Commit graph

40 commits

Author SHA1 Message Date
Márk Sági-Kazár 258b2ef740
Upgrade go-jose library to v3 (#20559)
* upgrade go-jose library to v3

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* chore: fix unnecessary import alias

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

---------

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2023-05-23 12:25:58 +00:00
Anton Averchenkov 31d33f189f
openapi: A few fixes for display attributes (#20549) 2023-05-11 17:20:11 -04:00
Anton Averchenkov f69bea9161
openapi: Add display attributes for identity/oidc (#19758) 2023-04-12 15:44:07 -04:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Max Bowsher 9d863a92ce
Fix multiple OpenAPI generation issues with new AST-based generator (#18554)
* Regexp metacharacter `.` should be escaped when used literally

The paths including `/.well-known/` in the Vault API could currently
technically be invoked with any random character in place of the dot.

* Replace implementation of OpenAPI path translator with regexp AST-based one

* Add changelog

* Typo fix from PR review - thanks!

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Add comment based on review feedback

* Change style of error handling as suggested in code review

* Make a further tweak to the handling of the error case

* Add more tests, testing cases which fail with the previous implementation

* Resolve issue with a test, and improve comment

---------

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-01-31 16:27:39 -05:00
Austin Gebauer 1ea50db6c6
identity/oidc: adds claims_supported to discovery document (#16992)
* identity/oidc: adds claims_supported to discovery document

* adds changelog
2022-09-02 09:19:25 -07:00
Austin Gebauer ed143c5678
identity/oidc: reorder authorization endpoint validation for invalid redirect uris (#16601)
* identity/oidc: reorder authorization endpoint validation for invalid redirect uris

* adds changelog

* use provider.allowedClientID
2022-08-08 09:02:18 -07:00
Austin Gebauer 59831a8d5c
identity/oidc: adds client_secret_post token endpoint authentication method (#16598)
* identity/oidc: adds client_secret_post token endpoint authentication method

* fix test

* adds changelog
2022-08-08 08:41:09 -07:00
Austin Gebauer 67339b71e8
identity/oidc: fixes validation of the request and request_uri parameters (#16600)
* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
2022-08-05 11:55:15 -07:00
Austin Gebauer a2bc8cfb96
identity/oidc: change the state parameter to optional (#16599)
* identity/oidc: change the state parameter to optional

* adds changelog

* update docs
2022-08-05 11:37:24 -07:00
Austin Gebauer e2d3846a25
identity/oidc: adds detailed listing capability for clients and providers (#16567)
* identity/oidc: adds detailed listing capability for clients and providers

* change approach to use ListResponseWithInfo

* adds changelog
2022-08-04 10:10:28 -07:00
Austin Gebauer b3f138679c
identity/oidc: allow filtering the list providers response by an allowed_client_id (#16181)
* identity/oidc: allow filtering the list providers response by an allowed_client_id

* adds changelog

* adds api documentation

* use identity store view in list provider test
2022-07-28 09:47:53 -07:00
Austin Gebauer 462a924722
identity/oidc: Adds default provider, key, and allow_all assignment (#14119) 2022-02-22 08:33:19 -08:00
Austin Gebauer 34d295e28f
identity/oidc: Adds proof key for code exchange (PKCE) support (#13917) 2022-02-15 12:02:22 -08:00
Austin Gebauer 88a8103ad6
identity/oidc: use inherited group membership for client assignments (#14013) 2022-02-11 11:40:44 -08:00
Austin Gebauer 4c12c2bb42
identity/oidc: adds tests for validation of loopback IP redirect URIs (#13939)
* identity/oidc: adds tests for validation of loopback IP redirect URIs

* Update vault/identity_store_oidc_provider_test.go

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-02-07 12:50:36 -08:00
Joe 8d169d48d3
identity/oidc: loopback redirect dynamic port (#13871)
* Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address.

* Update changelog/13871.txt

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update redirectURI check to match that for the OIDC auth method.

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2022-02-07 10:34:33 -08:00
Josh Black d249fad2df
reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
Austin Gebauer d5f4fbecc1
identity/oidc: optional nonce parameter for authorize request (#13231) 2021-11-22 09:42:22 -08:00
John-Michael Faircloth e6ffaaf835
OIDC: return full issuer uri on read provider (#13058)
* return full issuer uri on read provider

* remove err check

* simplify full issuer logic
2021-11-10 12:35:31 -06:00
Austin Gebauer 83dcbc0cd5
Deny access to UserInfo endpoint if client no longer allowed by provider (#12949) 2021-10-28 09:46:07 -07:00
Austin Gebauer e5b45b5416
Adds check to ensure authorization code can only be exchanged by the issuing provider (#12948) 2021-10-28 09:45:41 -07:00
Austin Gebauer b3fab954fe
Use mutex in OIDC configuration handlers (#12932) 2021-10-27 08:23:05 -07:00
Brian Kassouf c705adc79c
Fix some linting errors (#12860) 2021-10-18 17:29:47 -07:00
Austin Gebauer 4e5b865c4f
Rename scopes to scopes_supported for OIDC providers (#12851) 2021-10-15 19:33:32 -07:00
Austin Gebauer 0551f91068
Adds OIDC Token and UserInfo endpoints (#12711) 2021-10-13 18:59:36 -07:00
John-Michael Faircloth e72c15426b
OIDC: Unique prefix to client_secret (#12745)
* Unique prefix to client_id and client_secret

* only prefix client secret and use constants

* split client secret checks
2021-10-08 16:02:20 -05:00
vinay-gopalan 680e8515fa
[VAULT-3472] Cap Client id_token_ttl field to associated Key's verification_ttl (#12677) 2021-10-01 10:47:40 -07:00
Austin Gebauer b58913ad9f
Adds OIDC Authorization Endpoint to OIDC providers (#12538) 2021-09-27 10:55:29 -07:00
Austin Gebauer da394f34b1
Adds additional OIDC discovery metadata (#12623) 2021-09-27 10:05:55 -07:00
Austin Gebauer 93f8d248d3
Use durations for ID and access token TTLs (#12632) 2021-09-27 10:05:28 -07:00
John-Michael Faircloth bee9f25277
OIDC provider: show success message in CLI (#12574) 2021-09-17 11:41:08 -05:00
John-Michael Faircloth c42c9993a0
feature: OIDC keys endpoint (#12525)
* add keys path and initial handler

* read provider public keys

* add test cases

* remove some debug logs

* update tests after merging main

* refactor list all clients

* refactor logic to collect Key IDs
2021-09-14 15:37:53 -05:00
John-Michael Faircloth 01011973a3
feature: OIDC discovery endpoint (#12481)
* OIDC Provider: implement discovery endpoint

* handle case when provider does not exist

* refactor providerDiscover struct and add scopes_supported

* fix authz endpoint
2021-09-07 13:35:23 -05:00
vinay-gopalan c99cf35b6a
[VAULT-3347] Ensure Deduplication in Provider and Client APIs in OIDC Provider (#12460)
* add deduplication for Provider

* add deduplication to provider client API

* add changelog

* delete changelog

* update comments

* update test names
2021-08-30 13:57:28 -07:00
Nick Cabatoff 0762f9003d
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 15:31:11 -04:00
vinay-gopalan 6338f3dc62
feature: OIDC Provider API (#12279) 2021-08-26 10:13:51 -07:00
John-Michael Faircloth fec8e8b21a
feature: OIDC provider client API (#12272)
* initial commit

* add read and delete operations

* fix bug in delete and add list unit test

* func doc typo fix

* add existence check for assignment

* remove locking on the assignment resource

It is not needed at this time.

* convert Callbacks to Operations

- convert Callbacks to Operations
- add test case for update operations

* add CRUD operations and test cases

* add client api and tests

* remove use of oidcCache

* remove use of oidcCache

* add template validation and update tests

* remove usage of oidcCache

* refactor struct and var names

* harmonize test name conventions

* refactor struct and var names

* add changelog and refactor

- add changelog
- be more explicit in the case where we do not recieve a path field

* refactor

be more explicit in the case where a field is not provided

* remove extra period from changelog

* update scope path to be OIDC provider specific

* refactor naming conventions

* update assignment path

* update scope path

* enforce key existence on client creation

* removed unused name field

* removed unused name field

* removed unused name field

* prevent assignment deletion when ref'ed by a client

* enfoce assignment existence on client create/update

* update scope template description

* error when attempting to created scope with openid reserved name

* fix UT failures after requiring assignment existence

* disallow key deletion when ref'ed by existing client

* generate client_id and client_secret on CreateOp

* do not allow key modification on client update

* return client_id and client_secret on read ops

* small refactor

* fix bug in delete assignment op

* remove client secret get call
2021-08-23 08:42:31 -05:00
John-Michael Faircloth 2b3da872b3
feature: OIDC provider scope API (#12266)
* initial commit

* add read and delete operations

* fix bug in delete and add list unit test

* func doc typo fix

* add existence check for assignment

* remove locking on the assignment resource

It is not needed at this time.

* convert Callbacks to Operations

- convert Callbacks to Operations
- add test case for update operations

* add CRUD operations and test cases

* remove use of oidcCache

* remove use of oidcCache

* add template validation and update tests

* refactor struct and var names

* harmonize test name conventions

* refactor struct and var names

* add changelog and refactor

- add changelog
- be more explicit in the case where we do not recieve a path field

* refactor

be more explicit in the case where a field is not provided

* remove extra period from changelog

* update scope path to be OIDC provider specific

* update assignment path

* update scope path

* removed unused name field

* removed unused name field

* update scope template description

* error when attempting to created scope with openid reserved name
2021-08-18 13:20:27 -05:00
John-Michael Faircloth 40fd60342a
feature: OIDC provider assignment API (#12198)
* initial commit

* add read and delete operations

* fix bug in delete and add list unit test

* func doc typo fix

* add existence check for assignment

* remove locking on the assignment resource

It is not needed at this time.

* convert Callbacks to Operations

- convert Callbacks to Operations
- add test case for update operations

* remove use of oidcCache

* refactor struct and var names

* harmonize test name conventions

* add changelog and refactor

- add changelog
- be more explicit in the case where we do not recieve a path field

* remove extra period from changelog

* update assignment path

* removed unused name field
2021-08-17 15:55:06 -05:00