feat(server/auth): validate flipt_client_token cookie in middleware #1139
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1139 +/- ##
==========================================
+ Coverage 79.87% 80.15% +0.27%
==========================================
Files 38 38
Lines 2758 2796 +38
==========================================
+ Hits 2203 2241 +38
Misses 451 451
Partials 104 104
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
| // which skips authentication when the provided server instance matches the intercepted | ||
| // calls parent server instance. | ||
| // This allows the caller to registers servers which explicitly skip authentication (e.g. OIDC). | ||
| func WithServerSkipsAuthentication(server any) containers.Option[InterceptorOptions] { |
There was a problem hiding this comment.
is there anyway to identify a server by name instead of doing pointer comparison (when checking for if it's in the o.skippedServers[])?
There was a problem hiding this comment.
I think there might be. We could do a comparison on the string of the full method: https://pkg.go.dev/google.golang.org/grpc#UnaryServerInfo
However, I felt this was relatively more concrete. Since it is direct pointer comparison with the instance we want to skip auth on. We compare with the method name and then someone renames a package or type, and it moves under us.
While this does use any you still have to pass it something and if that something gets renamed it won't compile until you correct it.
Supports #779
Fixes FLI-50
This adds support for passing a Flipt client token via the
flipt_client_tokenkey in theCookieheader.This is necessary to support browser/cookie-based sessions.
The middleware now checks for the presence of either header key
AuthorizationorCookie.Depending on which key is present, it parses them appropriately.
One additional change is optional support for skipping auth.
This is done by passing the pointer of the server instance to
WithServerSkipsAuthentication(server).The OIDC server implementation itself requires open access. Since it provides delegated authentication via an Authentication Server.
The authorize URL action simply returns a string which points to the delegated authenticator.
The callback URL must be provided with a valid and verifiable
codefor auth to be granted.