Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configurable JWT Issuer for the OIDC Discovery Provider #5657

Merged
merged 7 commits into from
Dec 3, 2024
Merged

Configurable JWT Issuer for the OIDC Discovery Provider #5657

merged 7 commits into from
Dec 3, 2024

Conversation

aluthra-37
Copy link
Contributor

@aluthra-37 aluthra-37 commented Nov 20, 2024
edited
Loading

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality
Added a config item to the OIDC provider (jwt_issuer). This config specifies the issuer for the OIDC provider configuration request. Previously, only the request host could be the issuer. This change allows users to define a different JWT issuer with a path.

Description of change

  • Updating OIDC provider config with new field (jwt_issuer)
  • Added validation for new config
  • Updated logic in handler to use newly created config in OIDC configuration response if config is defined.

Which issue this PR fixes
Fix for #5480

@aluthra-37
Adding support for configurable jwt issuer + test cases
c9e168e 
Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
@aluthra-37
Moving verifyhost check + adding more test cases
af2390d 
Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
@aluthra-37
Adding test case of jwt issuer with just a host
6fcbc11 
Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
@aluthra-37
Updating readme docs + fixing spacing
02afed5 
Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
@aluthra-37
Fixing spacing in readme table
9ea3cfc 
Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
rturner3
rturner3 reviewed Nov 22, 2024
View reviewed changes
Copy link
Collaborator

@rturner3 rturner3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty good overall to me, but I see some of the Windows OIDC Discovery Provider tests that were added in this PR are failing. @aluthra-37, would you mind fixing those up?

support/oidc-discovery-provider/handler.go Outdated Show resolved Hide resolved
@aluthra-37
fixing windows test cases + minor refactor
c3663a4 
Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
@kayhern kayhern force-pushed the configurable-jwt-issuer-oidc-discovery-provider branch from b468464 to c3663a4 Compare December 3, 2024 15:13
@amartinezfayo amartinezfayo added this to the 1.11.1 milestone Dec 3, 2024
@amartinezfayo amartinezfayo merged commit 40fb0df into spiffe:main Dec 3, 2024
34 checks passed
@amartinezfayo amartinezfayo mentioned this pull request Dec 5, 2024
Closed
@kfox1111
Copy link
Contributor

kfox1111 commented Dec 8, 2024
edited
Loading

This change has a bug....

When setting the issuer:

  "jwt_issuer": "https://oidc-discovery-provider.example.org",

The generated oidc config:

# curl https://oidc-discovery-provider.example.org:8181/.well-known/openid-configuration  -k
{
  "issuer": "https://oidc-discovery-provider.example.org",
  "jwks_uri": "https://oidc-discovery-provider.example.org/keys",
<SNIP>

Does not have the contacting port in the jwks_url, so it is invalid. The issuer override should only apply to issuer.

@kfox1111 kfox1111 mentioned this pull request Dec 8, 2024
Closed
@kfox1111
Copy link
Contributor

kfox1111 commented Dec 8, 2024
edited
Loading

It also now ignores the hostname contacted in favor of the hostname in jwt_issuer making the domains allowlist only work with the jwt_issuer as the entry. It allows any hostname in. This does not seem to be correct behavior.

I think we need to talk more about the indended use cases. For my use case, I only need issuer set to jwt_issuer and nothing more.

This was referenced Dec 10, 2024
Closed
Open
Open
@jer8me jer8me mentioned this pull request Dec 13, 2024
Open
@kfox1111 kfox1111 mentioned this pull request Dec 15, 2024
Open
graceajibade pushed a commit to graceajibade/spire that referenced this pull request Dec 17, 2024
@aluthra-37
Configurable JWT Issuer for the OIDC Discovery Provider (spiffe#5657)
fd4e602 
* Adding support for configurable jwt issuer + test cases

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>

* Moving verifyhost check + adding more test cases

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>

* Adding test case of jwt issuer with just a host

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>

* Updating readme docs + fixing spacing

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>

* Fixing spacing in readme table

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>

* fixing windows test cases + minor refactor

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>

---------

Signed-off-by: Luthra, Ayush <Ayush.Luthra@fmr.com>
Signed-off-by: gajibade <gajibade@bloomberg.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rturner3 rturner3 rturner3 approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

Assignees

@rturner3 rturner3

Labels
None yet
Projects
None yet
Milestone
1.11.1
Development

Successfully merging this pull request may close these issues.
4 participants
@aluthra-37 @kfox1111 @rturner3 @amartinezfayo