Matt Moyer
02d96d731f
Finish TestTokenExchange unit tests and add missing scope check.
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-09 13:56:53 -06:00
Ryan Richard
cac3a3520f
Merge branch 'main' into token-refresh
2020-12-09 09:58:21 -08:00
Matt Moyer
b04db6ad2b
Fix some false positive gosec warnings.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:42:37 -06:00
Matt Moyer
f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP).
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:23:10 -06:00
Matt Moyer
b1542be7b1
In oidcclient token exchange request, pass client_id but don't bother with authorization header.
...
I think this should be more correct. In the server we're authenticating the request primarily via the `subject_token` parameter anyway, and Fosite needs the `client_id` to be set.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:08:41 -06:00
Matt Moyer
1db2ae3a45
Add more parameter validations and refactor internal/oidc/token_exchange.go.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:04:58 -06:00
Matt Moyer
e25d090ca9
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 10:00:54 -06:00
Andrew Keesler
5f4348c57d
Merge pull request #266 from ankeesler/fix-jwt-auth-ca-bundle
...
Fix `JWTAuthenticator` CA bundle
2020-12-09 10:43:33 -05:00
Matt Moyer
644cb687b9
Grant the Pinniped STS scope in authorize/callback handlers.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:36:45 -06:00
Matt Moyer
bebe25c32e
Merge branch 'main' of github.com:vmware-tanzu/pinniped into token-exchange-endpoint
2020-12-09 09:25:58 -06:00
Andrew Keesler
4c0fb12cf6
test/integration: only set JWTAuthenticator CA bundle when it exists
...
See comment in code.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:53 -05:00
Andrew Keesler
93cfd8c93a
Fix prepare-for-integration-tests.sh and Tiltfile for kubectl 1.20
...
kubectl 1.20 prints "Kubernetes control plane" instead of "Kubernetes master".
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-09 10:15:34 -05:00
Matt Moyer
5f1bd5ec31
Update TestNullStorage_GetClient with adjusted pinniped-cli scopes.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 09:12:32 -06:00
Andrew Keesler
8fcc176d8b
Merge pull request #258 from ankeesler/jwt-authenticator
...
Add JWTAuthenticator API and initial controller
2020-12-09 08:21:04 -05:00
Ryan Richard
6420caca94
Bring back the test that was skipped by the previous commit
...
- This test is still a work in progress. Some TODO comments
have been added to give hints for next steps.
2020-12-08 18:25:01 -08:00
Ryan Richard
f84dda937b
Merge branch 'token-refresh' into token-exchange-endpoint
2020-12-08 18:12:12 -08:00
Ryan Richard
ef4ef583dc
token_handler_test.go: Refactor how we specify the expected results
...
- This is to make it easier for the token exchange branch to also edit
this test without causing a lot of merge conflicts with the
refresh token branch, to enable parallel development of closely
related stories.
2020-12-08 18:10:55 -08:00
Margo Crawford
f103c02408
Add check for grant type in tokenexchangehandler,
...
- also started writing a test for the tokenexchangehandler, skipping for
now
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-08 17:33:08 -08:00
Margo Crawford
ef3f837800
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
2020-12-08 16:58:35 -08:00
Ryan Richard
170982a688
refactor token_handler_test.go: easier to make more requests after initial authcode exchange
...
- This refactor will allow us to add new test tables for the
refresh and token exchange requests, which both must come after
an initial successful authcode exchange has already happened
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 16:54:58 -08:00
Margo Crawford
a852baac75
Merge remote-tracking branch 'origin/token-refresh' into token-exchange-endpoint
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-08 12:55:44 -08:00
Andrew Keesler
381a2e749a
impotent -> idempotent
...
These words do not mean the same thing...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
Aram Price
9ed5dcb031
Only create underlying jwt authenticator when spec has changed
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:49 -05:00
Andrew Keesler
e0ee18a993
Always close JWTAuthenticator underlying authenticator
...
Otherwise we will leak goroutines.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
0efc19a1b7
Support JWTAuthenticator in pinniped CLI
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
57103e0a9f
Add JWTAuthenticator controller
...
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Andrew Keesler
946b0539d2
Add JWTAuthenticator API type
...
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Ryan Richard
a9111f39af
Merge branch 'main' into token-refresh
2020-12-08 12:32:41 -08:00
Ryan Richard
18d90a727e
token_handler_test.go: refresh token gets deleted when authcode reused
2020-12-08 12:12:55 -08:00
Ryan Richard
c090eb6a62
Supervisor token endpoint returns refresh tokens when requested
2020-12-08 11:47:39 -08:00
Andrew Keesler
8f51993db2
Merge pull request #265 from vmware-tanzu/scope-constants
...
Use constants for scope values
2020-12-08 14:32:09 -05:00
aram price
8d2b8ae6b5
Use constants for scope values
2020-12-08 10:46:05 -08:00
Matt Moyer
afbef23a51
WIP implementing TokenExchangeHandler methods
...
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:17:03 -08:00
Margo Crawford
e5ecaf01a0
WIP stubbing out tokenexchangehandler
2020-12-08 09:28:19 -08:00
Margo Crawford
b7b6816531
Merge pull request #259 from mattmoyer/add-cli-request-audience
...
Add a `--request-audience` flag to the `pinniped login oidc` CLI command
2020-12-08 09:26:19 -08:00
Matt Moyer
bfcd2569e9
Add a --request-audience
flag to the pinniped login oidc
CLI command.
...
Signed-off-by: Matt Moyer <moyerm@vmware.com>
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-08 10:22:20 -06:00
Aram Price
d91baba240
authorize and callback endpoints now handle the offline_access scope
...
- This is in preparation for the token endpoint to support the refresh
grant
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 17:22:34 -08:00
Ryan Richard
6a90a10123
Merge pull request #249 from vmware-tanzu/token-endpoint
...
OIDC token endpoint supports authcode flow
2020-12-07 15:08:07 -08:00
Ryan Richard
12e5f94e75
Merge branch 'main' into token-endpoint
2020-12-07 14:23:40 -08:00
Ryan Richard
e1ae48f2e4
Discovery does not return token_endpoint_auth_signing_alg_values_supported
...
`token_endpoint_auth_signing_alg_values_supported` is only related to
private_key_jwt and client_secret_jwt client authentication methods
at the token endpoint, which we do not support. See
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
for more details.
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-07 14:15:31 -08:00
Matt Moyer
dcaf9166dc
Merge pull request #261 from mattmoyer/remove-goerr113-linter
...
Disable the goerr113 linter.
2020-12-07 16:07:11 -06:00
Matt Moyer
9e945d7547
Disable the goerr113 linter.
...
This linter is nice in principle, but I've found it more annoying than helpful in practice.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-07 15:53:41 -06:00
Aram Price
648fa4b9ba
Backfill test for token endpoint error when JWK is not yet available
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 11:53:24 -08:00
Ryan Richard
e0b6133bf1
Integration tests call supervisor token endpoint and validate response
...
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 17:07:04 -08:00
Aram Price
ac19782405
Merge branch 'main' into token-endpoint
...
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 15:52:49 -08:00
Ryan Richard
858356610c
Make assertions about how many secrets were stored by fosite in tests
...
In both callback_handler_test.go and token_handler_test.go
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 15:40:17 -08:00
Matt Moyer
040ad3293a
Merge pull request #255 from mattmoyer/reduce-default-cli-scopes
...
Remove "email" and "profile" from default scopes requested by CLI.
2020-12-04 17:04:03 -06:00
Matt Moyer
66270fded0
Merge pull request #257 from mattmoyer/prefactoring-for-cli-request-audience
...
Prefactor before adding CLI "request audience" functionality.
2020-12-04 17:03:38 -06:00
Aram Price
26a8747509
Use the more specific label name of "storage.pinniped.dev/type"
...
Instead of the less specific "storage.pinniped.dev"
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 14:39:11 -08:00
Ryan Richard
ac83633888
Add fosite kube storage for access and refresh tokens
...
Also switched the token_handler_test.go to use kube storage.
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 14:31:06 -08:00