ContainerImage.Pinniped/internal/oidc
Andrew Keesler 080bb594b2 Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones
- To better support having multiple downstream providers configured,
  the authorize endpoint will share a CSRF cookie between all
  downstream providers' authorize endpoints. The first time a
  user's browser hits the authorize endpoint of any downstream
  provider, that endpoint will set the cookie. Then if the user
  starts an authorize flow with that same downstream provider or with
  any other downstream provider which shares the same domain name
  (i.e. differentiated by issuer path), then the same cookie will be
  submitted and respected.
- Just in case we are sharing the domain name with some other app,
  we sign the value of any new CSRF cookie and check the signature
  when we receive the cookie. This wasn't strictly necessary since
  we probably won't share a domain name with other apps, but it
  wasn't hard to add this cookie signing.

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 15:36:59 -08:00
..
auth Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones 2020-11-12 15:36:59 -08:00
csrftoken WIP for saving authorize endpoint state into upstream state param 2020-11-10 17:58:00 -08:00
discovery Implement per-issuer OIDC JWKS endpoint 2020-10-16 17:51:40 -07:00
jwks Implement per-issuer OIDC JWKS endpoint 2020-10-16 17:51:40 -07:00
provider Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones 2020-11-12 15:36:59 -08:00
nullstorage_test.go Add NullStorage for the authorize endpoint to use 2020-11-11 14:49:24 -08:00
nullstorage.go Add NullStorage for the authorize endpoint to use 2020-11-11 14:49:24 -08:00
oidc.go Also run OIDC validations in supervisor authorize endpoint 2020-11-06 14:44:58 -08:00