From 67339b71e8c791955f6cc549d652e9f762868ed1 Mon Sep 17 00:00:00 2001
From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Date: Fri, 5 Aug 2022 11:55:15 -0700
Subject: [PATCH] identity/oidc: fixes validation of the request and request_uri parameters (#16600)

* identity/oidc: add request_parameter_supported to discovery document
* adds changelog
---
 changelog/16600.txt | 3 +++
 ui/app/controllers/vault/cluster/oidc-provider.js | 4 ++++
 vault/identity_store_oidc_provider.go | 2 ++
 vault/identity_store_oidc_provider_test.go | 2 ++
 website/content/api-docs/secret/identity/oidc-provider.mdx | 1 +
 website/content/docs/secrets/identity/oidc-provider.mdx | 1 +
 6 files changed, 13 insertions(+)
 create mode 100644 changelog/16600.txt

diff --git a/changelog/16600.txt b/changelog/16600.txt
new file mode 100644
index 000000000..e0855f680
--- /dev/null
+++ b/changelog/16600.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity/oidc: Fixes validation of the `request` and `request_uri` parameters.
+```
diff --git a/ui/app/controllers/vault/cluster/oidc-provider.js b/ui/app/controllers/vault/cluster/oidc-provider.js
index 4030378fe..cd92bfcfc 100644
--- a/ui/app/controllers/vault/cluster/oidc-provider.js
+++ b/ui/app/controllers/vault/cluster/oidc-provider.js
@@ -13,6 +13,8 @@ export default class VaultClusterOidcProviderController extends Controller {
 'max_age',
 'code_challenge',
 'code_challenge_method',
+ 'request',
+ 'request_uri',
 ];
 scope = null;
 response_type = null;
@@ -25,4 +27,6 @@ export default class VaultClusterOidcProviderController extends Controller {
 max_age = null;
 code_challenge = null;
 code_challenge_method = null;
+ request = null;
+ request_uri = null;
 }
diff --git a/vault/identity_store_oidc_provider.go b/vault/identity_store_oidc_provider.go
index cd935a8ef..d8eac8643 100644
--- a/vault/identity_store_oidc_provider.go
+++ b/vault/identity_store_oidc_provider.go
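Review bot: The two entries `'request'` and `'request_uri'` added to the queryParams list (and the matching `request = null;` / `request_uri = null;` fields in the second hunk) carry no comment explaining why the UI now forwards parameters that the provider's discovery document advertises as unsupported; as written they read like any other accepted OIDC parameter and are an easy target for a later "cleanup". Suggest a trailing comment on the first added line, `'request', // forwarded unchanged so the provider, not the UI, decides whether to reject it`, or similar wording on both lines. The server-side handling the commit title refers to is presumably in the authorize handler and is not visible in this patch. The class body continues outside both hunks.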
@@ -154,6 +154,7 @@ type providerDiscovery struct {
 AuthorizationEndpoint string `json:"authorization_endpoint"`
 TokenEndpoint string `json:"token_endpoint"`
 UserinfoEndpoint string `json:"userinfo_endpoint"`
+ RequestParameter bool `json:"request_parameter_supported"`
 RequestURIParameter bool `json:"request_uri_parameter_supported"`
 IDTokenAlgs []string `json:"id_token_signing_alg_values_supported"`
 ResponseTypes []string `json:"response_types_supported"`
@@ -1473,6 +1474,7 @@ func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logi
 UserinfoEndpoint: p.effectiveIssuer + "/userinfo",
 IDTokenAlgs: supportedAlgs,
 Scopes: scopes,
+ RequestParameter: false,
 RequestURIParameter: false,
 ResponseTypes: []string{"code"},
 Subjects: []string{"public"},
diff --git a/vault/identity_store_oidc_provider_test.go b/vault/identity_store_oidc_provider_test.go
index b75b78b7d..1215121b1 100644
--- a/vault/identity_store_oidc_provider_test.go
+++ b/vault/identity_store_oidc_provider_test.go
@@ -3614,6 +3614,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 UserinfoEndpoint: basePath + "/userinfo",
 GrantTypes: []string{"authorization_code"},
 AuthMethods: []string{"none", "client_secret_basic"},
+ RequestParameter: false,
 RequestURIParameter: false,
 }
 discoveryResp := &providerDiscovery{}
@@ -3668,6 +3669,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
 UserinfoEndpoint: basePath + "/userinfo",
 GrantTypes: []string{"authorization_code"},
 AuthMethods: []string{"none", "client_secret_basic"},
+ RequestParameter: false,
 RequestURIParameter: false,
 }
 discoveryResp = &providerDiscovery{}
diff --git a/website/content/api-docs/secret/identity/oidc-provider.mdx b/website/content/api-docs/secret/identity/oidc-provider.mdx
index 0e896e46a..3867a3e46 100644
--- a/website/content/api-docs/secret/identity/oidc-provider.mdx
+++ b/website/content/api-docs/secret/identity/oidc-provider.mdx
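Review bot: The new `RequestParameter` field on `providerDiscovery` has no comment saying why it is always advertised as `false`, and the explicit `RequestParameter: false` literal in `pathOIDCProviderDiscovery` (the second hunk) repeats that without explanation, so a later reader may drop the line as redundant with the zero value and lose the signal that the value is deliberate. Suggest a field comment such as `// Always false: this provider does not accept JWT-secured authorization requests (request / request_uri); the authorize endpoint is expected to reject them rather than silently ignore them, since a client that believes its request object was honoured may otherwise act on the wrong parameters.`, and keeping the explicit literal in the handler. The `TestOIDC_Path_OpenIDProviderConfig` cases in the test hunks only pin the discovery value; whether the authorize handler actually returns the OIDC Core `request_not_supported` / `request_uri_not_supported` error is not visible in this patch and presumably lives outside it, so a test asserting that rejection would tie the advertised capability to the enforced one. `pathOIDCProviderDiscovery` starts and ends outside the hunk.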
@@ -577,6 +577,7 @@ $ curl \
 "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize",
 "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token",
 "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo",
+ "request_parameter_supported": false,
 "request_uri_parameter_supported": false,
 "id_token_signing_alg_values_supported": [
 "RS256",
diff --git a/website/content/docs/secrets/identity/oidc-provider.mdx b/website/content/docs/secrets/identity/oidc-provider.mdx
index 46278c47f..05527ceba 100644
--- a/website/content/docs/secrets/identity/oidc-provider.mdx
+++ b/website/content/docs/secrets/identity/oidc-provider.mdx
@@ -100,6 +100,7 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t
 "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/default/authorize",
 "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/token",
 "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/userinfo",
+ "request_parameter_supported": false,
 "request_uri_parameter_supported": false,
 "id_token_signing_alg_values_supported": [
 "RS256",