From 5f9b75d432f11f682629712347fe3a7e54bda9cb Mon Sep 17 00:00:00 2001
From: Holger Koser
Date: Fri, 11 Jan 2019 15:33:31 +0100
Subject: [PATCH] Support for oidc providers where cors is not enabled for jwksUri (#270)
---
 backend/lib/api.js | 5 +++--
 backend/lib/app.js | 4 ++++
 backend/lib/middleware.js | 11 +++++++++++
 charts/gardener-dashboard/templates/configmap.yaml | 8 ++++++++
 frontend/package.json | 2 +-
 frontend/vue.config.js | 3 +++
 6 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/backend/lib/api.js b/backend/lib/api.js
index 23e984b7ff..7d4a8ce4ce 100644
--- a/backend/lib/api.js
+++ b/backend/lib/api.js
@@ -25,7 +25,7 @@ const logger = require('./logger')
 const routes = require('./routes')
 const io = require('./io')
-const { jwt, attachAuthorization, frontendConfig, notFound, sendError } = require('./middleware')
+const { jwt, attachAuthorization, frontendConfig, jsonWebKeySet, notFound, sendError } = require('./middleware')
 // configure router
 const router = express.Router()
@@ -46,5 +46,6 @@ router.use(sendError)
 module.exports = {
 router,
 io,
- frontendConfig
+ frontendConfig,
+ jsonWebKeySet
 }
diff --git a/backend/lib/app.js b/backend/lib/app.js
index bafa258c0a..0121954fc9 100644
--- a/backend/lib/app.js
+++ b/backend/lib/app.js
@@ -72,6 +72,10 @@ app.use(helmet.hsts())
 app.use('/api', api.router)
 app.use('/webhook', githubWebhook.router)
 app.get('/config.json', api.frontendConfig)
+// if CORS is not supported by oidc provider proxy jwks
+if (_.get(config, 'frontend.oidc.metdata.jwks_uri') === '/keys') {
+ app.get('/keys', api.jsonWebKeySet)
+}
 if (_.has(config, 'prometheus.secret')) {
 app.get('/metrics',
diff --git a/backend/lib/middleware.js b/backend/lib/middleware.js
index 91df6be4c3..d38e05916f 100644
--- a/backend/lib/middleware.js
+++ b/backend/lib/middleware.js
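Review bot: The config path in the new guard, `'frontend.oidc.metdata.jwks_uri'`, misspells `metadata`, while the chart hunk in configmap.yaml emits the key as `metadata:`; as written `_.get` returns undefined, the comparison with `'/keys'` is never true, the `/keys` route is never mounted, and the CORS workaround this commit introduces is dead on every deployment. Change the line to `if (_.get(config, 'frontend.oidc.metadata.jwks_uri') === '/keys') {`. Note also that `api.jsonWebKeySet` (middleware.js hunk) reads its upstream URL from `config.jwks`, a different config section from the one checked here, so unless `config.jwks` is derived from the frontend metadata elsewhere, a deployment can enable the route without configuring the upstream; a startup check that both are set would surface that misconfiguration early. The surrounding app setup continues outside the hunk.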
@@ -46,6 +46,16 @@ async function frontendConfig (req, res, next) {
 res.json(frontendConfig)
 }
+async function jsonWebKeySet (req, res, next) {
+ try {
+ const { jwksUri, ca, rejectUnauthorized = true } = config.jwks || {}
+ const response = await got(jwksUri, { json: true, ca, rejectUnauthorized })
+ res.json(response.body)
+ } catch (err) {
+ next(err)
+ }
+}
+
 function attachAuthorization (req, res, next) {
 const [scheme, bearer] = req.headers.authorization.split(' ')
 if (!/bearer/i.test(scheme)) {
@@ -192,6 +202,7 @@ module.exports = {
 jwtSecret,
 attachAuthorization,
 frontendConfig,
+ jsonWebKeySet,
 historyFallback,
 notFound,
 sendError,
diff --git a/charts/gardener-dashboard/templates/configmap.yaml b/charts/gardener-dashboard/templates/configmap.yaml
index 853d6c1137..7799902913 100644
--- a/charts/gardener-dashboard/templates/configmap.yaml
+++ b/charts/gardener-dashboard/templates/configmap.yaml
@@ -80,6 +80,14 @@ data:
 {{- else }}
 loadUserInfo: false
 {{- end }}
+{{- if .Values.oidc.metadata }}
+ metadata:
+{{ toYaml .Values.oidc.metadata | indent 10 }}
+{{- end }}
+{{- if .Values.oidc.signingKeys }}
+ signingKeys:
+{{ toYaml .Values.oidc.signingKeys | indent 8 }}
+{{- end }}
 {{- if .Values.frontendConfig.gitHubRepoUrl }}
 gitHubRepoUrl: {{ .Values.frontendConfig.gitHubRepoUrl }}
 {{- end }}
diff --git a/frontend/package.json b/frontend/package.json
index 74f048fb71..7bffbbe95b 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -35,7 +35,7 @@
 "marked": "^0.5.1",
 "md5": "^2.2.1",
 "moment-timezone": "^0.5.21",
- "oidc-client": "^1.5.2",
+ "oidc-client": "^1.5.4",
 "semver": "^5.5.1",
 "semver-sort": "0.0.4",
 "socket.io-client": "^2.2.0",
diff --git a/frontend/vue.config.js b/frontend/vue.config.js
index 9de6a0e34a..dd2a4a570e 100644
--- a/frontend/vue.config.js
+++ b/frontend/vue.config.js
@@ -18,6 +18,9 @@ module.exports = {
 },
 '/config.json': {
 target: 'http://localhost:3030'
+ },
+ '/keys': {
+ target: 'http://localhost:3030'
 }
 }
 }
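Review bot: `jsonWebKeySet` issues a fresh outbound request to `jwksUri` on every unauthenticated GET `/keys` and forwards the body without any caching, so the dashboard acts as a request amplifier towards the OIDC provider and any provider hiccup shows up immediately on the login path; a short in-memory cache plus a `Cache-Control` header bounds both. It also proceeds when `config.jwks` carries no `jwksUri` — `got(undefined, …)` fails inside the `try` and reaches the error handler as a generic error — so an explicit check with a clear message would help operators diagnose the misconfiguration. Keeping `rejectUnauthorized` defaulted to `true` and letting `ca` only extend trust is the right shape; please leave that as is. The second hunk only extends `module.exports`.
```javascript
// constructed default; tune to the provider's key-rotation interval
const JWKS_CACHE_TTL_MS = 5 * 60 * 1000
let jwksCache = null

async function jsonWebKeySet (req, res, next) {
  try {
    const { jwksUri, ca, rejectUnauthorized = true } = config.jwks || {}
    if (!jwksUri) {
      return next(new Error('jwks.jwksUri is not configured'))
    }
    if (!jwksCache || jwksCache.expiresAt <= Date.now()) {
      const response = await got(jwksUri, { json: true, ca, rejectUnauthorized })
      jwksCache = { body: response.body, expiresAt: Date.now() + JWKS_CACHE_TTL_MS }
    }
    res.set('Cache-Control', `public, max-age=${JWKS_CACHE_TTL_MS / 1000}`)
    res.json(jwksCache.body)
  } catch (err) {
    next(err)
  }
}
```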
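Review bot: The diffstat lists no values.yaml or chart README change, so the new `.Values.oidc.metadata` and `.Values.oidc.signingKeys` inputs that this configmap.yaml hunk consumes are undocumented; add commented-out examples to values.yaml stating that `metadata.jwks_uri: /keys` routes JWKS fetches through the dashboard backend and that `signingKeys` are trusted verbatim as the provider's token-signing keys, so they must come from a trusted source. The two blocks also indent their `toYaml` output differently (`indent 10` for `metadata`, `indent 8` for `signingKeys`); that is presumably intentional because `signingKeys` is expected to be a sequence, but a template comment such as `# signingKeys is a list; sequence items may sit at the key's own indent` would stop the next maintainer from "fixing" it, since a mapping rendered at `indent 8` would become sibling keys rather than children. The enclosing `data:` key continues outside the hunk.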