Part 5/n - Add jwt plugin #103

Merged
merged 174 commits into from
Feb 2, 2024

Conversation

cipherboy
Member

This imports the JWT plugin as discussed in #64, bringing it in-tree with history.


This is part of #68, broken up to make review easier.

@naphelps When it comes time for merge, I'd suggest making this one a rebase merge if you can to preserve history. Thanks!

jefferai and others added 30 commits July 6, 2018 14:33
Improve context lifetime handling for OIDC provider
This PR adds OIDC support to the plugin as well as a CLI login helper that can be imported by Vault. It also adds for both OIDC/JWT:

* default role support (fixes openbao#6)
* the ability to copy claims into metadata, whether using OIDC or the existing JWT flow. (see discussion on openbao#14)

It removes the "group_delimiter" method of specifying claims, replacing it with [JSONPointer](https://tools.ietf.org/html/rfc6901).
- verify bound_claims in all paths
- verify bound_claims against /userinfo data
- verify bound_audiences in all paths
- review bound_audiences check when using static keys to conform to our docs
- more tests
Vault must not accept signed JWT tokens through /login path when role
has role_type oidc, since there might be a situation when the client
secret could be compromised, and thus a malicious actor might be able to
illegitimately get a token with the right aud claim, which Vault would
accept through the /login path.
dependabot bot and others added 22 commits May 25, 2023 11:30
Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update dependencies, changelog, go version.
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
* Support ADC for Google Workspace (dwd/no-dwd)

This commit adds support for authenticating to the Google
Workspace Directory API through [Application Default
Credentials](https://cloud.google.com/docs/authentication/application-default-credentials).
ADC is assumed if `ServiceAccount` is left empty.

Authentication can be performed through domain-wide delegation
of authority by impersonating a workspace user, or directly by
granting the service account the necessary admin roles.

See the
[docs](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd)
for authenticating as a service account without domain-wide
delegation of authority.

This commit introduces a new config field,
`ImpersonatePrincipal`. This field is used as a target service
account to create a signed JWT for the Workspace user to
impersonate. This is useful in a scenario where you are doing
ADC with [External Account
Credentials](https://google.aip.dev/auth/4117) but still need
to impersonate a Workspace user through DWDoA. Since you don't
have access to the service account's private key, you need an
extra hop to the Service Account Credentials API to generate
the signed JWT.

* Update comments based on review
As described in hashicorp/vault#21949 endpoints with non-path parameters
that can be made use of during ReadOperation callbacks should have those
fields marked as `Query: true` to ensure the OpenAPI spec truly reflects
how the endpoints can be called.

This should also provide a proper fix to hashicorp/vault-client-go#155.

I'm also changing the operation ID to reflect that GET and POST on
`oidc/callback` are **not** at all the same operation with and without
parameters, but in fact play substantially different roles in the
overall OIDC login flow.
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](go-jose/go-jose@v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: hc-github-team-secure-vault-ecosystem <hc-github-team-secure-vault-ecosystem@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.12.0 to 0.17.0.
- [Commits](golang/crypto@v0.12.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.5+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.5...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* v0.18.0: adds changelog entry

* update fix text
* Support numeric claims

* Use the same code for both types due to limitation in Go compiler for switch-on-types

* Use json.Number to wrap the string representation of numbers

* Add tests for numeric bound_claims

* Add changelog entry for the feature
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
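The two behaviours described in the commit messages above, the refusal of direct JWT login for a role whose role_type is oidc and the comparison of numeric bound_claims via json.Number, as one added Go example. This is illustration code written for this page, not the plugin's own implementation; the `Role`, `DecodeClaims`, `asString` and `LoginWithJWT` names are assumed, and comparing numbers by their textual form is this example's simplification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Role is a simplified stand-in for role_type and bound_claims (assumed here).
type Role struct {
	RoleType    string                 // "jwt" or "oidc"
	BoundClaims map[string]interface{} // claim name -> string or json.Number
}

// DecodeClaims uses UseNumber so numeric claims stay exact as json.Number.
func DecodeClaims(payload string) (map[string]interface{}, error) {
	dec := json.NewDecoder(strings.NewReader(payload))
	dec.UseNumber()
	var claims map[string]interface{}
	if err := dec.Decode(&claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// asString gives string and json.Number claims one comparison path.
func asString(v interface{}) (string, bool) {
	switch t := v.(type) {
	case string:
		return t, true
	case json.Number:
		return t.String(), true
	}
	return "", false
}

// LoginWithJWT: oidc roles refuse direct JWTs; then all bound claims must match.
func LoginWithJWT(role Role, claims map[string]interface{}) error {
	if role.RoleType == "oidc" {
		return fmt.Errorf("role_type oidc cannot be used for jwt login")
	}
	for name, want := range role.BoundClaims {
		w, okW := asString(want)
		g, okG := asString(claims[name]) // missing claim -> okG false
		if !okW || !okG || w != g {
			return fmt.Errorf("bound claim %q does not match", name)
		}
	}
	return nil
}
```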
@naphelps naphelps self-requested a review February 2, 2024 20:11
…0caf49b0773851'

git-subtree-dir: builtin/credential/jwt
git-subtree-mainline: 40aecd9
git-subtree-split: 5aa957c
This moves the plugin to the built-in command directory naming format.

Cherry-pick of a59871f.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
This switches all references to the JWT plugin to use the new internal
location for the plugin over the external, HashiCorp owned plugin.

Cherry-pick of e55805e.

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
@cipherboy
Member Author

@naphelps Updated :-)

@naphelps naphelps merged commit c6db068 into openbao:main Feb 2, 2024
2 of 9 checks passed