identity/oidc: optional nonce parameter for authorize request #13231

Merged
merged 3 commits, Nov 22, 2021
Updates documentation
austingebauer committed Nov 19, 2021
commit 84e50b99be252f2f68b458a38af7b8f6bb0a4382
10 changes: 5 additions & 5 deletions website/content/api-docs/secret/identity/oidc-provider.mdx
@@ -37,7 +37,7 @@ This endpoint creates or updates a Provider.
### Sample Request

```shell-session
$ curl \
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
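Review bot: the removed and added lines of this hunk both read `$ curl \`, so the rendering shows no visible difference, and the same holds for the hunks at lines 154, 281 and 402 of this file. If the edit is indentation or trailing-whitespace only, say so in the commit message ("Updates documentation" does not cover it) so reviewers need not diff the raw bytes; if it was meant to change the request itself, the changed text is missing from the hunk.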
@@ -154,7 +154,7 @@ This endpoint creates or updates a scope.
### Sample Request

```shell-session
$ curl \
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
@@ -281,7 +281,7 @@ This endpoint creates or updates a client.
### Sample Request

```shell-session
$ curl \
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
@@ -402,7 +402,7 @@ This endpoint creates or updates an assignment.
### Sample Request

```shell-session
$ curl \
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
@@ -620,7 +620,7 @@ to be used for the [Authorization Code Flow](https://openid.net/specs/openid-con

- `state` `(string: <required>)` - A value used to maintain state between the authentication request and client.

- `nonce` `(string: <required>)` - A value that is returned in the ID token nonce claim. It is used to mitigate replay attacks.
- `nonce` `(string: <optional>)` - A value that is returned in the ID token nonce claim. It is used to mitigate replay attacks, so we *strongly encourage* providing this optional parameter.

### Sample Request

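Review bot: with `nonce` now optional, the parameter description should also say what a client that does send one must do with it: check that the `nonce` claim in the returned ID token equals the value it sent, since the replay mitigation this sentence mentions only works when the relying party verifies the echo. A short clause after "mitigate replay attacks" would do, e.g. "clients that send a nonce must verify it against the ID token's `nonce` claim". It is also worth stating whether the ID token carries no `nonce` claim at all when the parameter is omitted, so integrators know what to expect from their token validation.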
4 changes: 2 additions & 2 deletions website/content/docs/concepts/oidc-provider.mdx
@@ -137,11 +137,11 @@ Each provider offers an unauthenticated endpoint that provides the public portio

### Authorization Endpoint

Each provider offers an authenticated [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). The authorization endpoint for each provider is added to Vault's [default policy](/docs/concepts/policies#default-policy) using the `identity/oidc/provider/+/authorize` path. The endpoint incorporates all required [authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) parameters as input. Additionally, the `state` and `nonce` parameters are required.
Each provider offers an authenticated [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint). The authorization endpoint for each provider is added to Vault's [default policy](/docs/concepts/policies#default-policy) using the `identity/oidc/provider/+/authorize` path. The endpoint incorporates all required [authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) parameters as input. Additionally, the `state` parameter is required.

The endpoint [validates](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation) client requests and ensures that all required parameters are present and valid. The `redirect_uri` of the request is validated against the client's `redirect_uris`. The requesting Vault entity will be validated against the client's `assignments`. An appropriate [error code](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) is returned for invalid requests.

An authorization code is generated with a successful validation of the request. The authorization code is single-use and cached with a lifetime of approximately 5 minutes, which mitigates the risk of leaks. A response including the original `state` presented by the client and `code` will be returned to the Vault UI which initiated the request. Vault will issue an HTTP 302 redirect to the `redirect_uri` of the request, which includes the `code`, `state`, and `nonce` as query parameters.
An authorization code is generated with a successful validation of the request. The authorization code is single-use and cached with a lifetime of approximately 5 minutes, which mitigates the risk of leaks. A response including the original `state` presented by the client and `code` will be returned to the Vault UI which initiated the request. Vault will issue an HTTP 302 redirect to the `redirect_uri` of the request, which includes the `code` and `state` as query parameters.

### Token Endpoint

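Review bot: this hunk drops `nonce` from the concepts page entirely, while the api-docs hunk in the same commit keeps it as an optional, strongly encouraged parameter; a reader of the concepts page is left with no hint that `nonce` is accepted. Suggest ending the first changed paragraph with "Additionally, the `state` parameter is required and `nonce` is optional but strongly encouraged." Removing `nonce` from the redirect's query parameters in the second changed paragraph is the right call: per the api-docs text in this commit the value is returned in the ID token's `nonce` claim, not on the `redirect_uri` redirect.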
5 changes: 3 additions & 2 deletions website/content/docs/secrets/identity/oidc-provider.mdx
@@ -16,9 +16,10 @@ identity. Clients can configure their authentication logic to talk to Vault.
Once enabled, Vault will act as the bridge to identity providers via its
existing authentication methods. Clients will also obtain identity information
for their end-users by leveraging custom templating of Vault identity
information.
information. For more information on the configuration resources and OIDC endpoints,
please visit the [OIDC provider](/docs/concepts/oidc-provider) concepts page.

The Vault OIDC provider feature currently only supports the
The Vault OIDC provider feature currently only supports the
[authorization code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth).

## OIDC Provider Configuration
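Review bot: the removed and added `The Vault OIDC provider feature currently only supports the` lines are identical in this rendering, so, as with the api-docs hunks, the change is presumably whitespace only; worth confirming it was not an accidental edit. Style point on the added sentence: "For more information on the configuration resources and OIDC endpoints, please visit the ... concepts page" reads tighter as "See the [OIDC provider](/docs/concepts/oidc-provider) concepts page for the configuration resources and OIDC endpoints."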