Commit Graph

14 Commits

Author SHA1 Message Date
Ryan Richard
e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00
Ryan Richard
b9272b2729 Reserve all of *.pinniped.dev for requested aud in token exchanges
Our previous plan was to reserve only *.oauth.pinniped.dev but we
changed our minds during PR review.
2022-06-13 12:08:11 -07:00
Ryan Richard
ea45e5dfef Disallow certain requested audience strings in token exchange 2022-06-07 16:32:19 -07:00
Matt Moyer
c832cab8d0
Update internal/oidc/token_exchange.go for latest Fosite version.
The `fosite.TokenEndpointHandler` changed and now requires some additional methods.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-01 13:08:41 -06:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Matt Moyer
3a81fbd1b4
Update fosite error usage.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 16:31:08 -06:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Ryan Richard
5b7c510577 Fixed error handling for token exchange when openid scope missing
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 15:15:50 -08:00
Matt Moyer
02d96d731f
Finish TestTokenExchange unit tests and add missing scope check.
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 13:56:53 -06:00
Matt Moyer
b04db6ad2b
Fix some false positive gosec warnings.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:42:37 -06:00
Matt Moyer
1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:04:58 -06:00
Margo Crawford
f103c02408 Add check for grant type in tokenexchangehandler,
- also started writing a test for the tokenexchangehandler, skipping for
now

Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
Matt Moyer
afbef23a51 WIP implementing TokenExchangeHandler methods
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:17:03 -08:00
Margo Crawford
e5ecaf01a0 WIP stubbing out tokenexchangehandler 2020-12-08 09:28:19 -08:00