feat(auth/oidc): OIDC authentication method support #1197
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1197 +/- ##
==========================================
- Coverage 80.19% 80.05% -0.14%
==========================================
Files 39 41 +2
Lines 2842 3113 +271
==========================================
+ Hits 2279 2492 +213
- Misses 459 499 +40
- Partials 104 122 +18
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
| if v.GetBool(fmt.Sprintf("authentication.methods.%s.enabled", k)) { | ||
| method["cleanup"] = map[string]any{ | ||
| "interval": time.Hour, | ||
| "grace_period": 30 * time.Minute, |
There was a problem hiding this comment.
outside of the scope of this PR, but we should also track modifying the cue and jsonschema schemas for these config additions, as well as docs changes
There was a problem hiding this comment.
Yeah good shout. Is this something we could potentially add as a CI step?
| // appropriate state parameter. It does so by wrapping any provided state parameter | ||
| // in a JSON object with an additional cryptographically-random generated security | ||
| // token. The payload is then encoded in base64 and added back to the state query param. | ||
| // The payload is then also encoded as a http cookie which is bound to the callback path. |
There was a problem hiding this comment.
love these docs/comments 🤩
| }) | ||
| if err != nil { | ||
| return nil, err | ||
|
|
| // with the login form. | ||
| // It collecs the hidden values into a url.Values so that we can post the form | ||
| // using our Go client. | ||
| func parseLoginFormHiddenValues(r io.Reader) (url.Values, error) { |
There was a problem hiding this comment.
😭 It definitely either sits-on or leaps over the line of acceptability 😂
I wanted to avoid bringing in more dependencies if I could. I just need to pull a particular form's hidden inputs out of an HTML page. But perhaps using a library would make this a lot more digestible.
What I really wanted was that test library to offer a way to get the code parameter without parsing HTML. I just haven't found it yet.
I guess, at-least, this is a little closer to what a user in a browser would do. Slightly more representative.
There was a problem hiding this comment.
haha totally understand. just saw html parsing as was like 🤯
feat(auth/oidc): implement authorize and callback refactor(oidc): switch to hashicorp/cap package test(oidc): add extra logging context for failure in CI chore: more test logging context chore: logging context around client cookie jar contents chore: print entire cookie jar fix(oidc): test use localhost over ip for cookie jar interactions chore: appears the linters refactor(internal/cmd): flatten bootstrapping package into one
GeorgeMac
force-pushed
the
gm/oidc-google
branch
from
238e53b
to
3c8cc8d
Compare
GeorgeMac
changed the title
* feat(oidc): support generic OIDC providers * refactor(config): support maps with keys containing underscore * chore: appease the linters * chore(config): update doc string Co-authored-by: Mark Phelps <209477+markphelps@users.noreply.github.com> * chore(config): update bind function doc * feat(oidc): add more standard OIDC claims * chore(oidc): remove redundent return statement Co-authored-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Fixes FLI-48
Fixes FLI-49
This implements the OIDC authorize URL and callback operations. Initially, just for the single provider, Google.
It uses HashiCorp
capas the wrapper around the Go OIDC library and Googles OAuth lib.This library has the added benefit of a nice testing authorization service implementation.
The two operations implemented in this PR are:
AuthorizeURL, which returns an authorize URL for the configuration associated with the requested provider.Callback, which handles exchanging an authentication code to verify authenticity and acquire an id_token. Once acquired, a Flipt client token is established with the user's metadata.Additionally, there are a number of utility middlewares and gRPC gateway options.
These additions ensure that when interacting with the OIDC authentication method, that the resulting client token is automatically established as an HTTP cookie. This is to support browser sessions.
Update:
This is now flexible enough to support various generic OIDC providers.
This is after merging in #1223