Ofira jwt OIDC header1

[oburstein-hub]

Desired Outcome

Adding capability to do OIDC authentication when the ID Token is passed in header

Implemented Changes

The changes are done in controller and its helping classes relevant to OIDC
The changes are to handle requests that get ID Token in header instead of body of request
The request that comes without IDToken in body is trying to read Authorization token from header and
checks if it has a "Bearer " prefix. After it the prefix is cut-out and the token after it is passed as an ID Toke
to the existing validation mechanism

Connected Issue/Story

Resolves ONYX-23732

Definition of Done

OIDC authentication for UI is implemented and passed first testing

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• [ x] This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[rafis3]

@oburstein-hub thanks, please take a look at my comments.

Can you please elaborate more precisely in the description of the PR about the change? For example, the fallback mechanism between the body and header and the fact that we look for the Authorization: Bearer {token} structure specifically.

Also, it's missing the Jira issue it fixes and you also didn't update the checkboxes. Please fill those as well.

Lastly, please don't forget to organize the commits once all the other changes are in and it's ready

[rafis3]

Isn't the request and credentials overlapping? The credentials value is supposed to be taken from the body of the request, but then we send the entire request as another parameter, which contains the body as well.

[oburstein-hub]

This request parameter is generic (common) to all types of authenticators. If I will change it - I will damage all other authenticators. So - I think we should not touch it. WDYT ? @rafis3

[jvanderhoof]

@oburstein-hub, avoiding a cascading change feels like the right tradeoff. Mind adding a comment as to why we're adding the request object (so future engineers understand the decision)?

[aloncarmel111]

added comment

[rafis3]

Why does the test need this new content type? Doesn't that mean the API is broken from how it used to work?

[oburstein-hub]

fixed

[rafis3]

I think we are missing tests where the id_token key is not present in the body at all, that the body is totally empty

[oburstein-hub]

added

[jvanderhoof]

Doesn't the Bearer value come through as a Base64 encoded JWT?

[jvanderhoof]

Just saw the comment below. Maybe one of these is Base64 encoded to ensure the typical flow is tested?

[aloncarmel111]

The token is base64 encoded, we implemented same test as the id_token present in the body, will create integration test for Conjur cloud UI in different story

[jvanderhoof]

Please add at least a unit test here as well. I'm not comfortable adding functionality without tests to back it up. The Core team will be on the line for supporting this work.

[aloncarmel111]

added integration test

[jvanderhoof]

Thanks!

[rafis3]

In general, I see that the given token is expected to be in cleartext and not in base64. Will that work for our new flow we need to support?

[oburstein-hub]

yes - they both work - I have checked

[rafis3]

This test also puts the token in the body. The name above implies that it will check the token from the header but that won't be the case. Am I right?

[oburstein-hub]

We will check token from header. it is missing in bode in this case

[rafis3]

This context has the exact name as above. Can you update it to describe its true purpose?

[oburstein-hub]

deleted it

[rafis3]

Also in body, not just in header. Can you please update the description to be more accurate?

[oburstein-hub]

done

[rafis3]

Same as above, can you please update this description also with the state of the body of this test?

[oburstein-hub]

done

[rafis3]

Can you also add a test that checks that the Authorization header exists, with a value of Bearer but nothing after it?
Another test that I would add, is that there is an Authorization header, and the first word is not Bearer, while the second word is a valid token (should fail)

[oburstein-hub]

done

[jvanderhoof]

The mocked_decode_and_verify_id_token mock accepts and parses JSON: https://github.com/cyberark/conjur/blob/master/spec/app/domain/authentication/authn-oidc/update_input_with_username_from_id_token_spec.rb#L18.

It looks like this will fail if we pass Base64 encoded JSON. When the bearer token is passed in the body, is it passed as JSON?

[aloncarmel111]

yes, we implemented same test as the id_token in the body.

[jvanderhoof]

The @ denotes an instance variable, which means it's available outside the method. Unless we need @id_token outside this method, please use the local variable id_token.

[aloncarmel111]

fixed

[jvanderhoof]

Prior to this change, this method was a memoization method (the instance variable @decoded_credentials stored the value during the life of the class). If you'd like to maintain the memoization, this method can be rewritten like:

def decoded_credentials
  @decoded_credentials ||= begin
    credential_token = Hash[URI.decode_www_form(credentials)]
    if credential_token.fetch('id_token', "").empty?
      Hash[URI.decode_www_form("id_token=#{authorization_header_token(request.headers)}")]
    else
      credential_token
    end
  end
end

[aloncarmel111]

fixed

[codeclimate]

Lists should be surrounded by blank lines

[micahlee]

Hi @aloncarmel111 , most of this looks good, thanks! I had one suggestion for trying to make the logic a little easier to read/follower. Let me know what you think!

[micahlee]

Thanks @aloncarmel111 , the only blocker I have left is to squash the PR review commits into the one Support authorization token in header for OIDC authentication commit before approving.

It looks like there are still unresolved discussions around base64 encoding the header in the tests with Jason and Rafi. So you can wait to do that squash until that is resolved, and then ping me for approval. Thanks!

[codeclimate]

Complex method Authentication::AuthnOidc#token_from_header (21.3)

[jvanderhoof]

I like the move to break up these methods to better cover edge cases. I'd suggest passing the header in as an argument:

Suggested change

	def token_from_header
	def token_from_header(header)

Passing the header into the method will greatly simplify writing tests (which it looks like need to be written).

[micahlee]

@jvanderhoof

I'd suggest passing the header in as an argument:

These are internal private methods, so we wouldn't expect them to have unit tests for themselves. Rather, request is the input that would need to be manipulated for the public interface of UpdateInputWithUsernameFromIdToken. Adding parameters to these methods means we're passing internal class state between internal class methods. No?

If we want to unit tests these separately, that should be factored out and injected as dependencies here instead. I don't know that that's warranted in this case, but I don't think we should add parameters to them as class methods now.

[jvanderhoof]

Thanks @micahlee. I'm ok moving forward with what we have here.

[jvanderhoof]

Same suggestion as above, maybe move to something like:

token_from_body(Hash[URI.decode_www_form(credentials)]

def token_from_body(credential_token)
  # Return the parsed body if it include the token
  credential_token unless credential_token.fetch('id_token', "").empty?
end

The above change makes the method stateless and should simplify testing the happy and sad paths.

fixed all comments

[jvanderhoof]

Can you please use a valid JWT token for the ID token as one would expect for a JWT bearer token? It'll make me feel better to have one test with a base64 encoded value.

If this endpoint takes a JSON object, it's not really following the spirit of using JWT tokens in the header for authorization.

[jvanderhoof]

Never mind. I just found the JWT generation here:

conjur/cucumber/authenticators_oidc/features/support/authn_oidc_helper.rb

Line 100 in 0d12713

@oidc_id_token = (JSON.parse(@response_body))["id_token"]

[jvanderhoof]

Great work. Please rebase and cleanup commit history (ideally a single commit).

[codeclimate]

Code Climate has analyzed commit ff46ce5 and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Style	1
Complexity	1

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 90.0% (-1.5% change).

View more on Code Climate.

[oburstein-hub]

Looks good

[szh]

I know this was merged already but there are some unfixed codeclimate issues. Can you please open a new PR to fix that?
@aloncarmel111 @oburstein-hub

[aloncarmel111]

@szh they are false positive