sso/oidc: add support for acr_values request parameter (#11026)
Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
This commit is contained in:
parent
d4e2834856
commit
ea8ab90968
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:feature
|
||||||
|
sso/oidc: **(Enterprise only)** Add support for providing acr_values in OIDC auth flow
|
||||||
|
```
|
|
@ -388,6 +388,7 @@ type OIDCAuthMethodConfig struct {
|
||||||
OIDCClientID string `json:",omitempty"`
|
OIDCClientID string `json:",omitempty"`
|
||||||
OIDCClientSecret string `json:",omitempty"`
|
OIDCClientSecret string `json:",omitempty"`
|
||||||
OIDCScopes []string `json:",omitempty"`
|
OIDCScopes []string `json:",omitempty"`
|
||||||
|
OIDCACRValues []string `json:",omitempty"`
|
||||||
AllowedRedirectURIs []string `json:",omitempty"`
|
AllowedRedirectURIs []string `json:",omitempty"`
|
||||||
VerboseOIDCLogging bool `json:",omitempty"`
|
VerboseOIDCLogging bool `json:",omitempty"`
|
||||||
// just for type=jwt
|
// just for type=jwt
|
||||||
|
@ -415,6 +416,7 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
|
||||||
"OIDCClientID": c.OIDCClientID,
|
"OIDCClientID": c.OIDCClientID,
|
||||||
"OIDCClientSecret": c.OIDCClientSecret,
|
"OIDCClientSecret": c.OIDCClientSecret,
|
||||||
"OIDCScopes": c.OIDCScopes,
|
"OIDCScopes": c.OIDCScopes,
|
||||||
|
"OIDCACRValues": c.OIDCACRValues,
|
||||||
"AllowedRedirectURIs": c.AllowedRedirectURIs,
|
"AllowedRedirectURIs": c.AllowedRedirectURIs,
|
||||||
"VerboseOIDCLogging": c.VerboseOIDCLogging,
|
"VerboseOIDCLogging": c.VerboseOIDCLogging,
|
||||||
// just for type=jwt
|
// just for type=jwt
|
||||||
|
|
|
@ -90,6 +90,11 @@ type Config struct {
|
||||||
// Valid only if Type=oidc
|
// Valid only if Type=oidc
|
||||||
OIDCScopes []string
|
OIDCScopes []string
|
||||||
|
|
||||||
|
// Space-separated list of OIDC Authorization Context Class Reference values
|
||||||
|
//
|
||||||
|
// Valid only if Type=oidc
|
||||||
|
OIDCACRValues []string
|
||||||
|
|
||||||
// Comma-separated list of allowed values for redirect_uri
|
// Comma-separated list of allowed values for redirect_uri
|
||||||
//
|
//
|
||||||
// Valid only if Type=oidc
|
// Valid only if Type=oidc
|
||||||
|
@ -215,6 +220,8 @@ func (c *Config) Validate() error {
|
||||||
return fmt.Errorf("'OIDCClientSecret' must not be set for type %q", c.Type)
|
return fmt.Errorf("'OIDCClientSecret' must not be set for type %q", c.Type)
|
||||||
case len(c.OIDCScopes) != 0:
|
case len(c.OIDCScopes) != 0:
|
||||||
return fmt.Errorf("'OIDCScopes' must not be set for type %q", c.Type)
|
return fmt.Errorf("'OIDCScopes' must not be set for type %q", c.Type)
|
||||||
|
case len(c.OIDCACRValues) != 0:
|
||||||
|
return fmt.Errorf("'OIDCACRValues' must not be set for type %q", c.Type)
|
||||||
case len(c.AllowedRedirectURIs) != 0:
|
case len(c.AllowedRedirectURIs) != 0:
|
||||||
return fmt.Errorf("'AllowedRedirectURIs' must not be set for type %q", c.Type)
|
return fmt.Errorf("'AllowedRedirectURIs' must not be set for type %q", c.Type)
|
||||||
case c.VerboseOIDCLogging:
|
case c.VerboseOIDCLogging:
|
||||||
|
|
|
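Review bot: The new `case len(c.OIDCACRValues) != 0` only rejects the field for non-OIDC types; for Type=oidc the entries themselves are never checked, and since GetAuthCodeURL joins them with a single space into one `acr_values` parameter, an empty entry or one containing whitespace silently changes the request the provider sees. A check such as `for _, v := range c.OIDCACRValues { if v == "" || strings.ContainsAny(v, " \t\r\n") { return fmt.Errorf("'OIDCACRValues' entries must be non-empty and must not contain whitespace") } }` in the Type=oidc branch of Validate (which lies outside this hunk) would catch that at configuration time. The field comment added in the first hunk of this file, `// Space-separated list of OIDC Authorization Context Class Reference values`, also mismatches both the `[]string` type and the spec term used in the docs hunk; `// List of Authentication Context Class Reference values, sent to the provider joined by single spaces as the acr_values request parameter.` would be accurate.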
@ -371,6 +371,14 @@ func TestConfigValidate(t *testing.T) {
|
||||||
},
|
},
|
||||||
expectErr: "must not be set for type",
|
expectErr: "must not be set for type",
|
||||||
},
|
},
|
||||||
|
"incompatible with OIDCACRValues": {
|
||||||
|
config: Config{
|
||||||
|
Type: TypeJWT,
|
||||||
|
JWTValidationPubKeys: []string{testJWTPubKey},
|
||||||
|
OIDCACRValues: []string{"acr1"},
|
||||||
|
},
|
||||||
|
expectErr: "must not be set for type",
|
||||||
|
},
|
||||||
"incompatible with AllowedRedirectURIs": {
|
"incompatible with AllowedRedirectURIs": {
|
||||||
config: Config{
|
config: Config{
|
||||||
Type: TypeJWT,
|
Type: TypeJWT,
|
||||||
|
|
|
@ -56,6 +56,9 @@ func (a *Authenticator) GetAuthCodeURL(ctx context.Context, redirectURI string,
|
||||||
authCodeOpts := []oauth2.AuthCodeOption{
|
authCodeOpts := []oauth2.AuthCodeOption{
|
||||||
oidc.Nonce(nonce),
|
oidc.Nonce(nonce),
|
||||||
}
|
}
|
||||||
|
if len(a.config.OIDCACRValues) > 0 {
|
||||||
|
authCodeOpts = append(authCodeOpts, oauth2.SetAuthURLParam("acr_values", strings.Join(a.config.OIDCACRValues, " ")))
|
||||||
|
}
|
||||||
|
|
||||||
return oauth2Config.AuthCodeURL(stateID, authCodeOpts...), nil
|
return oauth2Config.AuthCodeURL(stateID, authCodeOpts...), nil
|
||||||
}
|
}
|
||||||
|
|
|
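Review bot: Setting `acr_values` on the authorization request only asks the provider for those authentication contexts; per the OIDC Core section linked in the docs hunk, acr_values is a voluntary request that the provider may ignore, and nothing in this change inspects the `acr` claim of the ID token that comes back. An operator who configures OIDCACRValues expecting a stronger authentication level to be enforced will not get that unless the returned `acr` is compared against the configured list after token verification, which would live outside this hunk. At minimum the Config field comment should state that the values are a request hint, e.g. `// OIDCACRValues are sent to the provider as acr_values; the provider may ignore them and the returned acr claim is not checked by this package.`. Note also that `strings.Join` needs the `strings` import in this file, which the hunk does not show.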
@ -27,6 +27,7 @@ func setupForOIDC(t *testing.T) (*Authenticator, *oidcauthtest.Server) {
|
||||||
OIDCDiscoveryCACert: srv.CACert(),
|
OIDCDiscoveryCACert: srv.CACert(),
|
||||||
OIDCClientID: "abc",
|
OIDCClientID: "abc",
|
||||||
OIDCClientSecret: "def",
|
OIDCClientSecret: "def",
|
||||||
|
OIDCACRValues: []string{"acr1", "acr2"},
|
||||||
JWTSupportedAlgs: []string{"ES256"},
|
JWTSupportedAlgs: []string{"ES256"},
|
||||||
BoundAudiences: []string{"abc"},
|
BoundAudiences: []string{"abc"},
|
||||||
AllowedRedirectURIs: []string{"https://example.com"},
|
AllowedRedirectURIs: []string{"https://example.com"},
|
||||||
|
@ -43,6 +44,7 @@ func setupForOIDC(t *testing.T) (*Authenticator, *oidcauthtest.Server) {
|
||||||
"/nested/Groups": "groups",
|
"/nested/Groups": "groups",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
require.NoError(t, config.Validate())
|
require.NoError(t, config.Validate())
|
||||||
|
|
||||||
oa, err := New(config, hclog.NewNullLogger())
|
oa, err := New(config, hclog.NewNullLogger())
|
||||||
|
@ -72,6 +74,8 @@ func TestOIDC_AuthURL(t *testing.T) {
|
||||||
"redirect_uri": "https://example.com",
|
"redirect_uri": "https://example.com",
|
||||||
"response_type": "code",
|
"response_type": "code",
|
||||||
"scope": "openid",
|
"scope": "openid",
|
||||||
|
// optional values
|
||||||
|
"acr_values": "acr1 acr2",
|
||||||
}
|
}
|
||||||
|
|
||||||
au, err := url.Parse(authURL)
|
au, err := url.Parse(authURL)
|
||||||
|
|
|
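Review bot: Adding `OIDCACRValues: []string{"acr1", "acr2"}` to the shared setupForOIDC fixture means every OIDC test now runs with acr_values set, so the `len(a.config.OIDCACRValues) > 0` branch that omits the parameter is no longer exercised by TestOIDC_AuthURL. A second case that builds the authenticator without OIDCACRValues and asserts that `acr_values` is absent from the parsed query would cover the omission path; how the expected map is compared against the query lies outside this hunk. The `// optional values` comment is vague on its own; `// optional values: present only because setupForOIDC sets OIDCACRValues` says why the entry is expected.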
@ -70,6 +70,8 @@ parameters are required to properly configure an auth method of type
|
||||||
|
|
||||||
- `OIDCScopes` `(array<string>)` - A list of OIDC scopes.
|
- `OIDCScopes` `(array<string>)` - A list of OIDC scopes.
|
||||||
|
|
||||||
|
- `OIDCACRValues` `(array<string>)` - A list of Authentication Context Class Reference values to use for the authentication request. See [OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1) for more info on this parameter. Added in v1.11.0.
|
||||||
|
|
||||||
- `JWTSupportedAlgs` `(array<string>)` - JWTSupportedAlgs is a list of
|
- `JWTSupportedAlgs` `(array<string>)` - JWTSupportedAlgs is a list of
|
||||||
supported signing algorithms. Defaults to `RS256`. ([Available
|
supported signing algorithms. Defaults to `RS256`. ([Available
|
||||||
algorithms](https://github.com/hashicorp/consul/blob/main/vendor/github.com/coreos/go-oidc/jose.go#L7))
|
algorithms](https://github.com/hashicorp/consul/blob/main/vendor/github.com/coreos/go-oidc/jose.go#L7))
|
||||||
|
|