Commit Graph

67 Commits

Author SHA1 Message Date
Ryan Richard
ddc632b99c Show the error_description when it is included in authorization response 2021-04-19 18:08:52 -07:00
Ryan Richard
c176d15aa7 Add Supervisor upstream LDAP login to the Pinniped CLI
- Also enhance prepare-supervisor-on-kind.sh to allow setup of
  a working LDAP upstream IDP.
2021-04-19 17:59:46 -07:00
Ryan Richard
4c2a0b4872 Add new command-line flags to the login oidc command
- Also some light prefactoring in login.go to make room for LDAP-style
  login, which is not implemented yet in this commit. TODOs are added.
- And fix a test pollution problem in login_oidc_test.go where it was
  using a real on-disk CLI cache file, so the tests were polluted by
  the contents of that file and would sometimes cause each other to
  fail.
2021-04-16 18:30:31 -07:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
01b6bf7850
Tweak timeouts in oidcclient package.
- The overall timeout for logins is increased to 90 minutes.
- The timeout for token refresh is increased from 30 seconds to 60 seconds to be a bit more tolerant of extremely slow networks.
- A new, matching timeout of 60 seconds has been added for the OIDC discovery, auth code exchange, and RFC8693 token exchange operations.

The new code uses the `http.Client.Timeout` field rather than managing contexts on individual requests. This is easier because the OIDC package stores a context at creation time and tries to use it later when performing key refresh operations.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 13:47:08 -06:00
Matt Moyer
9d3c98232b
Fix bug in handling response content-type in oidcclient.
Before this, we weren't properly parsing the `Content-Type` header. This breaks in integration with the Supervisor since it sends an extra encoding parameter like `application/json;charset=UTF-8`.

This change switches to properly parsing with the `mime.ParseMediaType` function, and adds test cases to match the supervisor behavior.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-10 10:12:56 -06:00
Matt Moyer
b1542be7b1
In oidcclient token exchange request, pass client_id but don't bother with authorization header.
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:08:41 -06:00
aram price
8d2b8ae6b5 Use constants for scope values 2020-12-08 10:46:05 -08:00
Matt Moyer
bfcd2569e9
Add a --request-audience flag to the pinniped login oidc CLI command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:22:20 -06:00
Matt Moyer
8c3be3ffb2
Refactor UpstreamOIDCIdentityProviderI claim handling.
This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 15:35:35 -06:00
Matt Moyer
fde56164cd
Add a redirectURI parameter to ExchangeAuthcodeAndValidateTokens() method.
We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3).

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Matt Moyer
4fe691de92
Save an http.Client with each upstreamoidc.ProviderConfig object.
This allows the token exchange request to be performed with the correct TLS configuration.

We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:33 -06:00
Ryan Richard
f38c150f6a Finished tests for pkce storage and added it to kubestorage
- Also fixed some lint errors with v1.33.0 of the linter

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 14:53:22 -08:00
Matt Moyer
b272b3f331
Refactor oidcclient.Login to use new upstreamoidc package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:37:14 -06:00
Matt Moyer
d32583dd7f
Move OIDC Token structs into a new oidctypes package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 17:02:03 -06:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient.
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00