Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encrypt OIDC cookies #12628

Merged
merged 12 commits into from
Feb 6, 2024
Merged

Encrypt OIDC cookies #12628

merged 12 commits into from
Feb 6, 2024

Conversation

markylaing
Copy link
Contributor

@markylaing markylaing commented Dec 6, 2023

This PR encrypts the OIDC cookies that are set in the response after logging in to LXD. It finishes the implementation of changes to handling of OIDC authentication as discussed in #12531.

To ensure that the encryption key is the same on all cluster members, we are deriving the key from the cluster private key using HKDF.

Closes #12531

Copy link
Contributor

@gabrielmougard gabrielmougard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of comments but it looks good

lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
Copy link
Contributor

@roosterfish roosterfish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, looks very good overall. Just a few smaller suggestions.

lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Show resolved Hide resolved
@markylaing markylaing force-pushed the oidc-fixes branch 2 times, most recently from 994e007 to 76a2445 Compare December 12, 2023 10:50
@markylaing
Copy link
Contributor Author

@nsklikas In the OIDC login handler I have re-added the audience parameter. While it may not form part of the full OIDC specification, it is required if we want to add custom claims to tokens (e.g. group membership) which we will need.

roosterfish
roosterfish previously approved these changes Dec 12, 2023
Copy link
Contributor

@roosterfish roosterfish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarifications, LGTM.

lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
Copy link
Member

@tobhe tobhe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty good to me now. I think you addressed all of the changes we requested:

  • You are using salt and context information for the keys
  • sessionId (the salt) is regenerated for each token refresh
  • salt size of 64 is also sufficient

I agree with @tomponline that a few places could benefit from some more documentation.

Copy link

@chrisccoulson chrisccoulson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I've left a couple of minor comments

lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
tomponline
tomponline previously approved these changes Feb 6, 2024
These cookies do not need to be decrypted by other cluster members,
so it is ok to use secure key generation that is built-in to the
securecookie library. This also reduces the exposure of our private key.

Signed-off-by: Mark Laing <[email protected]>
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@tomponline tomponline merged commit 5e6202c into canonical:main Feb 6, 2024
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

OIDC implementation discussion
8 participants