Merge remote-tracking branch 'origin' into passcode2clipboard

* origin: fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.5.0.RELEASE to 2.5.1.RELEASE (#1642) [Snyk] Upgrade com.unboundid.product.scim:scim-sdk from 1.8.24 to 1.8.25 (#1634) Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (#1639) Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (#1638) fix generateDocs PKCE support in IDP (OIDC) proxy authorization flow (#1606) fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (#1632) fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (#1633)
cloudfoundry · Aug 6, 2021 · 8ded040 · 8ded040
2 parents 67e9d46 + eeec3c4
commit 8ded040
Show file tree

Hide file tree

Showing 17 changed files with 219 additions and 64 deletions.
diff --git a/dependencies.gradle b/dependencies.gradle
@@ -109,7 +109,7 @@ libraries.tomcatEmbed = "org.apache.tomcat.embed:tomcat-embed-core"
 libraries.tomcatJasperEl = "org.apache.tomcat.embed:tomcat-embed-jasper"
 libraries.tomcatJdbc = "org.apache.tomcat:tomcat-jdbc"
 libraries.unboundIdLdapSdk = "com.unboundid:unboundid-ldapsdk"
-libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.24"
+libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.25"
 libraries.velocity = "org.apache.velocity:velocity-engine-core:2.2"
 libraries.zxing = "com.google.zxing:javase:3.4.0"
 libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt"

diff --git a/docs/okta-public-oidc-provider.md b/docs/okta-public-oidc-provider.md
@@ -0,0 +1,33 @@
+# Registering Okta as external, public OIDC provider in UAA
+
+Okta can be setup as an [OIDC provider](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/configure-idp-in-okta/) for UAA login.
+In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the
+external OIDC provider with a public client.
+
+1. Create an OIDC application and set it with [PKCE public](https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#use-pkce-to-make-your-apps-more-secure).
+   Register the "Redirect URIs" in the application section "OpenID Connect Configuration"
+
+   Add following URI in list field:
+   `http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/).
+
+2. Copy client id.
+
+3. Minimal OIDC configuration needs to be added in login.ym.
+   Read configuration refer to 'https://<your-tenant>.okta.com/.well-known/openid-configuration' for discoveryUrl and issuer
+
+        login:
+          oauth:
+            providers:
+              okta.public:
+                type: oidc1.0
+                discoveryUrl: https://trailaccount.okta.com/.well-known/openid-configuration
+                issuer: https://trailaccount.okta.com
+                scopes:
+                  - openid
+                linkText: Login with Okta-Public
+                showLinkText: true
+                relyingPartyId: 0iak4aiaC4HV39L6g123
+
+4. Ensure that the scope `openid` is included in the`scopes` property.
+
+5. Restart UAA. You will see `Login with Okta-Public` link on your login page.
diff --git a/docs/sap-public-oidc-provider.md b/docs/sap-public-oidc-provider.md
@@ -0,0 +1,36 @@
+# Registering SAP IAS as external, public OIDC provider in UAA
+
+SAP IAS can be setup as an [OIDC provider](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a789c9c8c0f5439da8c30b5d9e43bece.htm) for UAA login.
+In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the
+external OIDC provider with a public client.
+
+1. Create an OIDC application and set it with [type public](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a721157cd40544eb9bad40085cf8ec15.html).
+   Register the "Redirect URIs" in the application section "OpenID Connect Configuration"
+
+   Add following URI in list field:
+   `http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html).
+
+2. Copy client id.
+
+3. Minimal OIDC configuration needs to be added in login.ym.
+   Read configuration refer to '[https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c297516bae4547eb82eeed80fea2b937.html)' for discoveryUrl and issuer
+
+        login:
+          oauth:
+            providers:
+              ias.public:
+                type: oidc1.0
+                discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration
+                issuer: https://trailaccount.accounts.ondemand.com
+                scopes:
+                  - openid
+                  - email
+                  - profile
+                linkText: Login with IAS-Public
+                showLinkText: true
+                relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123
+
+4. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created
+   with all properties. 
+
+5. Restart UAA. You will see `Login with IAS-Public` link on your login page.
diff --git a/k8s/go.mod b/k8s/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.14.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.21.3
-	k8s.io/apimachinery v0.21.3
-	k8s.io/client-go v0.21.3
+	k8s.io/api v0.22.0
+	k8s.io/apimachinery v0.22.0
+	k8s.io/client-go v0.22.0
 )