Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce ProviderVerifier to clean up OIDC discovery code #1559

Merged
merged 8 commits into from
Feb 19, 2022

Conversation

JoelSpeed
Copy link
Member

@JoelSpeed JoelSpeed commented Feb 16, 2022

Description

Further to the changes in #1555 this cleans up the OIDC discovery and verifier code into a package so that we are no longer depending on the OIDC discovery from go-oidc

Motivation and Context

This should makes things a lot cleaner in terms of separation of concerns and also, as everything here is now behind interfaces, should allow us to start testing using fake implementations of the interface for providers, which should make things a little easier when unit testing.

How Has This Been Tested?

New Unit tests and old Unit tests still pass

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.

@JoelSpeed JoelSpeed requested a review from a team as a code owner February 16, 2022 15:41
@JoelSpeed JoelSpeed force-pushed the refactor-oidc-verifier branch 2 times, most recently from 5776779 to 7da9e06 Compare February 17, 2022 17:11
// We implement this here as opposed to using oidc.Provider so that we can override the Issuer verification check.
// As we have our own verifier and fetch the userinfo separately, the rest of the oidc.Provider implementation is not
// useful to us.
func NewProvider(ctx context.Context, issuerURL string, skipIssuerVerification bool) (EndpointProvider, error) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Starting with PKCE, there is more information which we may want to pull out of this than just Endpoints. For instance in RFC-8414 implemented by Google, Dex, and Auth0 (to name a few), there is now the code challenge methods that are supported in the payload.

It would be great to see a way to pull additional claims out of this response. We currently were able to do that in providers by using the oidcProvider.Claims(struct) to map extra claims to a struct.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! Perhaps instead of this being an EndpointsProvider interface it should be a DiscoveryProvider and then we can extend the interface to include a new PKCE method to retrieve the PKCE information, WDYT?

Copy link
Collaborator

@braunsonm braunsonm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm marking this as request changes because the change being made here will make it not possible to pull code_challenge_methods_supported from the discovery document anymore unless they are in an Endpoint struct, which they don't really fit in.

@JoelSpeed JoelSpeed force-pushed the refactor-oidc-verifier branch from 7da9e06 to dd7b0d5 Compare February 18, 2022 15:14
@JoelSpeed
Copy link
Member Author

@braunsonm If you could take a look at the new changes, I think this should now cater for the PKCE stuff you're working on

braunsonm
braunsonm previously approved these changes Feb 19, 2022
Copy link
Collaborator

@braunsonm braunsonm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@JoelSpeed
Copy link
Member Author

Rebased to resolve changelog conflict, no other changes so will merge based on previous approval

@JoelSpeed JoelSpeed merged commit b547fe0 into master Feb 19, 2022
@JoelSpeed JoelSpeed deleted the refactor-oidc-verifier branch February 19, 2022 15:43
enj added a commit to enj/oauth2-proxy that referenced this pull request Feb 26, 2022
This change restores the implicit behavior of
github.com/coreos/go-oidc/v3/oidc.Provider.Verifier(...) which
automatically trusts all algorithms supported by the issuer.

Also drops use of github.com/dgrijalva/jwt-go

Both of these regressions were caused by oauth2-proxy#1559

Signed-off-by: Monis Khan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants