From a9230fb0b72e76134d4fa76db14d22b09488c8a2 Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Thu, 26 Jan 2023 15:54:16 +0100
Subject: [PATCH] acl: JWT auth method

---
 nomad/structs/acl.go | 65 ++++++++++++++++---
 website/content/api-docs/acl/auth-methods.mdx | 5 +-
 2 files changed, 58 insertions(+), 12 deletions(-)

diff --git a/nomad/structs/acl.go b/nomad/structs/acl.go
index 43f0910b3..7bb7f8fea 100644
--- a/nomad/structs/acl.go
+++ b/nomad/structs/acl.go
@@ -915,16 +915,61 @@ func (a *ACLAuthMethod) TokenLocalityIsGlobal() bool { return a.TokenLocality == // ACLAuthMethodConfig is used to store configuration of an auth method type ACLAuthMethodConfig struct { - OIDCDiscoveryURL string - OIDCClientID string - OIDCClientSecret string - OIDCScopes []string - BoundAudiences []string + // A list of PEM-encoded public keys to use to authenticate signatures + // locally + JWTValidationPubKeys []string + + // JSON Web Key Sets url for authenticating signatures + JWKSURL string + + // The OIDC Discovery URL, without any .well-known component (base path) + OIDCDiscoveryURL string + + // The OAuth Client ID configured with the OIDC provider + OIDCClientID string + + // The OAuth Client Secret configured with the OIDC provider + OIDCClientSecret string + + // List of OIDC scopes + OIDCScopes []string + + // List of auth claims that are valid for login + BoundAudiences []string + + // The value against which to match the iss claim in a JWT + BoundIssuer []string + + // A list of allowed values for redirect_uri AllowedRedirectURIs []string - DiscoveryCaPem []string - SigningAlgs []string - ClaimMappings map[string]string - ListClaimMappings map[string]string + + // PEM encoded CA certs for use by the TLS client used to talk with the + // OIDC Discovery URL. + DiscoveryCaPem []string + + // PEM encoded CA cert for use by the TLS client used to talk with the JWKS + // URL + JWKSCACert string + + // A list of supported signing algorithms + SigningAlgs []string + + // Duration in seconds of leeway when validating expiration of a token to + // account for clock skew + ExpirationLeeway time.Duration + + // Duration in seconds of leeway when validating not before values of a + // token to account for clock skew. + NotBeforeLeeway time.Duration + + // Duration in seconds of leeway when validating all claims to account for + // clock skew. 
+ ClockSkewLeeway time.Duration + + // Mappings of claims (key) that will be copied to a metadata field + // (value). + ClaimMappings map[string]string + ListClaimMappings map[string]string } func (a *ACLAuthMethodConfig) Copy() *ACLAuthMethodConfig { @@ -935,8 +980,10 @@ func (a *ACLAuthMethodConfig) Copy() *ACLAuthMethodConfig { c := new(ACLAuthMethodConfig) *c = *a + c.JWTValidationPubKeys = slices.Clone(a.JWTValidationPubKeys) c.OIDCScopes = slices.Clone(a.OIDCScopes) c.BoundAudiences = slices.Clone(a.BoundAudiences) + c.BoundIssuer = slices.Clone(a.BoundIssuer) c.AllowedRedirectURIs = slices.Clone(a.AllowedRedirectURIs) c.DiscoveryCaPem = slices.Clone(a.DiscoveryCaPem) c.SigningAlgs = slices.Clone(a.SigningAlgs) diff --git a/website/content/api-docs/acl/auth-methods.mdx b/website/content/api-docs/acl/auth-methods.mdx index 7ad9b02a6..3a39a7322 100644 --- a/website/content/api-docs/acl/auth-methods.mdx +++ b/website/content/api-docs/acl/auth-methods.mdx @@ -31,8 +31,7 @@ The table below shows this endpoint's support for Method. The name can contain alphanumeric characters, dashes, and underscores. This name must be unique and must not exceed 128 characters. -- `Type` `(string: )` - ACL Auth Role SSO identifier. Currently, the - only supported Type is "OIDC." +- `Type` `(string: )` - ACL Auth Role SSO identifier. - `TokenLocality` `(string: )` - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be @@ -62,7 +61,7 @@ The table below shows this endpoint's support for - `OIDCScopes` `(array)` - List of OIDC scopes. - - `BoundAudiences` `(array)` - List of aud claims that are valid for + - `BoundAudiences` `(array)` - List of auth claims that are valid for login; any match is sufficient. - `AllowedRedirectURIs` `(array)` - A list of allowed values for
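Review bot: The doc comments on ExpirationLeeway, NotBeforeLeeway and ClockSkewLeeway say "Duration in seconds" while the fields are time.Duration, so an operator who follows the comment and supplies a bare integer gets nanoseconds (effectively no leeway) and a reader of the generated API docs cannot tell which unit is expected; reword each to name the type, e.g. `// Leeway, a time.Duration, granted when validating the exp claim to tolerate clock skew`. Two neighbouring comments mis-describe their field as well: BoundAudiences says "List of auth claims" although the claim matched is aud, so `// List of aud claim values that are valid for login; any match is sufficient`, and BoundIssuer is a []string documented as "The value", so `// Allowed values for the iss claim; any match is sufficient`. Because leeway widens the window in which an expired or not-yet-valid token is accepted, wherever this config is validated (not part of this diff) it should reject negative values and cap the maximum, and it should presumably require exactly one of JWTValidationPubKeys, JWKSURL and OIDCDiscoveryURL, since a method with none of them has no trust anchor and one with several has an ambiguous one. The trailing context line opens Copy, whose body lies outside this hunk.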
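Review bot: Copy now clones JWTValidationPubKeys and BoundIssuer, but the diffstat (58 insertions, nearly all in the struct hunk) suggests nothing else in acl.go changed, so any sibling that enumerates config fields — an Equal used to detect auth-method updates, a Validate, or a redaction/Stringer path that keeps OIDCClientSecret out of logs and API responses — would still ignore the new fields; please confirm and extend those in the same change. The rest of Copy, including whatever handles ClaimMappings and ListClaimMappings, is outside this hunk. While the field-by-field copy is maintained by hand, a test asserting that Copy's result compares equal to the original yet shares no slice backing array or map would catch the next omission.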