Updates the JWT/OIDC auth plugin to v0.9.2 (#11157)
parent
28aba513f2
commit
985fa230ce
2
go.mod
2
go.mod
|
@ -83,7 +83,7 @@ require (
|
|||
github.com/hashicorp/vault-plugin-auth-centrify v0.8.0
|
||||
github.com/hashicorp/vault-plugin-auth-cf v0.8.0
|
||||
github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.9.1
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.9.2
|
||||
github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
|
||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0
|
||||
github.com/hashicorp/vault-plugin-auth-oci v0.7.0
|
||||
|
|
4
go.sum
4
go.sum
|
@ -694,8 +694,8 @@ github.com/hashicorp/vault-plugin-auth-cf v0.8.0/go.mod h1:exPUMj8yNohKM7yRiHa7O
|
|||
github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
|
||||
github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 h1:57uJ2Vqo+M+W7pD8xEONKJ1BBGS8V4xpm7VU56A9RWA=
|
||||
github.com/hashicorp/vault-plugin-auth-gcp v0.9.0/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.9.1 h1:8CnT8z+o26/c8PUUhvp+BaiDSIgA5giazyYbZlfNJ5Q=
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.9.1/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.9.2 h1:ghOYlco5t4q+rNecMWC5Cb8jguLiig168jYlBc5QtKk=
|
||||
github.com/hashicorp/vault-plugin-auth-jwt v0.9.2/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
|
||||
github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 h1:QxW0gRevydrNfRvo1qI6p0jQkhedLUgiWqpCN36RXoQ=
|
||||
github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0/go.mod h1:h+7pLm4Z2EeKHOGPefX0bGzdUQCMBUlvM/BpSMNgTFw=
|
||||
github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0 h1:X/eXFuJqVW8YN73ohTaI5YyCwcjd6C3mpnMv/elkNrw=
|
||||
|
|
|
@ -16,6 +16,7 @@ import (
|
|||
"github.com/hashicorp/vault/sdk/helper/cidrutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/strutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -216,9 +217,15 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
|
|||
if oidcReq.idToken == "" {
|
||||
return logical.ErrorResponse(errLoginFailed + " No code or id_token received."), nil
|
||||
}
|
||||
|
||||
// Verify the ID token received from the authentication response.
|
||||
rawToken = oidc.IDToken(oidcReq.idToken)
|
||||
if _, err := provider.VerifyIDToken(ctx, rawToken, oidcReq); err != nil {
|
||||
return logical.ErrorResponse("%s %s", errTokenVerification, err.Error()), nil
|
||||
}
|
||||
} else {
|
||||
// ID token verification takes place in exchange
|
||||
// Exchange the authorization code for an ID token and access token.
|
||||
// ID token verification takes place in provider.Exchange.
|
||||
token, err = provider.Exchange(ctx, oidcReq, stateID, code)
|
||||
if err != nil {
|
||||
return logical.ErrorResponse(errLoginFailed+" Error exchanging oidc code: %q.", err.Error()), nil
|
||||
|
@ -256,15 +263,25 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
|
|||
return nil, errors.New("sub claim does not match bound subject")
|
||||
}
|
||||
|
||||
// Set the token source for the access token if it's available. It will only
|
||||
// be available for the authorization code flow (oidc_response_types=code).
|
||||
// The access token will be used for fetching additional user and group info.
|
||||
var tokenSource oauth2.TokenSource
|
||||
if token != nil {
|
||||
tokenSource = token.StaticTokenSource()
|
||||
}
|
||||
|
||||
// If we have a token, attempt to fetch information from the /userinfo endpoint
|
||||
// and merge it with the existing claims data. A failure to fetch additional information
|
||||
// from this endpoint will not invalidate the authorization flow.
|
||||
if err := provider.UserInfo(ctx, token.StaticTokenSource(), subject, &allClaims); err != nil {
|
||||
logFunc := b.Logger().Warn
|
||||
if strings.Contains(err.Error(), "user info endpoint is not supported") {
|
||||
logFunc = b.Logger().Info
|
||||
if tokenSource != nil {
|
||||
if err := provider.UserInfo(ctx, tokenSource, subject, &allClaims); err != nil {
|
||||
logFunc := b.Logger().Warn
|
||||
if strings.Contains(err.Error(), "user info endpoint is not supported") {
|
||||
logFunc = b.Logger().Info
|
||||
}
|
||||
logFunc("error reading /userinfo endpoint", "error", err)
|
||||
}
|
||||
logFunc("error reading /userinfo endpoint", "error", err)
|
||||
}
|
||||
|
||||
if role.VerboseOIDCLogging {
|
||||
|
@ -275,7 +292,7 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
|
|||
}
|
||||
}
|
||||
|
||||
alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, token.StaticTokenSource())
|
||||
alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, tokenSource)
|
||||
if err != nil {
|
||||
return logical.ErrorResponse(err.Error()), nil
|
||||
}
|
||||
|
|
|
@ -563,7 +563,7 @@ github.com/hashicorp/vault-plugin-auth-cf/util
|
|||
# github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
|
||||
github.com/hashicorp/vault-plugin-auth-gcp/plugin
|
||||
github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
|
||||
# github.com/hashicorp/vault-plugin-auth-jwt v0.9.1
|
||||
# github.com/hashicorp/vault-plugin-auth-jwt v0.9.2
|
||||
github.com/hashicorp/vault-plugin-auth-jwt
|
||||
# github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
|
||||
github.com/hashicorp/vault-plugin-auth-kerberos
|
||||
|
|