feat(oidc): OIDC Prompt #4053

Merged
merged 3 commits into from
Nov 21, 2023
Conversation

@elimt elimt commented Nov 20, 2023

Boundary OIDC method does not currently support passing in prompts during authentication. This change adds the capability of passing OIDC prompts. Prompts are optional OIDC parameters that determine the behaviour of the authentication server: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

API

  1. Create OIDC auth method with select_account prompt
curl --location 'http://127.0.0.1:9200/v1/auth-methods' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $TOKEN' \
--data '{
    "type": "oidc",
    "name": "OIDC Name",
    "description": "OIDC Description",
    "scope_id": "global",
    "attributes": {
        "issuer": "https://sts.windows.net/TENANT_ID/",
        "client_id": "$CLIENT_ID",
        "client_secret": "$CLIENT_SECRET",
        "api_url_prefix": "http://localhost:9200",
        "disable_discovered_config_validation": false,
        "dry_run": false,
        "signing_algorithms": ["RS256"],
        "prompts": ["select_account"]
    }
}'
  2. Update OIDC auth method with multiple prompts
curl --location --request PATCH 'http://127.0.0.1:9200/v1/auth-methods/{id}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $TOKEN' \
--data '{
    "version": 1,
    "attributes": {
        "prompts": ["select_account", "consent"]
    }
}'

CLI

  1. Create OIDC auth method with select_account prompt
boundary auth-methods create oidc \
  -issuer "https://sts.windows.net/TENANT_ID/" \
  -client-id "$CLIENT_ID" \
  -client-secret "$CLIENT_SECRET" \
  -signing-algorithm RS256 \
  -api-url-prefix "$API_URL_PREFIX" \
  -name "azure" \
  -prompts "select_account"
Auth Method information:
  Created Time:         Thu, 16 Nov 2023 16:35:09 EST
  ID:                   amoidc_CFZkkKFTct
  Name:                 azure
  Type:                 oidc
  Updated Time:         Thu, 16 Nov 2023 16:35:09 EST
  Version:              1

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list
    managed-groups:
      create
      list

  Attributes:
    api_url_prefix:     http://localhost:9200
    callback_url:       http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          <CLIENT_ID>
    client_secret_hmac: <HMAC>
    issuer:             https://sts.windows.net/TENANT_ID/
    prompts:            [select_account]
    signing_algorithms: [RS256]
    state:              inactive

  2. Update OIDC auth method with multiple prompts
boundary auth-methods update oidc -id amoidc_CFZkkKFTct -prompts 'select_account' -prompts 'consent'

Auth Method information:
  Created Time:           Thu, 16 Nov 2023 16:35:09 EST
  ID:                     amoidc_CFZkkKFTct
  Is Primary For Scope:   true
  Name:                   azure
  Type:                   oidc
  Updated Time:           Thu, 16 Nov 2023 16:37:52 EST
  Version:                3

  Scope:
    ID:                   global
    Name:                 global
    Type:                 global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list
    managed-groups:
      create
      list

  Attributes:
    api_url_prefix:       http://localhost:9200
    callback_url:         http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:            <CLIENT_ID>
    client_secret_hmac:   <HMAC>
    issuer:               https://sts.windows.net/TENANT_ID/
    prompts:              [consent select_account]
    signing_algorithms:   [RS256]
    state:                active-public

Boundary OIDC method today does not support passing in prompts during authentication. Prompts are optional OIDC parameters that determine the behaviour of the authentication server: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

## Changes
Schema changes for supporting `prompts` for OIDC auth method.

- New `auth_oidc_prompt` table which contains all the prompts for OIDC auth method
- New `auth_oidc_prompt_enm` table which contains possible enum values for a prompt
  - Currently supported:
    - `none`: The Authorization Server MUST NOT display any authentication or consent user interface pages
    - `login`: The Authorization Server SHOULD prompt the End-User for reauthentication
    - `consent`: The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client
    - `select_account`: The Authorization Server SHOULD prompt the End-User to select a user account
- `oidc_auth_method_with_value_obj` view has been updated to return `prompt` value
* feat(oidc-prompt): repository changes for OIDC Prompt

Boundary OIDC method does not currently support passing in prompts during authentication. This change adds the capability of passing OIDC prompts. Prompts are optional OIDC parameters that determine the behaviour of the authentication server: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

### Changes

- Update create, read, write and delete repository changes to support new `Prompt` option for OIDC auth method
- Update test helper functions to support creating a test auth method with prompts
* feat(oidc-prompt): OIDC Prompt API

Boundary OIDC method does not currently support passing in prompts during authentication. This change adds the capability of passing OIDC prompts. Prompts are optional OIDC parameters that determine the behaviour of the authentication server: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

### Changes

- Add `prompt` option for OIDC auth method CLI create and update
- Pass configured prompt during OIDC authentication
- Add `prompt` API validation for create and update
- Add missed tests for prompt, immutable fields test, handler test
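As an added example (not code from this PR or from Boundary itself), the Go below shows the server-side handling the description refers to: a configured prompt set is checked against the same four values the `auth_oidc_prompt_enm` table allows, deduplicated as the `(oidc_method_id, prompt)` key would force, and rendered as the space-delimited `prompt` parameter on the authorization request. The endpoint, client id, state and nonce are placeholders, and the rule that `none` cannot be combined with other values comes from OIDC Core section 3.1.2.1, which the PR text does not quote.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// allowedPrompts mirrors the check constraint on auth_oidc_prompt_enm.
var allowedPrompts = map[string]bool{"none": true, "login": true, "consent": true, "select_account": true}

// normalizePrompts validates a configured prompt set: unknown values are rejected,
// duplicates collapse (as the (oidc_method_id, prompt) primary key would force) and
// "none" may not be mixed with interactive prompts (OIDC Core 3.1.2.1; assumed to be enforced by API validation).
func normalizePrompts(prompts []string) ([]string, error) {
	seen := map[string]bool{}
	out := []string{}
	for _, p := range prompts {
		p = strings.TrimSpace(p)
		if !allowedPrompts[p] {
			return nil, fmt.Errorf("unsupported prompt %q", p)
		}
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	if seen["none"] && len(out) > 1 {
		return nil, fmt.Errorf(`prompt "none" cannot be combined with other prompts`)
	}
	sort.Strings(out) // order carries no meaning; sorting gives stable storage and comparison
	return out, nil
}

// authorizationURL renders the authorization request; the space-delimited prompt
// parameter is only added when prompts are configured, since they are optional.
func authorizationURL(authEndpoint, clientID, redirectURI, state, nonce string, prompts []string) (string, error) {
	norm, err := normalizePrompts(prompts)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("scope", "openid")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce)
	if len(norm) > 0 {
		q.Set("prompt", strings.Join(norm, " ")) // encodes as prompt=consent+select_account
	}
	return authEndpoint + "?" + q.Encode(), nil
}

func main() {
	u, err := authorizationURL("https://idp.example/authorize", "CLIENT_ID", // placeholder values, constructed
		"http://localhost:9200/v1/auth-methods/oidc:authenticate:callback", "STATE", "NONCE", []string{"select_account", "consent"})
	fmt.Println(u, err)
}
```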

Database schema diff between main and llb-oidc-select-account @ 0bf3f83

To understand how these diffs are generated and some limitations see the documentation of the script.

Functions

Unchanged

Tables

diff --git a/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt.sql b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt.sql
new file mode 100644
index 000000000..a888e2cc6
--- /dev/null
+++ b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt.sql
@@ -0,0 +1,44 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_oidc_prompt; type: table; schema: public; owner: -
+--
+
+create table public.auth_oidc_prompt (
+    create_time public.wt_timestamp,
+    oidc_method_id public.wt_public_id not null,
+    prompt text not null
+);
+
+
+--
+-- name: table auth_oidc_prompt; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_oidc_prompt is 'auth_oidc_prompt entries are the prompts allowed for an oidc auth method.';
+
+
+--
+-- postgresql database dump complete
+--
+
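Review bot: The table comment on auth_oidc_prompt ("the prompts allowed for an oidc auth method") reads like an allow-list, but the PR description says these rows are the prompts Boundary passes in the authorization request for that method; consider "the prompts requested during authentication for an oidc auth method" so the comment matches the behaviour.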
diff --git a/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm.sql b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm.sql
new file mode 100644
index 000000000..d76f67889
--- /dev/null
+++ b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm.sql
@@ -0,0 +1,36 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_oidc_prompt_enm; type: table; schema: public; owner: -
+--
+
+create table public.auth_oidc_prompt_enm (
+    name text not null,
+    constraint only_predefined_auth_oidc_prompts_allowed check ((name = any (array['none'::text, 'login'::text, 'consent'::text, 'select_account'::text])))
+);
+
+
+--
+-- postgresql database dump complete
+--
+
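Review bot: The check constraint only_predefined_auth_oidc_prompts_allowed admits `none` alongside `login`, `consent` and `select_account`, and nothing in the schema stops one method from storing `none` together with one of the others; by the descriptions given above, `none` (no UI may be shown) contradicts each of the interactive prompts, so the create/update API validation listed in the description should reject that combination, and a test for it would be worth adding.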
diff --git a/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/public auth_oidc_prompt.sql b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/public auth_oidc_prompt.sql
new file mode 100644
index 000000000..983a687da
--- /dev/null
+++ b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/public auth_oidc_prompt.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/public auth_oidc_prompt_enm.sql b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/public auth_oidc_prompt_enm.sql
new file mode 100644
index 000000000..983a687da
--- /dev/null
+++ b/.schema-diff/tables_4dca1fbedefd52566a98102fe5dd9af3d16428a8/public auth_oidc_prompt_enm.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
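Review bot: This file and the one above it (`public auth_oidc_prompt.sql`, `public auth_oidc_prompt_enm.sql`) contain nothing but the pg_dump preamble, with no create table and no comment. The space in the file name suggests the schema-diff script split "public auth_oidc_prompt" on whitespace and dumped a non-existent object, so these two hunks carry no schema change and the script, not this migration, is what needs a fix.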

Views

diff --git a/.schema-diff/views_b6df5693b53b6d3f3e12e6328b19199b756884cb/oidc_auth_method_with_value_obj.sql b/.schema-diff/views_4dca1fbedefd52566a98102fe5dd9af3d16428a8/oidc_auth_method_with_value_obj.sql
index 34ff1f0c8..a85cdadfa 100644
--- a/.schema-diff/views_b6df5693b53b6d3f3e12e6328b19199b756884cb/oidc_auth_method_with_value_obj.sql
+++ b/.schema-diff/views_4dca1fbedefd52566a98102fe5dd9af3d16428a8/oidc_auth_method_with_value_obj.sql
@@ -43,6 +43,7 @@ select
     null::text as auds,
     null::bytea as certs,
     null::text as claims_scopes,
+    null::text as prompts,
     null::text as account_claim_maps;
 
 
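Review bot: Only the `null::text as prompts` placeholder column is visible in this view diff; the select arm that joins auth_oidc_prompt and emits the `|`-delimited prompts named in the updated comment does not appear here. Either the diff is truncated or the view still returns null for prompts on every row, so it is worth confirming against the migration that the populated arm was updated as well.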
@@ -50,7 +51,7 @@ select
 -- name: view oidc_auth_method_with_value_obj; type: comment; schema: public; owner: -
 --
 
-comment on view public.oidc_auth_method_with_value_obj is 'oidc auth method with its associated value objects (algs, auds, certs, scopes) as columns with | delimited values';
+comment on view public.oidc_auth_method_with_value_obj is 'oidc auth method with its associated value objects (algs, auds, certs, scopes, prompts) as columns with | delimited values';
 
 
 --

Triggers

diff --git a/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt default_create_time_column.sql b/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt default_create_time_column.sql
new file mode 100644
index 000000000..b12e11932
--- /dev/null
+++ b/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_oidc_prompt default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.auth_oidc_prompt for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt immutable_columns.sql b/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt immutable_columns.sql
new file mode 100644
index 000000000..f3a094bd3
--- /dev/null
+++ b/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_oidc_prompt immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_oidc_prompt for each row execute function public.immutable_columns('create_time', 'oidc_method_id', 'prompt');
+
+
+--
+-- postgresql database dump complete
+--
+
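Review bot: immutable_columns covers every column of auth_oidc_prompt (create_time, oidc_method_id, prompt), so the repository update for prompts described above can never UPDATE a row and has to delete and re-insert the set; make sure that happens in the same transaction as the auth method version bump so a failed write cannot leave a method with no prompts.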
diff --git a/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm immutable_columns.sql b/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm immutable_columns.sql
new file mode 100644
index 000000000..4014ef273
--- /dev/null
+++ b/.schema-diff/triggers_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_oidc_prompt_enm immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_oidc_prompt_enm for each row execute function public.immutable_columns('name');
+
+
+--
+-- postgresql database dump complete
+--
+

Indexes

Unchanged

Constraints

diff --git a/.schema-diff/constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm_pkey.sql b/.schema-diff/constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm_pkey.sql
new file mode 100644
index 000000000..2f1b73caa
--- /dev/null
+++ b/.schema-diff/constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_oidc_prompt_enm auth_oidc_prompt_enm_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_oidc_prompt_enm_pkey primary key (name);
diff --git a/.schema-diff/constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_pkey.sql b/.schema-diff/constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_pkey.sql
new file mode 100644
index 000000000..64de46a37
--- /dev/null
+++ b/.schema-diff/constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_oidc_prompt auth_oidc_prompt_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_oidc_prompt_pkey primary key (oidc_method_id, prompt);
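Review bot: The primary key (oidc_method_id, prompt) carries no position column, so the order prompts were supplied in is not preserved (the CLI output above shows `[consent select_account]` for an update that passed select_account then consent). Since the OIDC prompt parameter is a space-delimited set whose order carries no meaning this is acceptable, but the API docs for `prompts` should say the stored order may differ from the request.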

Foreign Key Constraints

diff --git a/.schema-diff/fk_constraints_b6df5693b53b6d3f3e12e6328b19199b756884cb/auth_oidc_method_fkey.sql b/.schema-diff/fk_constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_method_fkey.sql
index 978c3d5dc..89a20f6af 100644
--- a/.schema-diff/fk_constraints_b6df5693b53b6d3f3e12e6328b19199b756884cb/auth_oidc_method_fkey.sql
+++ b/.schema-diff/fk_constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_method_fkey.sql
@@ -12,3 +12,5 @@
     add constraint auth_oidc_method_fkey foreign key (oidc_method_id) references public.auth_oidc_method(public_id) on update cascade on delete cascade;
 -- name: auth_oidc_managed_group auth_oidc_method_fkey; type: fk constraint; schema: public; owner: -
     add constraint auth_oidc_method_fkey foreign key (auth_method_id) references public.auth_oidc_method(public_id) on update cascade on delete cascade;
+-- name: auth_oidc_prompt auth_oidc_method_fkey; type: fk constraint; schema: public; owner: -
+    add constraint auth_oidc_method_fkey foreign key (oidc_method_id) references public.auth_oidc_method(public_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm_fkey.sql b/.schema-diff/fk_constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm_fkey.sql
new file mode 100644
index 000000000..2af2b5a7d
--- /dev/null
+++ b/.schema-diff/fk_constraints_4dca1fbedefd52566a98102fe5dd9af3d16428a8/auth_oidc_prompt_enm_fkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_oidc_prompt auth_oidc_prompt_enm_fkey; type: fk constraint; schema: public; owner: -
+    add constraint auth_oidc_prompt_enm_fkey foreign key (prompt) references public.auth_oidc_prompt_enm(name) on update cascade on delete restrict;

@jimlambrt jimlambrt left a comment

Amazing work. ty!

@elimt elimt merged commit 8b8d282 into main Nov 21, 2023
58 checks passed
@elimt elimt deleted the llb-oidc-select-account branch November 21, 2023 16:30
@elimt elimt mentioned this pull request Nov 21, 2023
elimt added a commit that referenced this pull request Dec 5, 2023
Update changelog with OIDC Prompts feature

#4053