Auth: Add OIDC identities to identity cache and extract identity provider groups #12827
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Documentation
tomponline
changed the title
markylaing
force-pushed
the
cache-oidc-identities
branch
2 times, most recently
from
dfc9bb9
to
86eff12
Compare
|
@tomponline this is ready for review now. Also, do we prefer |
I would say, as it allows us to use oidc.groups.foo later if needed |
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
reviewed
Feb 9, 2024
tomponline
requested changes
Feb 9, 2024
markylaing
force-pushed
the
cache-oidc-identities
branch
from
86eff12
to
705e19e
Compare
markylaing
commented
Feb 9, 2024
What would the extension be for? This doesn't add any functionality (yet). Or is it just because we're adding a new config key? |
Yep the new config key is new functionality |
🤔 I suppose it is. You can set some config. I'll update the PR on Monday and will add an API extension check in the client for adding this config key. |
markylaing
force-pushed
the
cache-oidc-identities
branch
from
705e19e
to
8a6206a
Compare
Signed-off-by: Mark Laing <mark.laing@canonical.com>
This indicates to the client that it needs to request the additional scope. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
AuthError implements xerrors.Wrapper so we can use that to inspect the error instead of type assertion. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
markylaing
force-pushed
the
cache-oidc-identities
branch
from
8a6206a
to
c93a157
Compare
|
@tomponline I've made the requested changes. I haven't checked for the |
tomponline
reviewed
Feb 12, 2024
tomponline
requested changes
Feb 12, 2024
Signed-off-by: Mark Laing <mark.laing@canonical.com>
Signed-off-by: Mark Laing <mark.laing@canonical.com>
This is a false positive. Signed-off-by: Mark Laing <mark.laing@canonical.com>
markylaing
force-pushed
the
cache-oidc-identities
branch
from
c93a157
to
458b87c
Compare
tomponline
approved these changes
Feb 12, 2024
markylaing
added a commit
to markylaing/lxd
that referenced
this pull request
Feb 20, 2024
When the `oidc.groups.claim` config key was added in canonical#12827, the logic governing optional configuration of the OIDC verifier was incorrect. This caused the config expiry interval to be set to zero if not passed in by the caller. This caused the verifier to rotate the encryption keys of the relying party on every call. These keys are used to encrypt the `state` and `pkce` cookies that OIDC needs to work. As they had been rotated during the OIDC flow, the callback handler to failed to decrypt the cookies, and so login was failing. Signed-off-by: Mark Laing <mark.laing@canonical.com>
markylaing
added a commit
to markylaing/lxd
that referenced
this pull request
Feb 20, 2024
When the `oidc.groups.claim` config key was added in canonical#12827, the logic governing optional configuration of the OIDC verifier was incorrect. This caused the config expiry interval to be set to zero if not passed in by the caller. This caused the verifier to rotate the encryption keys of the relying party on every call. These keys are used to encrypt the `state` and `pkce` cookies that OIDC needs to work. As they had been rotated during the OIDC flow, the callback handler to failed to decrypt the cookies, and so login was failing. Signed-off-by: Mark Laing <mark.laing@canonical.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a new server configuration key
oidc.groups_claim. If set, the value of this config key is:scopeof the Authorization Code Flow (UI).X-LXD-OIDC-groups-claimheader, to be added to the scope for the Device Authorization Grant Flow (CLI).X-LXD-forwarded-identity-provider-groupsheader. The value of this header is a JSON encoded string.#12816 must be merged first.