sso/oidc: add support for acr_values request parameter (#11026)

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Evan Culver 2021-09-17 18:10:05 +02:00 committed by GitHub
parent d4e2834856
commit ea8ab90968
7 changed files with 29 additions and 0 deletions

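--- /dev/null
+++ b/.changelog/11026.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+sso/oidc: **(Enterprise only)** Add support for providing acr_values in OIDC auth flow
+```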


@ -388,6 +388,7 @@ type OIDCAuthMethodConfig struct {
OIDCClientID string `json:",omitempty"` OIDCClientID string `json:",omitempty"`
OIDCClientSecret string `json:",omitempty"` OIDCClientSecret string `json:",omitempty"`
OIDCScopes []string `json:",omitempty"` OIDCScopes []string `json:",omitempty"`
OIDCACRValues []string `json:",omitempty"`
AllowedRedirectURIs []string `json:",omitempty"` AllowedRedirectURIs []string `json:",omitempty"`
VerboseOIDCLogging bool `json:",omitempty"` VerboseOIDCLogging bool `json:",omitempty"`
// just for type=jwt // just for type=jwt
@ -415,6 +416,7 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
"OIDCClientID": c.OIDCClientID, "OIDCClientID": c.OIDCClientID,
"OIDCClientSecret": c.OIDCClientSecret, "OIDCClientSecret": c.OIDCClientSecret,
"OIDCScopes": c.OIDCScopes, "OIDCScopes": c.OIDCScopes,
"OIDCACRValues": c.OIDCACRValues,
"AllowedRedirectURIs": c.AllowedRedirectURIs, "AllowedRedirectURIs": c.AllowedRedirectURIs,
"VerboseOIDCLogging": c.VerboseOIDCLogging, "VerboseOIDCLogging": c.VerboseOIDCLogging,
// just for type=jwt // just for type=jwt
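Review bot: The new exported field `OIDCACRValues` in OIDCAuthMethodConfig carries no doc comment, so an API consumer cannot tell from the type that these values are joined into the `acr_values` parameter of the authorization request or that they are only meaningful for `Type=oidc`. The neighbouring fields are equally bare, but this is the line being added, so I would give it `// OIDCACRValues is an optional list of Authentication Context Class Reference values sent as the acr_values request parameter; valid only for Type=oidc.` The RenderToConfig addition is consistent with the sibling keys. The struct and RenderToConfig both extend beyond this section.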


@ -90,6 +90,11 @@ type Config struct {
// Valid only if Type=oidc // Valid only if Type=oidc
OIDCScopes []string OIDCScopes []string
// Space-separated list of OIDC Authorization Context Class Reference values
//
// Valid only if Type=oidc
OIDCACRValues []string
// Comma-separated list of allowed values for redirect_uri // Comma-separated list of allowed values for redirect_uri
// //
// Valid only if Type=oidc // Valid only if Type=oidc
@ -215,6 +220,8 @@ func (c *Config) Validate() error {
return fmt.Errorf("'OIDCClientSecret' must not be set for type %q", c.Type) return fmt.Errorf("'OIDCClientSecret' must not be set for type %q", c.Type)
case len(c.OIDCScopes) != 0: case len(c.OIDCScopes) != 0:
return fmt.Errorf("'OIDCScopes' must not be set for type %q", c.Type) return fmt.Errorf("'OIDCScopes' must not be set for type %q", c.Type)
case len(c.OIDCACRValues) != 0:
return fmt.Errorf("'OIDCACRValues' must not be set for type %q", c.Type)
case len(c.AllowedRedirectURIs) != 0: case len(c.AllowedRedirectURIs) != 0:
return fmt.Errorf("'AllowedRedirectURIs' must not be set for type %q", c.Type) return fmt.Errorf("'AllowedRedirectURIs' must not be set for type %q", c.Type)
case c.VerboseOIDCLogging: case c.VerboseOIDCLogging:
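Review bot: The comment on the new `OIDCACRValues` field says "Space-separated list" while the field is a `[]string`, and it names the concept "Authorization Context Class Reference" although the acr_values parameter (and this commit's own documentation) is an Authentication Context Class Reference; I would change it to `// List of OIDC Authentication Context Class Reference values, joined with single spaces into the acr_values parameter of the authorization request.` The Validate addition only rejects the field for non-oidc types; for Type=oidc, an entry that is empty or contains whitespace would be silently mangled when joined (an empty entry yields a stray space, an embedded space splits one value into two at the OP), so the oidc branch — which lies outside this hunk — should reject such entries, e.g. a loop that returns `fmt.Errorf("'OIDCACRValues' entries must be non-empty and contain no whitespace")`. Validate's body continues past the end of the hunk.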


@ -371,6 +371,14 @@ func TestConfigValidate(t *testing.T) {
}, },
expectErr: "must not be set for type", expectErr: "must not be set for type",
}, },
"incompatible with OIDCACRValues": {
config: Config{
Type: TypeJWT,
JWTValidationPubKeys: []string{testJWTPubKey},
OIDCACRValues: []string{"acr1"},
},
expectErr: "must not be set for type",
},
"incompatible with AllowedRedirectURIs": { "incompatible with AllowedRedirectURIs": {
config: Config{ config: Config{
Type: TypeJWT, Type: TypeJWT,


@ -56,6 +56,9 @@ func (a *Authenticator) GetAuthCodeURL(ctx context.Context, redirectURI string,
authCodeOpts := []oauth2.AuthCodeOption{ authCodeOpts := []oauth2.AuthCodeOption{
oidc.Nonce(nonce), oidc.Nonce(nonce),
} }
if len(a.config.OIDCACRValues) > 0 {
authCodeOpts = append(authCodeOpts, oauth2.SetAuthURLParam("acr_values", strings.Join(a.config.OIDCACRValues, " ")))
}
return oauth2Config.AuthCodeURL(stateID, authCodeOpts...), nil return oauth2Config.AuthCodeURL(stateID, authCodeOpts...), nil
} }
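Review bot: The `acr_values` parameter appended in the new `if` block is only a request hint — under OIDC Core 3.1.2.1 the OP may satisfy it with a different context or ignore it entirely — yet none of the seven files in this commit checks the `acr` claim of the returned ID token, so an operator who sets this to demand MFA gets no enforcement from Consul itself. If the package's existing bound-claims mechanism can target `acr` that may be enough, but it should be stated; at minimum I would add above the `if`: `// acr_values is advisory: the OP may ignore it and the resulting acr claim is not verified here. Bind or check the acr claim separately if a specific context is required.` Note also that an empty entry in OIDCACRValues produces a leading, trailing or doubled space in the joined value; better rejected in Config.Validate than sent. GetAuthCodeURL's signature and the lines before authCodeOpts are outside the hunk.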


@ -27,6 +27,7 @@ func setupForOIDC(t *testing.T) (*Authenticator, *oidcauthtest.Server) {
OIDCDiscoveryCACert: srv.CACert(), OIDCDiscoveryCACert: srv.CACert(),
OIDCClientID: "abc", OIDCClientID: "abc",
OIDCClientSecret: "def", OIDCClientSecret: "def",
OIDCACRValues: []string{"acr1", "acr2"},
JWTSupportedAlgs: []string{"ES256"}, JWTSupportedAlgs: []string{"ES256"},
BoundAudiences: []string{"abc"}, BoundAudiences: []string{"abc"},
AllowedRedirectURIs: []string{"https://example.com"}, AllowedRedirectURIs: []string{"https://example.com"},
@ -43,6 +44,7 @@ func setupForOIDC(t *testing.T) (*Authenticator, *oidcauthtest.Server) {
"/nested/Groups": "groups", "/nested/Groups": "groups",
}, },
} }
require.NoError(t, config.Validate()) require.NoError(t, config.Validate())
oa, err := New(config, hclog.NewNullLogger()) oa, err := New(config, hclog.NewNullLogger())
@ -72,6 +74,8 @@ func TestOIDC_AuthURL(t *testing.T) {
"redirect_uri": "https://example.com", "redirect_uri": "https://example.com",
"response_type": "code", "response_type": "code",
"scope": "openid", "scope": "openid",
// optional values
"acr_values": "acr1 acr2",
} }
au, err := url.Parse(authURL) au, err := url.Parse(authURL)


@ -70,6 +70,8 @@ parameters are required to properly configure an auth method of type
- `OIDCScopes` `(array<string>)` - A list of OIDC scopes. - `OIDCScopes` `(array<string>)` - A list of OIDC scopes.
- `OIDCACRValues` `(array<string>)` - A list of Authentication Context Class Reference values to use for the authentication request. See [OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1) for more info on this parameter. Added in v1.11.0.
- `JWTSupportedAlgs` `(array<string>)` - JWTSupportedAlgs is a list of - `JWTSupportedAlgs` `(array<string>)` - JWTSupportedAlgs is a list of
supported signing algorithms. Defaults to `RS256`. ([Available supported signing algorithms. Defaults to `RS256`. ([Available
algorithms](https://github.com/hashicorp/consul/blob/main/vendor/github.com/coreos/go-oidc/jose.go#L7)) algorithms](https://github.com/hashicorp/consul/blob/main/vendor/github.com/coreos/go-oidc/jose.go#L7))