Add oidc callback mode that is direct to server #318
base: main
Conversation
e578eca to 33438e3
33438e3 to 933fef4
Thanks for this, it is looking fairly comprehensive @DrDaveD! One thing missing that I see off the top of my head is doc updates?
} | ||
|
||
callbackPort, ok := m[FieldCallbackPort] | ||
if !ok { | ||
callbackPort = port | ||
if serverURL != nil { | ||
callbackPort = serverURL.Port() + "/v1/auth/" + mount |
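Review bot: In the `if serverURL != nil` branch the value assigned to callbackPort is a port followed by a path (`serverURL.Port() + "/v1/auth/" + mount`), not a port, and `(*url.URL).Port()` returns the empty string when the address carries no explicit port (e.g. `https://bao.example.invalid` as a placeholder), so the spliced value would start with `/v1/auth/` and lose the port entirely. Fall back to the scheme default when `Port()` is empty (or build the full callback URL from serverURL instead of only its port), and rename the variable so it no longer suggests it holds just a port number.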
Since I'm thinking about this, this precludes namespaces right? I think you'd need path.Join(namespace, mount) in the general case, for this to work with Vault Enterprise fwiw.
I don't know anything about namespaces, and it doesn't otherwise occur in cli.go. There is another case in cli.go that already uses "/v1/auth" with mount so I think we should stick with the precedent.
}, | ||
}, | ||
Operations: map[logical.Operation]framework.OperationHandler{ | ||
logical.UpdateOperation: &framework.PathOperation{ |
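Review bot: With only `logical.UpdateOperation` registered here, the new poll endpoint can only be called with POST/PUT and the `state` value travels in the JSON body; the accompanying docs should state that verb and body explicitly, since nothing in this hunk does. If the operation is switched to a read as the thread suggests, note that read parameters are then passed as query-string values and will show up in proxy and server access logs, so the `state` value would need to be treated as short-lived and single-use in either case.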
Should this be a logical.ReadOperation? I don't really view this poll as having updated the state, logically, to a user. Other read operations can update the state from time to time (PKI's CRL read for instance perhaps?), so I don't think we need to expose API operation == storage operation(s).
Thanks for all the detailed comments. This is just to tell you that I won't be able to look at them closely this week, but should be able to the following week.
I was waiting to write the docs until I had interest shown that the PR would be accepted. I have updated the docs now but am waiting to commit until I do some more testing.
Signed-off-by: Dave Dykstra <[email protected]>
933fef4 to d621a33
I decided to go ahead and push it as-is but mark the PR as draft for now until I am able to do further testing.
This adds a new option to the oidc auth method role option called `callback_mode`. When set to `direct` it enables the callback from the Authorization Server to be direct to bao instead of to the client. This allows clients from multiple users to share a machine because they do not need to share a port to listen on, and it also makes for easier management of firewalls, etc, because only the bao server needs to be configured to accept connections from the Authorization Server instead of every client.

When `callback_mode=direct` is set, the `oidc/auth_url` client API returns additional parameters `state` and `poll_interval`. The client is then expected to call a new API `oidc/poll` (instead of `oidc/callback`) and try again every `poll_interval` seconds while the response is an http 400 error `authorization_pending`. When the Authorization Server instead calls the `oidc/callback` API, the response is in html because it goes to the user's web browser, and the authorization information is stored in the state entry until the next call to `oidc/poll`.

The cli also has a new option `callbackmode=direct` (without an underscore) to apply different defaults for the `redirect_uri` parameter, based on the $VAULT_ADDR environment variable. That is a convenience and is not strictly necessary in order to make it work. When there is a `state` in the response to the `oidc/auth_url` API, instead of starting a listener the client calls back to `oidc/poll` every `poll_interval` seconds.

cli_responses.go is renamed to html_responses.go because it's not used exclusively for cli (and in fact it already wasn't).
Essentially the same PR has been pending in hashicorp/vault-plugin-auth-jwt#130 for several years, and although several other people expressed an interest in it, no action has been taken to merge it yet there. It has been in production use for a couple of years through https://github.com/fermitools/htvault-config.