OIDC fixes (without encryption) #12766
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
The rp.RelyingParty is used for authentication via the UI, and the op.AccessTokenVerifier is used for authentication via the CLI. When instantiating the rp.RelyingParty, the zitadel library performs OIDC discovery by calling the /.well-known/openid-configuration endpoint. To limit the number of calls to this endpoint, we only set a new rp.RelyingParty if the request host changes (e.g. change of port, DNS change etc.) as this is required for creating a valid callback URL. Additionally, we add the "email" scope to the rp.RelyingParty OIDC scopes. Signed-off-by: Mark Laing <mark.laing@canonical.com>
We can use the refresh token to get a new identity token, so requests missing an identity token but containing a refresh token should be considered for OIDC auth. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
The UI should be providing ID tokens (not access tokens). This method is for use with ID and refresh token cookies that are set via the UI login flow (e.g. /oidc/login, /oidc/logout, /oidc/callback). Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
The Auth method now calls an appropriate verification method depending on how the OIDC tokens are set in the request. For Bearer tokens we expect an access token, for cookies we expect ID and refresh tokens. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
markylaing
force-pushed
the
oidc-fixes-sans-encryption
branch
from
5b624c3
to
f8985cd
Compare
Merged
tomponline
approved these changes
Jan 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements the OIDC fixes that can be found in #12628 except for encryption of identity and refresh tokens when accessing LXD via the UI. This is because we are awaiting a security review (https://warthogs.atlassian.net/browse/SECQ-60?atlOrigin=eyJpIjoiMGM5MzRlZTc1ZTc2NDQ4ODkyYjc0ZGFiMGIyODZkNzMiLCJwIjoiaiJ9).
Related to #12531