Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OIDC fixes (without encryption) #12766

Merged
merged 11 commits into from
Jan 24, 2024

Conversation

markylaing
Copy link
Contributor

@markylaing markylaing commented Jan 23, 2024

This PR implements the OIDC fixes that can be found in #12628 except for encryption of identity and refresh tokens when accessing LXD via the UI. This is because we are awaiting a security review (https://warthogs.atlassian.net/browse/SECQ-60?atlOrigin=eyJpIjoiMGM5MzRlZTc1ZTc2NDQ4ODkyYjc0ZGFiMGIyODZkNzMiLCJwIjoiaiJ9).

Related to #12531

@markylaing markylaing self-assigned this Jan 23, 2024
The rp.RelyingParty is used for authentication via the UI, and the
op.AccessTokenVerifier is used for authentication via the CLI. When
instantiating the rp.RelyingParty, the zitadel library performs
OIDC discovery by calling the /.well-known/openid-configuration endpoint.
To limit the number of calls to this endpoint, we only set a new
rp.RelyingParty if the request host changes (e.g. change of port, DNS
change etc.) as this is required for creating a valid callback URL.

Additionally, we add the "email" scope to the rp.RelyingParty OIDC
scopes.

Signed-off-by: Mark Laing <[email protected]>
We can use the refresh token to get a new identity token, so requests
missing an identity token but containing a refresh token should be
considered for OIDC auth.

Signed-off-by: Mark Laing <[email protected]>
The UI should be providing ID tokens (not access tokens). This method is
for use with ID and refresh token cookies that are set via the UI login
flow (e.g. /oidc/login, /oidc/logout, /oidc/callback).

Signed-off-by: Mark Laing <[email protected]>
The Auth method now calls an appropriate verification method depending
on how the OIDC tokens are set in the request. For Bearer tokens we
expect an access token, for cookies we expect ID and refresh tokens.

Signed-off-by: Mark Laing <[email protected]>
@markylaing markylaing force-pushed the oidc-fixes-sans-encryption branch from 5b624c3 to f8985cd Compare January 23, 2024 14:21
@tomponline tomponline merged commit 6612e64 into canonical:main Jan 24, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants