oidcccl: generate JWT auth token for cluster SSO
Epic: CC-24814

A new branch is added to the OIDC login flow that, instead of logging
the user in, renders a JWT from the resulting credentials in a new web
UI, suitable for use with cluster SSO.

This feature is configured by a few new cluster settings, all in the
server.oidc_authentication.generate_cluster_sso_token namespace:
- `.enabled` enables the feature.
- `.use_token` selects whether to use the `id_token` or the
  `access_token` from the credentials.
- `.sql_host` and `.sql_port` are used to render the resulting full
  connection string. (These are necessary because the cluster may be
  behind a load balancer.)

For configuring cluster SSO and DB Console SSO, see:
- https://www.cockroachlabs.com/docs/stable/sso-sql.html
- https://www.cockroachlabs.com/docs/stable/sso-db-console.html

Release note (enterprise change): New cluster settings in the
server.oidc_authentication.generate_cluster_sso_token namespace support
using OIDC to generate a JWT auth token for cluster SSO.

Release justification: Customer commitment.
matthewtodd committed Jun 27, 2023
1 parent b0ef999 commit 91291a5
Showing 20 changed files with 679 additions and 26 deletions.
2 changes: 1 addition & 1 deletion docs/generated/settings/settings-for-tenants.txt
Expand Up @@ -63,7 +63,7 @@ server.log_gc.max_deletions_per_cycle integer 1000 the maximum number of entries
server.log_gc.period duration 1h0m0s the period at which log-like system tables are checked for old entries
server.max_connections_per_gateway integer -1 the maximum number of non-superuser SQL connections per gateway allowed at a given time (note: this will only limit future connection attempts and will not affect already established connections). Negative values result in unlimited number of connections. Superusers are not affected by this limit.
server.oidc_authentication.autologin boolean false if true, logged-out visitors to the DB Console will be automatically redirected to the OIDC login endpoint
server.oidc_authentication.button_text string Login with your OIDC provider text to show on button on DB Console login page to login with your OIDC provider (only shown if OIDC is enabled)
server.oidc_authentication.button_text string Log in with your OIDC provider text to show on button on DB Console login page to login with your OIDC provider (only shown if OIDC is enabled)
server.oidc_authentication.claim_json_key string sets JSON key of principal to extract from payload after OIDC authentication completes (usually email or sid)
server.oidc_authentication.client_id string sets OIDC client id
server.oidc_authentication.client_secret string sets OIDC client secret
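Review bot: the default for `server.oidc_authentication.button_text` changes from "Login with your OIDC provider" to "Log in with your OIDC provider", but the description on the same row still reads "to login with your OIDC provider"; change that to "to log in" as well, and do it at the setting's definition in source, since this file is generated. The commit message does not mention the default-text change; because the value is user-visible on the DB Console login page, add a line for it to the release note.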
2 changes: 1 addition & 1 deletion docs/generated/settings/settings.html
Expand Up @@ -93,7 +93,7 @@
<tr><td><div id="setting-server-log-gc-period" class="anchored"><code>server.log_gc.period</code></div></td><td>duration</td><td><code>1h0m0s</code></td><td>the period at which log-like system tables are checked for old entries</td></tr>
<tr><td><div id="setting-server-max-connections-per-gateway" class="anchored"><code>server.max_connections_per_gateway</code></div></td><td>integer</td><td><code>-1</code></td><td>the maximum number of non-superuser SQL connections per gateway allowed at a given time (note: this will only limit future connection attempts and will not affect already established connections). Negative values result in unlimited number of connections. Superusers are not affected by this limit.</td></tr>
<tr><td><div id="setting-server-oidc-authentication-autologin" class="anchored"><code>server.oidc_authentication.autologin</code></div></td><td>boolean</td><td><code>false</code></td><td>if true, logged-out visitors to the DB Console will be automatically redirected to the OIDC login endpoint</td></tr>
<tr><td><div id="setting-server-oidc-authentication-button-text" class="anchored"><code>server.oidc_authentication.button_text</code></div></td><td>string</td><td><code>Login with your OIDC provider</code></td><td>text to show on button on DB Console login page to login with your OIDC provider (only shown if OIDC is enabled)</td></tr>
<tr><td><div id="setting-server-oidc-authentication-button-text" class="anchored"><code>server.oidc_authentication.button_text</code></div></td><td>string</td><td><code>Log in with your OIDC provider</code></td><td>text to show on button on DB Console login page to login with your OIDC provider (only shown if OIDC is enabled)</td></tr>
<tr><td><div id="setting-server-oidc-authentication-claim-json-key" class="anchored"><code>server.oidc_authentication.claim_json_key</code></div></td><td>string</td><td><code></code></td><td>sets JSON key of principal to extract from payload after OIDC authentication completes (usually email or sid)</td></tr>
<tr><td><div id="setting-server-oidc-authentication-client-id" class="anchored"><code>server.oidc_authentication.client_id</code></div></td><td>string</td><td><code></code></td><td>sets OIDC client id</td></tr>
<tr><td><div id="setting-server-oidc-authentication-client-secret" class="anchored"><code>server.oidc_authentication.client_secret</code></div></td><td>string</td><td><code></code></td><td>sets OIDC client secret</td></tr>
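Review bot: the `id="setting-server-oidc-authentication-button-text"` anchor is unchanged, so existing documentation links to this row keep working, and the change matches settings-for-tenants.txt so the two generated files stay consistent. The only remaining nit is the description cell, "text to show on button on DB Console login page to login with your OIDC provider", which should read "to log in" to match the new default; fix it once at the setting definition and regenerate both files.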
4 changes: 4 additions & 0 deletions pkg/ccl/oidcccl/BUILD.bazel
Expand Up @@ -12,13 +12,17 @@ go_library(
importpath = "github.com/cockroachdb/cockroach/pkg/ccl/oidcccl",
visibility = ["//visibility:public"],
deps = [
"//pkg/ccl/jwtauthccl",
"//pkg/ccl/utilccl",
"//pkg/roachpb",
"//pkg/security/username",
"//pkg/server",
"//pkg/server/serverpb",
"//pkg/server/telemetry",
"//pkg/settings",
"//pkg/settings/cluster",
"//pkg/sql/pgwire",
"//pkg/sql/pgwire/identmap",
"//pkg/ui",
"//pkg/util/log",
"//pkg/util/protoutil",
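Review bot: `//pkg/ccl/oidcccl` now depends on `//pkg/ccl/jwtauthccl`, `//pkg/sql/pgwire` and `//pkg/sql/pgwire/identmap`; confirm that none of those packages import oidcccl (an import cycle only surfaces at build time), and make sure the identity-map resolution that the `identmap` dependency implies is exercised by a test, since mapping the OIDC principal to a SQL user is the authorization-relevant step of the new token flow. Adding `//pkg/settings` alongside the existing `//pkg/settings/cluster` is expected for the new cluster settings the commit message describes.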
