acl: JWT auth method

2023-01-26 15:54:16 +01:00 · 2023-01-26 15:54:16 +01:00 · a9230fb0b7
parent 76284a09a0
commit a9230fb0b7
2 changed files with 58 additions and 12 deletions
--- a/nomad/structs/acl.go
+++ b/nomad/structs/acl.go
@ -915,16 +915,61 @@ func (a *ACLAuthMethod) TokenLocalityIsGlobal() bool { return a.TokenLocality ==

 // ACLAuthMethodConfig is used to store configuration of an auth method
 type ACLAuthMethodConfig struct {
-	OIDCDiscoveryURL    string
-	OIDCClientID        string
-	OIDCClientSecret    string
-	OIDCScopes          []string
-	BoundAudiences      []string
+	// A list of PEM-encoded public keys to use to authenticate signatures
+	// locally
+	JWTValidationPubKeys []string
+
+	// JSON Web Key Sets url for authenticating signatures
+	JWKSURL string
+
+	// The OIDC Discovery URL, without any .well-known component (base path)
+	OIDCDiscoveryURL string
+
+	// The OAuth Client ID configured with the OIDC provider
+	OIDCClientID string
+
+	// The OAuth Client Secret configured with the OIDC provider
+	OIDCClientSecret string
+
+	// List of OIDC scopes
+	OIDCScopes []string
+
+	// List of auth claims that are valid for login
+	BoundAudiences []string
+
+	// The value against which to match the iss claim in a JWT
+	BoundIssuer []string
+
+	// A list of allowed values for redirect_uri
 	AllowedRedirectURIs []string
-	DiscoveryCaPem      []string
-	SigningAlgs         []string
-	ClaimMappings       map[string]string
-	ListClaimMappings   map[string]string
+
+	// PEM encoded CA certs for use by the TLS client used to talk with the
+	// OIDC Discovery URL.
+	DiscoveryCaPem []string
+
+	// PEM encoded CA cert for use by the TLS client used to talk with the JWKS
+	// URL
+	JWKSCACert string
+
+	// A list of supported signing algorithms
+	SigningAlgs []string
+
+	// Duration in seconds of leeway when validating expiration of a token to
+	// account for clock skew
+	ExpirationLeeway time.Duration
+
+	// Duration in seconds of leeway when validating not before values of a
+	// token to account for clock skew.
+	NotBeforeLeeway time.Duration
+
+	// Duration in seconds of leeway when validating all claims to account for
+	// clock skew.
+	ClockSkewLeeway time.Duration
+
+	// Mappings of claims (key) that will be copied to a metadata field
+	// (value).
+	ClaimMappings     map[string]string
+	ListClaimMappings map[string]string
 }

 func (a *ACLAuthMethodConfig) Copy() *ACLAuthMethodConfig {
@ -935,8 +980,10 @@ func (a *ACLAuthMethodConfig) Copy() *ACLAuthMethodConfig {
 	c := new(ACLAuthMethodConfig)
 	*c = *a

+	c.JWTValidationPubKeys = slices.Clone(a.JWTValidationPubKeys)
 	c.OIDCScopes = slices.Clone(a.OIDCScopes)
 	c.BoundAudiences = slices.Clone(a.BoundAudiences)
+	c.BoundIssuer = slices.Clone(a.BoundIssuer)
 	c.AllowedRedirectURIs = slices.Clone(a.AllowedRedirectURIs)
 	c.DiscoveryCaPem = slices.Clone(a.DiscoveryCaPem)
 	c.SigningAlgs = slices.Clone(a.SigningAlgs)
--- a/website/content/api-docs/acl/auth-methods.mdx
+++ b/website/content/api-docs/acl/auth-methods.mdx
@ -31,8 +31,7 @@ The table below shows this endpoint's support for
  Method.  The name can contain alphanumeric characters, dashes, and underscores.
  This name must be unique and must not exceed 128 characters.

- `Type` `(string: <required>)` - ACL Auth Role SSO identifier. Currently, the
-  only supported Type is "OIDC."
+- `Type` `(string: <required>)` - ACL Auth Role SSO identifier.

 - `TokenLocality` `(string: <required>)` - Defines whether the ACL Auth Method
  creates a local or global token when performing SSO login. This field must be
@ -62,7 +61,7 @@ The table below shows this endpoint's support for

  - `OIDCScopes` `(array<string>)` - List of OIDC scopes.

-  - `BoundAudiences` `(array<string>)` - List of aud claims that are valid for
+  - `BoundAudiences` `(array<string>)` - List of auth claims that are valid for
    login; any match is sufficient.

  - `AllowedRedirectURIs` `(array<string>)` - A list of allowed values for