-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add oauth2_metadata config option #320
Conversation
fdc980c
to
bf835da
Compare
bf835da
to
43c7f56
Compare
@cipherboy If this can be merged along with #318 and #319 that would be awesome. |
43c7f56
to
20f62c0
Compare
20f62c0
to
579a2a2
Compare
Yes they are independent. It's just that my application needs both. |
579a2a2
to
85655b8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two minor comments.
I think I'm happy with this change, but I'd like to see it called out better in the docs as something to be mindful of: previously an OpenBao OIDC-bound token could not be used to pivot to other systems natively (if a token was compromised), but with this in the metadata, it could potentially be used to pivot now (depending on claims?).
(That is, assuming I'm correct about the former, which I believe is correct, but might be wrong about the existing client-bound OIDC workflow that existed in upstream -- I don't believe it currently sees either of these tokens and they're internal to upstream/OpenBao even in that workflow, but my understanding could be wrong.)
85655b8
to
d0ba771
Compare
I added a caution to the web documentation. |
Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
d0ba771
to
0e24902
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thanks @DrDaveD for the changes!
Looks like there's a flake in a different test with the data race detector: 2024-08-13T22:35:33.2621062Z === �[31mFailed�[0m
2024-08-13T22:35:33.2622304Z === �[31mFAIL�[0m: vault TestOIDC_PeriodicFunc/test-key-nil-next-signing-key (4.62s)
...
2024-08-13T22:35:33.3387975Z identity_store_oidc_test.go:1165: For key: test-key-nil-next-signing-key at cycle: 2 expected namedKey's KeyRing to be at least of length 3 but was: 2
2024-08-13T22:35:33.3389873Z identity_store_oidc_test.go:1176: For key: test-key-nil-next-signing-key at cycle: 2 expected public keys to be at least of length 3 but was: 2 |
This PR adds a configuration option
oauth2_metadata
which is a list of token types that can be returned in metadata. The list can be any ofaccess_token
,id_token
, andrefresh_token
, and when selected they are returned in metadata namesoauth2_access_token
,oauth2_id_token
, andoauth2_refresh_token
, respectively.This option makes it possible for a user to authenticate with bao once and also use the tokens directly from the oauth2 issuer for another purpose. For example, with some help from a client application to store the refresh token back into a vault secrets plugin like the Puppet labs oauthapp plugin, from then on access tokens can be read from the secrets plugin and renewed when they expire.
The new option simply puts the selected tokens into the returned metadata in a similarly to the way that the
claims_mapping
option returns things in metadata.This PR was proposed for vault several years ago in hashicorp/vault-plugin-auth-jwt#119 but has been sitting unmerged since then. It is an essential component of the https://github.com/fermitools/htvault-config package and has been in production use for a couple of years.