-
Notifications
You must be signed in to change notification settings - Fork 933
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC fixes (without encryption) #12766
Merged
tomponline
merged 11 commits into
canonical:main
from
markylaing:oidc-fixes-sans-encryption
Jan 24, 2024
Merged
OIDC fixes (without encryption) #12766
tomponline
merged 11 commits into
canonical:main
from
markylaing:oidc-fixes-sans-encryption
Jan 24, 2024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
The rp.RelyingParty is used for authentication via the UI, and the op.AccessTokenVerifier is used for authentication via the CLI. When instantiating the rp.RelyingParty, the zitadel library performs OIDC discovery by calling the /.well-known/openid-configuration endpoint. To limit the number of calls to this endpoint, we only set a new rp.RelyingParty if the request host changes (e.g. change of port, DNS change etc.) as this is required for creating a valid callback URL. Additionally, we add the "email" scope to the rp.RelyingParty OIDC scopes. Signed-off-by: Mark Laing <[email protected]>
We can use the refresh token to get a new identity token, so requests missing an identity token but containing a refresh token should be considered for OIDC auth. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
The UI should be providing ID tokens (not access tokens). This method is for use with ID and refresh token cookies that are set via the UI login flow (e.g. /oidc/login, /oidc/logout, /oidc/callback). Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
The Auth method now calls an appropriate verification method depending on how the OIDC tokens are set in the request. For Bearer tokens we expect an access token, for cookies we expect ID and refresh tokens. Signed-off-by: Mark Laing <[email protected]>
Signed-off-by: Mark Laing <[email protected]>
markylaing
force-pushed
the
oidc-fixes-sans-encryption
branch
from
January 23, 2024 14:21
5b624c3
to
f8985cd
Compare
Merged
tomponline
approved these changes
Jan 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements the OIDC fixes that can be found in #12628 except for encryption of identity and refresh tokens when accessing LXD via the UI. This is because we are awaiting a security review (https://warthogs.atlassian.net/browse/SECQ-60?atlOrigin=eyJpIjoiMGM5MzRlZTc1ZTc2NDQ4ODkyYjc0ZGFiMGIyODZkNzMiLCJwIjoiaiJ9).
Related to #12531