New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add pinniped_supported_identity_provider_types
to the IDP discovery endpoint
#1928
Conversation
2756a1f
to
82440ad
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1928 +/- ##
==========================================
+ Coverage 29.40% 29.62% +0.22%
==========================================
Files 348 350 +2
Lines 58499 58730 +231
==========================================
+ Hits 17200 17400 +200
- Misses 40785 40813 +28
- Partials 514 517 +3 ☔ View full report in Codecov by Sentry. |
lgtm. Should we do the CLI changes in the same PR, or a new PR? |
I'm not really sure exactly how we should translate this into CLI changes at the moment. Right now the best place to use it seems to be in |
82440ad
to
4a5b9fb
Compare
I'm actually not super clear how the CLI could best make use of this information for help text purposes. The Perhaps another way we could make use of the supported IDP types is by checking the |
We changed the scope of this PR to now also include the CLI code
97fc3cb
to
a8a76ef
Compare
936c9b1
to
ddcf079
Compare
Cases that we should make sure are covered:
What else should we consider? |
ddcf079
to
65984ac
Compare
// This check confirms that the issuer is hosting the IDP discovery document, which would always be the case for | ||
// Pinniped Supervisor. Since there are checks above to confirm that the issuer uses HTTPS, IDP discovery will | ||
// always use HTTPS. | ||
if !strings.HasPrefix(pinnipedSupervisorClaims.SupervisorDiscovery.PinnipedIDPsEndpoint, h.issuer) { | ||
return fmt.Errorf("the Pinniped IDP discovery document must always be hosted by the issuer: %q", h.issuer) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than check that the endpoint is on the same server, wouldn't it be sufficient to just check that it is an https URL? If the user is trusting this issuer, then the user should also be trusting any URLs that the issuer is pointing them to for IDP discovery.
It's still important that the URL is https though, because plain http would break that chain of trust (which starts with the original issuer https URL and CA bundle), so the client should not follow plain http URLs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the idea is that this client should make sure that Pinniped's IDP discovery is hosted on the same FederationDomain
. Since this will always be true for a Pinniped Supervisor, it seems the natural thing to check here.
…_supported_identity_provider_types Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
…he flowtype from the Supervisor's IDP discovery Co-authored-by: Joshua T Casey <caseyj@vmware.com>
d2290e0
to
f320980
Compare
Co-authored-by: Ryan Richard <richardry@vmware.com>
Add
pinniped_supported_identity_provider_types
to the IDP discovery endpoint