Add oidc callback mode that is direct to server #318
Conversation
DrDaveD
force-pushed
the
oidc-code-flow-to-server
branch
2 times, most recently
from
e578eca
to
33438e3
Compare
DrDaveD
force-pushed
the
oidc-code-flow-to-server
branch
from
33438e3
to
933fef4
Compare
| } | ||
|
|
||
| callbackPort, ok := m[FieldCallbackPort] | ||
| if !ok { | ||
| callbackPort = port | ||
| if serverURL != nil { | ||
| callbackPort = serverURL.Port() + "/v1/auth/" + mount |
There was a problem hiding this comment.
Since I'm thinking about this, this precludes namespaces right? I think you'd need path.Join(namespace, mount) in the general case, for this to work with Vault Enterprise fwiw.
There was a problem hiding this comment.
I don't know anything about namespaces, and it doesn't otherwise occur in cli.go. There is another case in cli.go that already uses "/v1/auth" with mount so I think we should stick with the precedent.
| }, | ||
| }, | ||
| Operations: map[logical.Operation]framework.OperationHandler{ | ||
| logical.UpdateOperation: &framework.PathOperation{ |
There was a problem hiding this comment.
Should this be a logical.ReadOperation? I don't really view this poll as having updated the state, logically, to a user. Other read operations can update the state from time to time (PKI's CRL read for instance perhaps?), so I don't think we need to expose API operation == storage operation(s).
There was a problem hiding this comment.
|
Thanks for all the detailed comments. This is just to tell you that I won't be able to look at them closely this week, but should be able to the following week. |
|
I was waiting to write the docs until I had interest shown that the PR would be accepted. I have updated the docs now but am waiting to commit until I do some more testing. |
Signed-off-by: Dave Dykstra <[email protected]>
DrDaveD
force-pushed
the
oidc-code-flow-to-server
branch
from
933fef4
to
d621a33
Compare
|
I decided to go ahead and push it as-is but mark the PR as draft for now until I am able to do further testing |
This adds a new option to the oidc auth method role option called
callback_mode. When set todirectit enables the callback from the Authorization Server to be direct to bao instead of to the client. This allows clients from multiple users to share a machine because they do not need to share a port to listen on, and it also makes for easier management of firewalls, etc, because only the bao server needs to be configured to accept connections from the Authorization Server instead of every client.When
callback_mode=directis set, theoidc/auth_urlclient API returns additional parameters 'state' and 'poll_interval'. The client is then expected to call a new APIoidc/poll(instead ofoidc/callback) and try again everypoll_intervalseconds while the response is an http 400 errorauthorization_pending. When the Authorization Server instead calls theoidc/callbackapi, the response is in html because it goes to the user's web browser, and the authorization information is stored in the state entry until the next call to oidc/poll.The cli also has a new option
callbackmode=direct(without an underscore) to apply different defaults for theredirect_uriparameter, based on the $VAULT_ADDR environment variable. That is a convenience and is not strictly necessary in order to make it work. When there is astatein the response to theoidc/auth_urlAPI, instead of starting a listener the client calls back tooidc/polleverypoll_intervalseconds.cli_responses.go is renamed to html_responses.go because it's not used exclusively for cli (and in fact it already wasn't).
Essentially the same PR has been pending in hashicorp/vault-plugin-auth-jwt#130 for several years, and although several other people expressed an interest in it, no action has been taken to merge it yet there. It has been in production use for a couple of years through https://github.com/fermitools/htvault-config.