sso/oidc: add support for acr_values request parameter (#11026)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
This commit is contained in:
parent
d4e2834856
commit
ea8ab90968
|
@ -0,0 +1,3 @@
|
|||
```release-note:feature
|
||||
sso/oidc: **(Enterprise only)** Add support for providing acr_values in OIDC auth flow
|
||||
```
|
|
@ -388,6 +388,7 @@ type OIDCAuthMethodConfig struct {
|
|||
OIDCClientID string `json:",omitempty"`
|
||||
OIDCClientSecret string `json:",omitempty"`
|
||||
OIDCScopes []string `json:",omitempty"`
|
||||
OIDCACRValues []string `json:",omitempty"`
|
||||
AllowedRedirectURIs []string `json:",omitempty"`
|
||||
VerboseOIDCLogging bool `json:",omitempty"`
|
||||
// just for type=jwt
|
||||
|
@ -415,6 +416,7 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
|
|||
"OIDCClientID": c.OIDCClientID,
|
||||
"OIDCClientSecret": c.OIDCClientSecret,
|
||||
"OIDCScopes": c.OIDCScopes,
|
||||
"OIDCACRValues": c.OIDCACRValues,
|
||||
"AllowedRedirectURIs": c.AllowedRedirectURIs,
|
||||
"VerboseOIDCLogging": c.VerboseOIDCLogging,
|
||||
// just for type=jwt
|
||||
|
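Review bot: The new exported field `OIDCACRValues` on `OIDCAuthMethodConfig` carries no doc comment, while the behaviour it controls is only explained in the website docs hunk later in this commit; the API struct is what SDK users read. Suggest `// OIDCACRValues is a list of Authentication Context Class Reference values, sent space-joined as the acr_values request parameter. Valid only for type=oidc.` above the field, keeping the same wording as the corresponding field in the internal Config type so the two do not drift. The matching entry added to RenderToConfig looks consistent with the surrounding keys.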
|
|
@ -90,6 +90,11 @@ type Config struct {
|
|||
// Valid only if Type=oidc
|
||||
OIDCScopes []string
|
||||
|
||||
// Space-separated list of OIDC Authorization Context Class Reference values
|
||||
//
|
||||
// Valid only if Type=oidc
|
||||
OIDCACRValues []string
|
||||
|
||||
// Comma-separated list of allowed values for redirect_uri
|
||||
//
|
||||
// Valid only if Type=oidc
|
||||
|
@ -215,6 +220,8 @@ func (c *Config) Validate() error {
|
|||
return fmt.Errorf("'OIDCClientSecret' must not be set for type %q", c.Type)
|
||||
case len(c.OIDCScopes) != 0:
|
||||
return fmt.Errorf("'OIDCScopes' must not be set for type %q", c.Type)
|
||||
case len(c.OIDCACRValues) != 0:
|
||||
return fmt.Errorf("'OIDCACRValues' must not be set for type %q", c.Type)
|
||||
case len(c.AllowedRedirectURIs) != 0:
|
||||
return fmt.Errorf("'AllowedRedirectURIs' must not be set for type %q", c.Type)
|
||||
case c.VerboseOIDCLogging:
|
||||
|
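Review bot: The comment added on `OIDCACRValues` in Config is inaccurate on two counts: the field is a `[]string`, not a space-separated string (the join happens later when the auth URL is built), and the OIDC term is Authentication Context Class Reference, not Authorization (the docs hunk in this same commit uses the correct term). Suggest `// List of OIDC Authentication Context Class Reference values, sent space-joined as the acr_values request parameter`. Separately, the new `case` in Validate only rejects the field for non-oidc types; nothing checks the entries themselves, so an element containing whitespace would be read by the provider as several ACR values once joined, and an empty element produces a stray separator. A check in the oidc branch of Validate, which lies outside this hunk, would close that (add a `strings` import if the file does not already have one).
```go
// … unchanged: other oidc-type checks …
for _, v := range c.OIDCACRValues {
	if v == "" || strings.ContainsAny(v, " \t\r\n") {
		return fmt.Errorf("'OIDCACRValues' entries must be non-empty and contain no whitespace, got %q", v)
	}
}
```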
|
|
@ -371,6 +371,14 @@ func TestConfigValidate(t *testing.T) {
|
|||
},
|
||||
expectErr: "must not be set for type",
|
||||
},
|
||||
"incompatible with OIDCACRValues": {
|
||||
config: Config{
|
||||
Type: TypeJWT,
|
||||
JWTValidationPubKeys: []string{testJWTPubKey},
|
||||
OIDCACRValues: []string{"acr1"},
|
||||
},
|
||||
expectErr: "must not be set for type",
|
||||
},
|
||||
"incompatible with AllowedRedirectURIs": {
|
||||
config: Config{
|
||||
Type: TypeJWT,
|
||||
|
|
|
@ -56,6 +56,9 @@ func (a *Authenticator) GetAuthCodeURL(ctx context.Context, redirectURI string,
|
|||
authCodeOpts := []oauth2.AuthCodeOption{
|
||||
oidc.Nonce(nonce),
|
||||
}
|
||||
if len(a.config.OIDCACRValues) > 0 {
|
||||
authCodeOpts = append(authCodeOpts, oauth2.SetAuthURLParam("acr_values", strings.Join(a.config.OIDCACRValues, " ")))
|
||||
}
|
||||
|
||||
return oauth2Config.AuthCodeURL(stateID, authCodeOpts...), nil
|
||||
}
|
||||
|
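Review bot: Sending acr_values only requests those authentication contexts; in OIDC Core it is a voluntary request, the provider may authenticate at a different level, and what was actually used is reported in the `acr` claim of the ID token. Nothing in this diff checks that claim, so operators who read `OIDCACRValues` as an enforcement knob (for example, requiring MFA) would be misled unless code outside this diff verifies it. At minimum the new guard deserves a comment, e.g. `// acr_values is advisory: the provider may satisfy a different context; verify the acr claim in the ID token if a specific level must be enforced.`, and the docs entry could say the same. The enclosing GetAuthCodeURL begins before this hunk.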
|
|
@ -27,6 +27,7 @@ func setupForOIDC(t *testing.T) (*Authenticator, *oidcauthtest.Server) {
|
|||
OIDCDiscoveryCACert: srv.CACert(),
|
||||
OIDCClientID: "abc",
|
||||
OIDCClientSecret: "def",
|
||||
OIDCACRValues: []string{"acr1", "acr2"},
|
||||
JWTSupportedAlgs: []string{"ES256"},
|
||||
BoundAudiences: []string{"abc"},
|
||||
AllowedRedirectURIs: []string{"https://example.com"},
|
||||
|
@ -43,6 +44,7 @@ func setupForOIDC(t *testing.T) (*Authenticator, *oidcauthtest.Server) {
|
|||
"/nested/Groups": "groups",
|
||||
},
|
||||
}
|
||||
|
||||
require.NoError(t, config.Validate())
|
||||
|
||||
oa, err := New(config, hclog.NewNullLogger())
|
||||
|
@ -72,6 +74,8 @@ func TestOIDC_AuthURL(t *testing.T) {
|
|||
"redirect_uri": "https://example.com",
|
||||
"response_type": "code",
|
||||
"scope": "openid",
|
||||
// optional values
|
||||
"acr_values": "acr1 acr2",
|
||||
}
|
||||
|
||||
au, err := url.Parse(authURL)
|
||||
|
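Review bot: TestOIDC_AuthURL now exercises only the configured case, because setupForOIDC always sets `OIDCACRValues` to `{"acr1", "acr2"}`; the `len(...) > 0` guard in GetAuthCodeURL that omits the parameter when the list is empty has no test. Consider a second case built with an empty `OIDCACRValues` asserting that `acr_values` is absent from the parsed query, which would also catch a stray empty `acr_values=` on that path. Whether the expected map here is compared exactly depends on code outside this hunk.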
|
|
@ -70,6 +70,8 @@ parameters are required to properly configure an auth method of type
|
|||
|
||||
- `OIDCScopes` `(array<string>)` - A list of OIDC scopes.
|
||||
|
||||
- `OIDCACRValues` `(array<string>)` - A list of Authentication Context Class Reference values to use for the authentication request. See [OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1) for more info on this parameter. Added in v1.11.0.
|
||||
|
||||
- `JWTSupportedAlgs` `(array<string>)` - JWTSupportedAlgs is a list of
|
||||
supported signing algorithms. Defaults to `RS256`. ([Available
|
||||
algorithms](https://github.com/hashicorp/consul/blob/main/vendor/github.com/coreos/go-oidc/jose.go#L7))
|
||||
|
|