OIDC - Add support for "Authentication code" flow #3088
Comments
ssurovich
added
the
enhancement
|
Hi, @ssurovich AFAIK, the The current Kiali OIDC implementation is using About the refresh token support, well... most (if not all) OIDC providers don't provide refresh tokens with the Implicit Flow (which Kiali is using). So, we must first solve the issue about adding support for |
OpenID Connect is a superset of OAuth2. https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html is the specification for
Do you have some way of encrypting cookies? If the backend storage isn't available then an encrypted cookie would work OK as well. A better implementation would be to support a reverse proxy's pass through authentication. similar to how the k8s dashboard works. Take the authorization header and pass it through to the API server. You could also support impersonation headers this way for deployments on managed clusters that don't support openid connect.
These do not mitigate the risk pointed out by @ssurovich as the API server does not use these mechanisms to validate |
|
Hi @israel-hdez - On the id_token, our bigger concern was that id_token could be used to generate an API call to the K8s API - I havent tested it, but with the id_token, someone could issue a curl -H "Authorization: Bearer https:///xxxxxxxxxxxxx |
|
@ssurovich Your concern is valid but I don't see how |
I partially agree. At the end, this depends a lot on the IdP. Anyway, if the concern is to avoid moving the
I think we could look into AES-GCM encryption.
This has already been requested in #2216. If you think it's better, please up-vote and drop a comment on that issue :-) The problem with the reverse proxy setup is that it doesn't work well with short-lived tokens (like in @ssurovich case). Once Kiali is loaded in the browser, if the session needs a refresh, Kiali will throw errors everywhere because it makes heavy use of Ajax which does not honor the redirection to the refresh endpoint of the proxy .We haven't found a way to catch the redirection on Ajax calls. There is only the workaround of manually refreshing the page on the browser, but this is a detrimental experience.
OK, I do agree with this. |
That's fair. We stumbled across this issue because OpenUnison doesn't implement the implicit flow due to security issues like the ones pointed out in this issue.
I don't think the issue is so much that the token will move across the network with
Can you store an expiration in your session cookie? Then have a timer in the javascript that looks for that expiration to hit and does a refresh. You can also have a background thread that polls the backend to see if the session is still alive and if not, forces a reload. In the case of Oidc this is able to refresh the token on its own without forcing you to do refresh. There are two big advantages to the reverse proxy model:
|
At the end, I think it depends a lot on the network. I mean, you did a mention of reverse proxies, and some proxies have the capabilities to inspect the bodies of the request (thinking of URL rewrite) and even parse POST params to do conditional load balancing. So, I think there is still a chance of the But I understand the concern. It's valid.
We are already doing that, but that's when the session is managed by Kiali. The session expiration issue is for the reverse-auth-proxy case. When using the proxy, we don't own the session, so Kiali can't know when it expires. If the auth proxy triggers a redirection for refresh/re-auth, this is an issue with Kiali -- this is what ambassador gateway is doing. However, if the auth proxy refreshes the session in the background, I think that can work fine. |
|
@ssurovich @mlbiam Personally, I would like to focus my efforts into supporting the OIDC "Authentication code" flow, which is (apparently) the most recommended. However, I think you are leaning towards the reverse proxy model and, alternatively, the |
|
@israel-hdez Thanks for the background and answers. You are correct that a post wouldnt help the in-transit data and it also wouldnt eliminate the logging concerns either - That was just my quick idea to attempt to run it on a development cluster I need to implement Kiali RBAC on. The reverse proxy was my favorite one from the way Dashboard implements it - It's secure and works well, and while I would love to help the project, I just need to find time before I can look at contributing anything. I may have to use token mode for now, which isnt ideal, but it works for the multi-tenant clusters I have right now. Just has a management overhead that I was hoping to avoid. |
|
Changing issue title to better reflect the ask about OIDC Code flow. |
israel-hdez
changed the title
|
@ssurovich OK, I'll leave this issue for the "Authentication code" flow. |
This initial implementation of the "authentication code" flow for OpenID authentication let's Kiali negotiate authentication with an extenal IdP provider. Kiali is acting as an "unauthenticated client" (i.e. no client secret is used). This is using AES-GCM encryption to encode the cookie which prevents revealing the OpenId id_token to the network and to the browser. Related to kiali#3088
* Initial implementation of OpenId's auth code flow This initial implementation of the "authentication code" flow for OpenID authentication let's Kiali negotiate authentication with an extenal IdP provider. Kiali is acting as an "unauthenticated client" (i.e. no client secret is used). This is using AES-GCM encryption to encode the cookie which prevents revealing the OpenId id_token to the network and to the browser. Related to #3088 * Refactor: cleanup and prepare to re-use some code Related #3088 * Mazz feedback: Unique error messages Co-authored-by: John Mazzitelli <mazz@redhat.com> * Feedback: Jay & Mazz * Feedback: Fix message Co-authored-by: John Mazzitelli <mazz@redhat.com>
When OIDC client should authenticate, we need the client-secret provided/configured by/in the OIDC server. For this, we re-use our old/reserved "kiali" secret that was used in the past for the already removed login authentication strategy avoiding another set of changes in the operator. This also: * Fixes logout * Fixes broken OIDC "implicit flow" (nonce cookie deleted early) Related kiali#3088
When OIDC client should authenticate, we need the client-secret provided/configured by/in the OIDC server. For this, we re-use our old/reserved "kiali" secret that was used in the past for the already removed login authentication strategy avoiding another set of changes in the operator. This also: * Fixes logout * Fixes broken OIDC "implicit flow" (nonce cookie deleted early) Related kiali#3088
RelatedBack-end PR is kiali/kiali#3215 Related issue is kiali/kiali#3088
…low) (#3215) * Support for acting as authenticated OIDC client When OIDC client should authenticate, we need the client-secret provided/configured by/in the OIDC server. For this, we re-use our old/reserved "kiali" secret that was used in the past for the already removed login authentication strategy avoiding another set of changes in the operator. This also: * Fixes logout * Fixes broken OIDC "implicit flow" (nonce cookie deleted early) Related #3088 * Unify oidc implicit flow code (deduplicate) This commit reuses the functions added to openid_auth.go created for the authorization code flow. Most of that code is shared. It's just the order of execution that changes. So, this is a small rework of performOpenIdAuthentication function in authentication.go file to remove code duplication.
…305) * Add documentation related to the OpenId "autorization code" support RelatedBack-end PR is kiali/kiali#3215 Related issue is kiali/kiali#3088 * Feedback: grammar
|
"Authorization code flow" has been implemented and going to be available in Kiali v1.24. |
* Initial implementation of OpenId's auth code flow This initial implementation of the "authentication code" flow for OpenID authentication let's Kiali negotiate authentication with an extenal IdP provider. Kiali is acting as an "unauthenticated client" (i.e. no client secret is used). This is using AES-GCM encryption to encode the cookie which prevents revealing the OpenId id_token to the network and to the browser. Related to kiali#3088 * Refactor: cleanup and prepare to re-use some code Related kiali#3088 * Mazz feedback: Unique error messages Co-authored-by: John Mazzitelli <mazz@redhat.com> * Feedback: Jay & Mazz * Feedback: Fix message Co-authored-by: John Mazzitelli <mazz@redhat.com>
…low) (kiali#3215) * Support for acting as authenticated OIDC client When OIDC client should authenticate, we need the client-secret provided/configured by/in the OIDC server. For this, we re-use our old/reserved "kiali" secret that was used in the past for the already removed login authentication strategy avoiding another set of changes in the operator. This also: * Fixes logout * Fixes broken OIDC "implicit flow" (nonce cookie deleted early) Related kiali#3088 * Unify oidc implicit flow code (deduplicate) This commit reuses the functions added to openid_auth.go created for the authorization code flow. Most of that code is shared. It's just the order of execution that changes. So, this is a small rework of performOpenIdAuthentication function in authentication.go file to remove code duplication.
…iali#305) * Add documentation related to the OpenId "autorization code" support RelatedBack-end PR is kiali/kiali#3215 Related issue is kiali/kiali#3088 * Feedback: grammar
Is your feature request related to a problem? Please describe.
Its a problem from a security side - assuming I understand how Kiali integrates with OIDC.
I was trying to use our OIDC provider, OpenUnison, and it failed to work. We did some tracing and discovered that Kiali wants the OIDC provider to send back the id_token in the response. The GET response is logged by any system that sees the traffic (ie: the K8s Ingress, the F5, etc...) - So if you can see the log, you have the K8s id_token.
Second - we use short lived id_tokens, and it appears that Kiali's OIDC implementation does not use refresh_tokens? With our timeout on the id_tokens, a user will need to re-authenticate every few minutes.
Describe the solution you'd like
A more secure method to access Kiali using OIDC with support for refresh_tokens.
Describe alternatives you've considered
My original thought is to use the auth_header method that the K8s Dashboard supports - This is an easy and secure method, using a reverse proxy that will send the auth_header from a link on our OIDC page.
OR
Change Kiali code to include a response_type=form_post in the auth request to a form post instead of a 302 redirect.
Additional context
I cant think of anything, if I can offer any information, please let me know.
If my understanding is way off base, let me know.
The text was updated successfully, but these errors were encountered: