Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 'check oidc-config' command #4146

Merged
merged 9 commits into from
Nov 27, 2023
Merged

Add 'check oidc-config' command #4146

merged 9 commits into from
Nov 27, 2023

Conversation

makkes
Copy link
Member

@makkes makkes commented Nov 23, 2023

What changed?

A new command check oidc-config is introduced that validates a given OIDC configuration, either from a referenced Secret or from CLI flags.

Example for an invalid configuration:

$ gitops check oidc-config --scopes foobar -n weave-gitops
► Fetching OIDC configuration from Secret "weave-gitops/oidc-auth"
◎ Please open the following URL in your browser:

https://login.microsoftonline.com/XXX/oauth2/v2.0/authorize?access_type=offline&client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A9876&response_type=code&scope=foobar&state=state

Error: received error from identity provider: invalid_client (AADSTS650053: The application 'max-wego-oidc' asked for scope 'foobar' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: 06344505-ac86-47ad-acf9-d5c01efb1601 Correlation ID: b0c677e7-f13b-4d8b-8552-4859437cd877 Timestamp: 2023-11-22 11:14:06Z)

Example for a valid configuration:

$ go run ./cmd/gitops check oidc-config -n weave-gitops
► Fetching OIDC configuration from Secret "weave-gitops/oidc-auth"
◎ Opening browser. If this does not work, please open the following URL in your browser:

https://login.microsoftonline.com/XXX/oauth2/v2.0/authorize?access_type=offline&client_id=XXX&redirect_uri=http%3A%2F%2Flocalhost%3A9876&response_type=code&scope=openid+email+profile&state=state

✔ received response from OIDC provider
► exchanging code for token
user: tRbZyWwP7gpn-[...]-bkHbRdOKRmo0
groups: 579c2ee8-[...]-68bdb1a9fbf0

Why was this change made?

This will help users debug issues with Weave GitOps OIDC configuration as well as provide a way to validate a configuration before putting it on a cluster.

How was this change implemented?

The command consumes OIDC configuration from CLI flags or from a Secret on a cluster and sends the user through an OIDC authorization code flow. If it succeeds, the username and groups claims are logged to stdout. The command validates the Secret for missing fields and also prints all errors returned from the OIDC provider so that users know what went wrong.

How did you validate the change?

There are unit tests and I manually validated the command with Azure, Google and on-prem Keycloak as IdPs.

Release notes

New check oidc-config command for validating and debugging OIDC configuration.

Documentation Changes

added a link to the reference page at the bottom of this paragraph

@makkes makkes force-pushed the check-oidc-config branch 3 times, most recently from 6e61967 to d1e9c95 Compare November 24, 2023 10:15
@makkes makkes marked this pull request as ready for review November 24, 2023 10:24
@makkes makkes requested review from squaremo and bigkevmcd November 24, 2023 10:24
@makkes
Copy link
Member Author

makkes commented Nov 24, 2023

Not sure why the test TestRefreshInvalidToken fails. It should really not be affected by anything within this PR.

@makkes makkes force-pushed the check-oidc-config branch 2 times, most recently from 1b3ea90 to 24ecb2d Compare November 24, 2023 14:54
The command validates a given OIDC configuration, either from a referenced
Secret or from CLI flags. This will help users debug issues with Weave GitOps
OIDC configuration as well as provide a way to validate a configuration before
putting it on a cluster.

The command consumes OIDC configuration from CLI flags or from a Secret on a
cluster and sends the user through an OIDC authorization code flow. If it
succeeds, the username and groups claims are logged to stdout. The command
validates the Secret for missing fields and also prints all errors returned
from the OIDC provider so that users know what went wrong.

This will work out of the box with OIDC providers given they are configured to
accept "http://localhost:9876" as a redirect URI.
cmd/gitops/check/oidcconfig/cmd.go Show resolved Hide resolved
pkg/oidc/check/flow.go Outdated Show resolved Hide resolved
cmd/gitops/check/oidcconfig/cmd.go Outdated Show resolved Hide resolved
pkg/oidc/check/flow.go Outdated Show resolved Hide resolved
Max Jonas Werner added 3 commits November 24, 2023 16:44
This commit also aligns the existing `--claim-username` flag with the
K8s one and renames it to `--username-claim`.
@makkes makkes requested a review from bigkevmcd November 24, 2023 16:16
pkg/oidc/check/flow.go Show resolved Hide resolved
@makkes makkes requested a review from bigkevmcd November 24, 2023 16:24
Max Jonas Werner added 3 commits November 24, 2023 17:55
The generated files have been updated to reflect the updated version
of the buf command.
golang.org/x/oauth2 changed its error handling in v0.8.0
(https://go-review.googlesource.com/c/oauth2/+/451076) to actually
parse error responses and return the error code in the returned error
variable.
@yiannistri yiannistri merged commit 301d4d1 into main Nov 27, 2023
19 checks passed
@yiannistri yiannistri deleted the check-oidc-config branch November 27, 2023 12:44
@yiannistri
Copy link
Contributor

Thank you @makkes 🥇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants