identity/oidc: fixes validation of the request and request_uri parameters (#16600)

* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
Austin Gebauer 2022-08-05 11:55:15 -07:00 committed by GitHub
parent a2bc8cfb96
commit 67339b71e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 13 additions and 0 deletions

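--- a/changelog/16600.txt
+++ b/changelog/16600.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity/oidc: Fixes validation of the `request` and `request_uri` parameters.
+```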


@ -13,6 +13,8 @@ export default class VaultClusterOidcProviderController extends Controller {
'max_age', 'max_age',
'code_challenge', 'code_challenge',
'code_challenge_method', 'code_challenge_method',
'request',
'request_uri',
]; ];
scope = null; scope = null;
response_type = null; response_type = null;
@ -25,4 +27,6 @@ export default class VaultClusterOidcProviderController extends Controller {
max_age = null; max_age = null;
code_challenge = null; code_challenge = null;
code_challenge_method = null; code_challenge_method = null;
request = null;
request_uri = null;
} }
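Review bot: The new `'request'` and `'request_uri'` entries in `queryParams`, and the matching `request = null;` / `request_uri = null;` fields, carry no comment explaining why a provider that advertises both as unsupported still tracks them. Presumably they are listed so the UI passes them on to the authorize endpoint, which can then reject the request; without that, a client that sent a signed request object could get a response that quietly ignored it. A comment above the entries such as `// not supported by the provider; tracked so the authorize endpoint sees and rejects them` would keep a later cleanup from removing them. No UI test appears among the six changed files, so one that loads the authorize route with `request_uri` set and expects the error would pin the behaviour. The class body starts above the first hunk, so how the params are forwarded is not visible here.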


@ -154,6 +154,7 @@ type providerDiscovery struct {
AuthorizationEndpoint string `json:"authorization_endpoint"` AuthorizationEndpoint string `json:"authorization_endpoint"`
TokenEndpoint string `json:"token_endpoint"` TokenEndpoint string `json:"token_endpoint"`
UserinfoEndpoint string `json:"userinfo_endpoint"` UserinfoEndpoint string `json:"userinfo_endpoint"`
RequestParameter bool `json:"request_parameter_supported"`
RequestURIParameter bool `json:"request_uri_parameter_supported"` RequestURIParameter bool `json:"request_uri_parameter_supported"`
IDTokenAlgs []string `json:"id_token_signing_alg_values_supported"` IDTokenAlgs []string `json:"id_token_signing_alg_values_supported"`
ResponseTypes []string `json:"response_types_supported"` ResponseTypes []string `json:"response_types_supported"`
@ -1473,6 +1474,7 @@ func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logi
UserinfoEndpoint: p.effectiveIssuer + "/userinfo", UserinfoEndpoint: p.effectiveIssuer + "/userinfo",
IDTokenAlgs: supportedAlgs, IDTokenAlgs: supportedAlgs,
Scopes: scopes, Scopes: scopes,
RequestParameter: false,
RequestURIParameter: false, RequestURIParameter: false,
ResponseTypes: []string{"code"}, ResponseTypes: []string{"code"},
Subjects: []string{"public"}, Subjects: []string{"public"},
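Review bot: `RequestParameter: false` in the discovery response is a second hard-coded statement of what the authorize endpoint accepts, and nothing in this section ties it to the validation it describes. If the handler's checks and these two literals ever diverge, relying parties that read discovery would build requests the provider then treats differently than advertised. A comment on the struct fields, for example `// advertised as false; the authorize endpoint must reject both parameters`, would make the coupling visible. Both `providerDiscovery` and `pathOIDCProviderDiscovery` extend beyond the hunks shown, so whether a shared constant already exists cannot be seen here.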


@ -3614,6 +3614,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
UserinfoEndpoint: basePath + "/userinfo", UserinfoEndpoint: basePath + "/userinfo",
GrantTypes: []string{"authorization_code"}, GrantTypes: []string{"authorization_code"},
AuthMethods: []string{"none", "client_secret_basic"}, AuthMethods: []string{"none", "client_secret_basic"},
RequestParameter: false,
RequestURIParameter: false, RequestURIParameter: false,
} }
discoveryResp := &providerDiscovery{} discoveryResp := &providerDiscovery{}
@ -3668,6 +3669,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
UserinfoEndpoint: basePath + "/userinfo", UserinfoEndpoint: basePath + "/userinfo",
GrantTypes: []string{"authorization_code"}, GrantTypes: []string{"authorization_code"},
AuthMethods: []string{"none", "client_secret_basic"}, AuthMethods: []string{"none", "client_secret_basic"},
RequestParameter: false,
RequestURIParameter: false, RequestURIParameter: false,
} }
discoveryResp = &providerDiscovery{} discoveryResp = &providerDiscovery{}
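Review bot: The added `RequestParameter: false` in both expected structs cannot fail, because `false` is the zero value of the field and the response is compared after decoding into `&providerDiscovery{}`; a discovery document that omits the key decodes to the same struct. That matters most for the neighbouring `request_uri_parameter_supported`, whose default under OpenID Connect Discovery is true when the key is absent, so a relying party would read an omission as support. Assuming the response body is available as JSON at that point, a presence check on the raw document would close the gap, e.g. `var raw map[string]interface{}` decoded from the body and then `if _, ok := raw["request_uri_parameter_supported"]; !ok { t.Fatal("key missing") }`. TestOIDC_Path_OpenIDProviderConfig starts and ends outside both hunks, so how the response is decoded is inferred from the visible `discoveryResp` lines.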


@ -577,6 +577,7 @@ $ curl \
"authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize", "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize",
"token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token", "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token",
"userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo", "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo",
"request_parameter_supported": false,
"request_uri_parameter_supported": false, "request_uri_parameter_supported": false,
"id_token_signing_alg_values_supported": [ "id_token_signing_alg_values_supported": [
"RS256", "RS256",


@ -100,6 +100,7 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t
"authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/default/authorize", "authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/default/authorize",
"token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/token", "token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/token",
"userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/userinfo", "userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/userinfo",
"request_parameter_supported": false,
"request_uri_parameter_supported": false, "request_uri_parameter_supported": false,
"id_token_signing_alg_values_supported": [ "id_token_signing_alg_values_supported": [
"RS256", "RS256",