
feat(oidc): OIDC Prompt #4054

Merged
merged 1 commit into from
Nov 21, 2023

Conversation

elimt
Member

@elimt elimt commented Nov 21, 2023

Cherrypick changes from #4053 to 0.14.x

Changes

Boundary OIDC method does not currently support passing in prompts during authentication. This change adds the capability of passing OIDC prompts. Prompts are optional OIDC parameters that determine the behaviour of the authentication server: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

### API

1. Create OIDC auth method with `select_account` prompt

```shell
# The Authorization header is double-quoted so $TOKEN expands; $CLIENT_ID and
# $CLIENT_SECRET inside the single-quoted JSON body are placeholders to substitute.
curl --location 'http://127.0.0.1:9200/v1/auth-methods' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $TOKEN" \
--data '{
    "type": "oidc",
    "name": "OIDC Name",
    "description": "OIDC Description",
    "scope_id": "global",
    "attributes": {
        "issuer": "https://sts.windows.net/TENANT_ID/",
        "client_id": "$CLIENT_ID",
        "client_secret": "$CLIENT_SECRET",
        "api_url_prefix": "http://localhost:9200",
        "disable_discovered_config_validation": false,
        "dry_run": false,
        "signing_algorithms": ["RS256"],
        "prompts": ["select_account"]
    }
}'
```

2. Update OIDC auth method with multiple prompts

```shell
curl --location --request PATCH 'http://127.0.0.1:9200/v1/auth-methods/{id}' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $TOKEN" \
--data '{
    "version": 1,
    "attributes": {
        "prompts": ["select_account", "consent"]
    }
}'
```

### CLI

1. Create OIDC auth method with `select_account` prompt

```shell
boundary auth-methods create oidc \
  -issuer "https://sts.windows.net/TENANT_ID/" \
  -client-id "$CLIENT_ID" \
  -client-secret "$CLIENT_SECRET" \
  -signing-algorithm RS256 \
  -api-url-prefix "$API_URL_PREFIX" \
  -name "azure" \
  -prompts "select_account"
```

Output:

```text
Auth Method information:
  Created Time:         Thu, 16 Nov 2023 16:35:09 EST
  ID:                   amoidc_CFZkkKFTct
  Name:                 azure
  Type:                 oidc
  Updated Time:         Thu, 16 Nov 2023 16:35:09 EST
  Version:              1

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list
    managed-groups:
      create
      list

  Attributes:
    api_url_prefix:     http://localhost:9200
    callback_url:       http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          <CLIENT_ID>
    client_secret_hmac: <HMAC>
    issuer:             https://sts.windows.net/TENANT_ID/
    prompts:            [select_account]
    signing_algorithms: [RS256]
    state:              inactive
```

2. Update OIDC auth method with multiple prompts

```shell
boundary auth-methods update oidc -id amoidc_CFZkkKFTct -prompts 'select_account' -prompts 'consent'
```

Output:

```text
Auth Method information:
  Created Time:           Thu, 16 Nov 2023 16:35:09 EST
  ID:                     amoidc_CFZkkKFTct
  Is Primary For Scope:   true
  Name:                   azure
  Type:                   oidc
  Updated Time:           Thu, 16 Nov 2023 16:37:52 EST
  Version:                3

  Scope:
    ID:                   global
    Name:                 global
    Type:                 global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list
    managed-groups:
      create
      list

  Attributes:
    api_url_prefix:       http://localhost:9200
    callback_url:         http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:            <CLIENT_ID>
    client_secret_hmac:   <HMAC>
    issuer:               https://sts.windows.net/TENANT_ID/
    prompts:              [consent select_account]
    signing_algorithms:   [RS256]
    state:                active-public
```


## Changes

- New `auth_oidc_prompt` table which contains all the prompts for OIDC auth method
- New `auth_oidc_prompt_enm` table which contains possible enum values for a prompt
  - Currently supported:
    - `none`: The Authorization Server MUST NOT display any authentication or consent user interface pages
    - `login`: The Authorization Server SHOULD prompt the End-User for reauthentication
    - `consent`: The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client
    - `select_account`: The Authorization Server SHOULD prompt the End-User to select a user account
- `oidc_auth_method_with_value_obj` view has been updated to return `prompt` value
- Add `prompt` option for OIDC auth method CLI create and update
- Pass configured prompt during OIDC authentication
- Add `prompt` API validation for create and update
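The validation and request-building behaviour the description outlines, as an added Go example (not Boundary's own code): it mirrors the `auth_oidc_prompt_enm` check constraint and the per-method primary key, adds the OIDC Core rule that `none` must not be combined with other values (a spec rule the schema alone does not enforce), and renders the stored set as the space-delimited `prompt` parameter. Function names and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Allowed values, mirroring the auth_oidc_prompt_enm check constraint.
var allowedPrompts = map[string]bool{"none": true, "login": true, "consent": true, "select_account": true}

// ValidatePrompts applies the rules a create/update request should meet: every value
// is in the enum, none repeats (the auth_oidc_prompt primary key is (oidc_method_id,
// prompt)), and "none" is not combined with another value (OIDC Core 3.1.2.1).
func ValidatePrompts(prompts []string) error {
	seen := make(map[string]bool, len(prompts))
	for _, p := range prompts {
		switch {
		case !allowedPrompts[p]:
			return fmt.Errorf("unsupported prompt %q", p)
		case seen[p]:
			return fmt.Errorf("duplicate prompt %q", p)
		}
		seen[p] = true
	}
	if seen["none"] && len(seen) > 1 {
		return fmt.Errorf(`prompt "none" cannot be combined with other prompts`)
	}
	return nil
}

// PromptParam renders the stored set (unordered, as the CLI output shows) as the
// sorted, space-delimited value of the authorization request's prompt parameter.
func PromptParam(prompts []string) string {
	out := append([]string(nil), prompts...)
	sort.Strings(out)
	return strings.Join(out, " ")
}

// AddPromptParam validates the configured prompts and, when any are set, adds the
// prompt parameter to the authorization request query (hypothetical helper name).
func AddPromptParam(q url.Values, prompts []string) error {
	if err := ValidatePrompts(prompts); err != nil {
		return err
	}
	if len(prompts) > 0 {
		q.Set("prompt", PromptParam(prompts))
	}
	return nil
}

func main() {
	q := url.Values{"client_id": {"CLIENT_ID"}} // constructed sample request values
	err := AddPromptParam(q, []string{"select_account", "consent"})
	fmt.Println(q.Encode(), err)
}
```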

Database schema diff between release/0.14.x and elimt-cherrypick-oidc-prompt @ 06b7a94

To understand how these diffs are generated and some limitations see the
documentation of the script.

Functions

Unchanged

Tables

diff --git a/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt.sql b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt.sql
new file mode 100644
index 000000000..a888e2cc6
--- /dev/null
+++ b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt.sql
@@ -0,0 +1,44 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_oidc_prompt; type: table; schema: public; owner: -
+--
+
+create table public.auth_oidc_prompt (
+    create_time public.wt_timestamp,
+    oidc_method_id public.wt_public_id not null,
+    prompt text not null
+);
+
+
+--
+-- name: table auth_oidc_prompt; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_oidc_prompt is 'auth_oidc_prompt entries are the prompts allowed for an oidc auth method.';
+
+
+--
+-- postgresql database dump complete
+--
+
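Review bot: `create_time` in `create table public.auth_oidc_prompt` is declared as `public.wt_timestamp` with no `not null`, unlike the other two columns; the `default_create_time_column` trigger fills it on insert, but adding `not null` would make the intent explicit and reject a row that somehow bypasses the trigger.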
diff --git a/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm.sql b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm.sql
new file mode 100644
index 000000000..d76f67889
--- /dev/null
+++ b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm.sql
@@ -0,0 +1,36 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_oidc_prompt_enm; type: table; schema: public; owner: -
+--
+
+create table public.auth_oidc_prompt_enm (
+    name text not null,
+    constraint only_predefined_auth_oidc_prompts_allowed check ((name = any (array['none'::text, 'login'::text, 'consent'::text, 'select_account'::text])))
+);
+
+
+--
+-- postgresql database dump complete
+--
+
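Review bot: the check constraint admits `none` alongside `login`, `consent` and `select_account`, and because `auth_oidc_prompt` stores one row per prompt nothing in the schema stops a method from holding `none` together with another value. The "Add `prompt` API validation" item in the description should cover that case, since the linked spec treats `none` as exclusive.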
diff --git a/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/public auth_oidc_prompt.sql b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/public auth_oidc_prompt.sql
new file mode 100644
index 000000000..983a687da
--- /dev/null
+++ b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/public auth_oidc_prompt.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
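Review bot: this file is an empty pg_dump preamble with a space in its name (`public auth_oidc_prompt.sql`) and defines no object, so it looks like the schema-diff script splitting a qualified name such as `public.auth_oidc_prompt` on the wrong character rather than a real new table; it should be dropped from the diff (or the script fixed) so reviewers are not shown two phantom files.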
diff --git a/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/public auth_oidc_prompt_enm.sql b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/public auth_oidc_prompt_enm.sql
new file mode 100644
index 000000000..983a687da
--- /dev/null
+++ b/.schema-diff/tables_cf40a16eee8503ab811b8fe21385ae84d2ff880a/public auth_oidc_prompt_enm.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
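Review bot: same issue as the previous file: `public auth_oidc_prompt_enm.sql` shares blob index `983a687da` with `public auth_oidc_prompt.sql`, i.e. both are the identical empty preamble, which confirms they are artifacts of the diff tooling rather than schema changes.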

Views

diff --git a/.schema-diff/views_b8ee08489d0477591827c31a754680812eb0d065/oidc_auth_method_with_value_obj.sql b/.schema-diff/views_cf40a16eee8503ab811b8fe21385ae84d2ff880a/oidc_auth_method_with_value_obj.sql
index 34ff1f0c8..a85cdadfa 100644
--- a/.schema-diff/views_b8ee08489d0477591827c31a754680812eb0d065/oidc_auth_method_with_value_obj.sql
+++ b/.schema-diff/views_cf40a16eee8503ab811b8fe21385ae84d2ff880a/oidc_auth_method_with_value_obj.sql
@@ -43,6 +43,7 @@ select
     null::text as auds,
     null::bytea as certs,
     null::text as claims_scopes,
+    null::text as prompts,
     null::text as account_claim_maps;
 
 
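Review bot: only the null-typed arm of the view gains a `prompts` column here (`null::text as prompts`); no hunk in this file aggregates rows from `auth_oidc_prompt` into the populated arm as a `|`-delimited string the way the comment describes for algs, auds, certs and scopes. If prompts are loaded by a separate query in Go, say so in the description; otherwise this column will always read as null.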
@@ -50,7 +51,7 @@ select
 -- name: view oidc_auth_method_with_value_obj; type: comment; schema: public; owner: -
 --
 
-comment on view public.oidc_auth_method_with_value_obj is 'oidc auth method with its associated value objects (algs, auds, certs, scopes) as columns with | delimited values';
+comment on view public.oidc_auth_method_with_value_obj is 'oidc auth method with its associated value objects (algs, auds, certs, scopes, prompts) as columns with | delimited values';
 
 
 --

Triggers

diff --git a/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt default_create_time_column.sql b/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt default_create_time_column.sql
new file mode 100644
index 000000000..b12e11932
--- /dev/null
+++ b/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_oidc_prompt default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.auth_oidc_prompt for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt immutable_columns.sql b/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt immutable_columns.sql
new file mode 100644
index 000000000..f3a094bd3
--- /dev/null
+++ b/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_oidc_prompt immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_oidc_prompt for each row execute function public.immutable_columns('create_time', 'oidc_method_id', 'prompt');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm immutable_columns.sql b/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm immutable_columns.sql
new file mode 100644
index 000000000..4014ef273
--- /dev/null
+++ b/.schema-diff/triggers_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.13
+-- dumped by pg_dump version 14.10 (ubuntu 14.10-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_oidc_prompt_enm immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_oidc_prompt_enm for each row execute function public.immutable_columns('name');
+
+
+--
+-- postgresql database dump complete
+--
+

Indexes

Unchanged

Constraints

diff --git a/.schema-diff/constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm_pkey.sql b/.schema-diff/constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm_pkey.sql
new file mode 100644
index 000000000..2f1b73caa
--- /dev/null
+++ b/.schema-diff/constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_oidc_prompt_enm auth_oidc_prompt_enm_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_oidc_prompt_enm_pkey primary key (name);
diff --git a/.schema-diff/constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_pkey.sql b/.schema-diff/constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_pkey.sql
new file mode 100644
index 000000000..64de46a37
--- /dev/null
+++ b/.schema-diff/constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_oidc_prompt auth_oidc_prompt_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_oidc_prompt_pkey primary key (oidc_method_id, prompt);
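Review bot: the composite key `(oidc_method_id, prompt)` rejects a duplicate prompt per method and stores prompts as an unordered set; the CLI output above returns `[consent select_account]` for the input `select_account`, `consent`, so the user-facing docs for `-prompts` should state that order is not preserved (harmless for the OIDC parameter, but surprising on read-back).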

Foreign Key Constraints

diff --git a/.schema-diff/fk_constraints_b8ee08489d0477591827c31a754680812eb0d065/auth_oidc_method_fkey.sql b/.schema-diff/fk_constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_method_fkey.sql
index 978c3d5dc..89a20f6af 100644
--- a/.schema-diff/fk_constraints_b8ee08489d0477591827c31a754680812eb0d065/auth_oidc_method_fkey.sql
+++ b/.schema-diff/fk_constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_method_fkey.sql
@@ -12,3 +12,5 @@
     add constraint auth_oidc_method_fkey foreign key (oidc_method_id) references public.auth_oidc_method(public_id) on update cascade on delete cascade;
 -- name: auth_oidc_managed_group auth_oidc_method_fkey; type: fk constraint; schema: public; owner: -
     add constraint auth_oidc_method_fkey foreign key (auth_method_id) references public.auth_oidc_method(public_id) on update cascade on delete cascade;
+-- name: auth_oidc_prompt auth_oidc_method_fkey; type: fk constraint; schema: public; owner: -
+    add constraint auth_oidc_method_fkey foreign key (oidc_method_id) references public.auth_oidc_method(public_id) on update cascade on delete cascade;
diff --git a/.schema-diff/fk_constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm_fkey.sql b/.schema-diff/fk_constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm_fkey.sql
new file mode 100644
index 000000000..2af2b5a7d
--- /dev/null
+++ b/.schema-diff/fk_constraints_cf40a16eee8503ab811b8fe21385ae84d2ff880a/auth_oidc_prompt_enm_fkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_oidc_prompt auth_oidc_prompt_enm_fkey; type: fk constraint; schema: public; owner: -
+    add constraint auth_oidc_prompt_enm_fkey foreign key (prompt) references public.auth_oidc_prompt_enm(name) on update cascade on delete restrict;
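Review bot: `on delete restrict` on the `auth_oidc_prompt_enm(name)` reference is the right choice, but it means a future migration that removes a value from the enum table must first delete the `auth_oidc_prompt` rows using it; worth a comment in the migration so the next person does not hit the constraint error.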

@elimt elimt merged commit 2cd2d4e into release/0.14.x Nov 21, 2023
50 checks passed
@elimt elimt deleted the elimt-cherrypick-oidc-prompt branch November 21, 2023 17:30