor token endpoint and validate response
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 17:07:04 -08:00
Aram Price
ac19782405 Merge branch 'main' into token-endpoint
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 15:52:49 -08:00
Ryan Richard
858356610c Make assertions about how many secrets were stored by fosite in tests
In both callback_handler_test.go and token_handler_test.go

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 15:40:17 -08:00
Matt Moyer
040ad3293a
Merge pull request #255 from mattmoyer/reduce-default-cli-scopes
Remove "email" and "profile" from default scopes requested by CLI.
2020-12-04 17:04:03 -06:00
Matt Moyer
66270fded0
Merge pull request #257 from mattmoyer/prefactoring-for-cli-request-audience
Prefactor before adding CLI "request audience" functionality.
2020-12-04 17:03:38 -06:00
Aram Price
26a8747509 Use the more specific label name of "storage.pinniped.dev/type"
Instead of the less specific "storage.pinniped.dev"

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 14:39:11 -08:00
Ryan Richard
ac83633888 Add fosite kube storage for access and refresh tokens
Also switched the token_handler_test.go to use kube storage.

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 14:31:06 -08:00
Matt Moyer
c6ead9d7dd
Remove "email" and "profile" from default scopes requested by CLI.
We decided that we don't really need these in every case, since we'll be returning username and groups in a custom claim.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 16:02:16 -06:00
Matt Moyer
8c3be3ffb2
Refactor UpstreamOIDCIdentityProviderI claim handling.
This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:35:35 -06:00
Matt Moyer
014d760f3d
Add validated ID token claims to the oidctypes.Token structure.
This is just a more convenient copy of these values which are already stored inside the ID token. This will save us from having to pass them around seprately or re-parse them later.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:18:41 -06:00
Andrew Keesler
8d5f4a93ed
Get rid of an unnecessary comment from 58237d0e7d
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 11:16:32 -05:00
Andrew Keesler
37631b41ea
Don't set our TokenURL - we don't need it right now
TokenURL is used by Fosite to validate clients authenticating with the
private_key_jwt method. We don't have any use for this right now, so just leave
this blank until we need it.

See when Ryan brought this up in
https://github.com/vmware-tanzu/pinniped/pull/239#discussion_r528022162.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 10:18:45 -05:00
Andrew Keesler
03806629b8
Cleanup code via TODOs accumulated during token endpoint work
We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in
dynamicOpenIDConnectECDSAStrategy.GenerateToken().

This commit also ensures that linting and unit tests are passing again.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 10:09:42 -05:00
Andrew Keesler
83e0934864
Add logging in dynamic OIDC ECDSA strategy
I'm worried that these errors are going to be really burried from the user, so
add some log statements to try to make them a tiny bit more observable.

Also follow some of our error message convetions by using lowercase error
messages.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-04 09:05:39 -05:00
Andrew Keesler
2dc3ab1840
Merge remote-tracking branch 'upstream/main' into token-endpoint 2020-12-04 08:58:18 -05:00
Matt Moyer
7b088d611d
Merge pull request #252 from mattmoyer/fix-csrf-cookie-same-site
Switch CSRF cookie from `Same-Site=Strict` to `Same-Site=Lax`.
2020-12-03 21:53:24 -06:00
Matt Moyer
f0ebd808d7
Switch CSRF cookie from Same-Site=Strict to Same-Site=Lax.
This CSRF cookie needs to be included on the request to the callback endpoint triggered by the redirect from the OIDC upstream provider. This is not allowed by `Same-Site=Strict` but is allowed by `Same-Site=Lax` because it is a "cross-site top-level navigation" [1].

We didn't catch this earlier with our Dex-based tests because the upstream and downstream issuers were on the same parent domain `*.svc.cluster.local` so the cookie was allowed even with `Strict` mode.

[1]: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.2

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 21:30:00 -06:00
Margo Crawford
0bb2b10b3b Passing signing key through to the token endpoint 2020-12-03 17:16:08 -08:00
Matt Moyer
fa94ebfbd1
Merge pull request #229 from vmware-tanzu/callback-endpoint
Implement supervisor OIDC upstream callback endpoint used during authorize flow
2020-12-03 16:28:02 -06:00
Matt Moyer
c18c670765
Merge remote-tracking branch 'origin/main' into callback-endpoint 2020-12-03 14:53:26 -06:00