Support for oidc providers where cors is not enabled for jwksUri (#270)

gardener · Jan 11, 2019 · 5f9b75d · 5f9b75d
1 parent 8a2e450
commit 5f9b75d
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 3 deletions.
diff --git a/backend/lib/api.js b/backend/lib/api.js
@@ -25,7 +25,7 @@ const logger = require('./logger')
 const routes = require('./routes')
 const io = require('./io')
 
-const { jwt, attachAuthorization, frontendConfig, notFound, sendError } = require('./middleware')
+const { jwt, attachAuthorization, frontendConfig, jsonWebKeySet, notFound, sendError } = require('./middleware')
 
 // configure router
 const router = express.Router()
@@ -46,5 +46,6 @@ router.use(sendError)
 module.exports = {
   router,
   io,
-  frontendConfig
+  frontendConfig,
+  jsonWebKeySet
 }
diff --git a/backend/lib/app.js b/backend/lib/app.js
@@ -72,6 +72,10 @@ app.use(helmet.hsts())
 app.use('/api', api.router)
 app.use('/webhook', githubWebhook.router)
 app.get('/config.json', api.frontendConfig)
+// if CORS is not supported by oidc provider proxy jwks
+if (_.get(config, 'frontend.oidc.metdata.jwks_uri') === '/keys') {
+  app.get('/keys', api.jsonWebKeySet)
+}
 
 if (_.has(config, 'prometheus.secret')) {
   app.get('/metrics',

diff --git a/backend/lib/middleware.js b/backend/lib/middleware.js
@@ -46,6 +46,16 @@ async function frontendConfig (req, res, next) {
   res.json(frontendConfig)
 }
 
+async function jsonWebKeySet (req, res, next) {
+  try {
+    const { jwksUri, ca, rejectUnauthorized = true } = config.jwks || {}
+    const response = await got(jwksUri, { json: true, ca, rejectUnauthorized })
+    res.json(response.body)
+  } catch (err) {
+    next(err)
+  }
+}
+
 function attachAuthorization (req, res, next) {
   const [scheme, bearer] = req.headers.authorization.split(' ')
   if (!/bearer/i.test(scheme)) {
@@ -192,6 +202,7 @@ module.exports = {
   jwtSecret,
   attachAuthorization,
   frontendConfig,
+  jsonWebKeySet,
   historyFallback,
   notFound,
   sendError,

diff --git a/charts/gardener-dashboard/templates/configmap.yaml b/charts/gardener-dashboard/templates/configmap.yaml
@@ -80,6 +80,14 @@ data:
 {{- else }}
         loadUserInfo: false
 {{- end }}
+{{- if .Values.oidc.metadata }}
+        metadata:
+{{ toYaml .Values.oidc.metadata | indent 10 }}
+{{- end }}
+{{- if .Values.oidc.signingKeys }}
+        signingKeys:
+{{ toYaml .Values.oidc.signingKeys | indent 8 }}
+{{- end }}
 {{- if .Values.frontendConfig.gitHubRepoUrl }}
       gitHubRepoUrl: {{ .Values.frontendConfig.gitHubRepoUrl }}
 {{- end }}

diff --git a/frontend/package.json b/frontend/package.json
@@ -35,7 +35,7 @@
     "marked": "^0.5.1",
     "md5": "^2.2.1",
     "moment-timezone": "^0.5.21",
-    "oidc-client": "^1.5.2",
+    "oidc-client": "^1.5.4",
     "semver": "^5.5.1",
     "semver-sort": "0.0.4",
     "socket.io-client": "^2.2.0",

diff --git a/frontend/vue.config.js b/frontend/vue.config.js
@@ -18,6 +18,9 @@ module.exports = {
       },
       '/config.json': {
         target: 'http://localhost:3030'
+      },
+      '/keys': {
+        target: 'http://localhost:3030'
       }
     }
   }