Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: OIDC provider client API #12272

Merged
merged 55 commits into from Aug 23, 2021
Merged

feature: OIDC provider client API #12272

merged 55 commits into from Aug 23, 2021

Conversation

fairclothjm
Copy link
Contributor

Depends on PR #12266

Description

The client API allows Vault users to register clients, which represent an application that desires to authenticate and obtain identity information for its end-users.

Acceptance Criteria:

  • A Vault user can perform operations using the client API as specified in the RFC.

Manual tests

$ vault write identity/oidc/client/my-client redirect_uris=http://localhost:3456/callback,http://localhost:3456/callback2 assignments=assignment1,assignment2 key=key1 id_token_ttl=1m access_token_ttl=1m
Success! Data written to: identity/oidc/client/my-client

$ vault list identity/oidc/client
Keys
----
my-client

$ vault read identity/oidc/client/my-client
Key                 Value
---                 -----
access_token_ttl    1m
assignments         [assignment1 assignment2]
id_token_ttl        1m
key                 key1
redirect_uris       [http://localhost:3456/callback http://localhost:3456/callback2]

$ vault delete identity/oidc/client/my-client
Success! Data deleted (if it existed) at: identity/oidc/client/my-client

$ vault list identity/oidc/client
No value found at identity/oidc/client

$ vault read identity/oidc/client/my-client
No value found at identity/oidc/client/my-client

Depends on PR #12266

@vercel vercel bot temporarily deployed to Preview – vault August 5, 2021 20:38 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 5, 2021 20:38 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 19:08 Inactive
@fairclothjm fairclothjm marked this pull request as ready for review August 18, 2021 19:08
@fairclothjm fairclothjm requested a review from a team August 18, 2021 19:08
@vercel vercel bot temporarily deployed to Preview – vault August 18, 2021 19:25 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 19:25 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 18, 2021 20:01 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 20:01 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 20:25 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 18, 2021 20:25 Inactive
austingebauer
austingebauer reviewed Aug 19, 2021
View reviewed changes
Copy link
Member

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! Just a few more comments.

vault/identity_store_oidc_provider.go Outdated Show resolved Hide resolved
vault/identity_store_oidc_provider.go Outdated Show resolved Hide resolved
vault/identity_store_oidc_provider.go Outdated Show resolved Hide resolved
vault/identity_store_oidc_provider.go Outdated Show resolved Hide resolved
vault/identity_store_oidc_provider_test.go
@@ -8,6 +8,414 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)

// TestOIDC_Path_OIDC_ProviderClient_NoKeyParameter tests that a client cannot
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice test cases 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@vercel vercel bot temporarily deployed to Preview – vault August 19, 2021 21:44 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 19, 2021 21:44 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 19, 2021 21:46 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 19, 2021 21:46 Inactive
@fairclothjm fairclothjm requested a review from a team August 19, 2021 21:54
austingebauer
austingebauer approved these changes Aug 20, 2021
View reviewed changes
Copy link
Member

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fairclothjm fairclothjm mentioned this pull request Aug 20, 2021
Merged
@calvn calvn self-requested a review August 20, 2021 18:41
@fairclothjm fairclothjm mentioned this pull request Aug 20, 2021
Merged
calvn
calvn approved these changes Aug 20, 2021
View reviewed changes
Copy link
Member

@calvn calvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a note around the key requirement that we'll want to re-visit later, but otherwise it's 👍 !

vault/identity_store_oidc_provider.go
}

if client.Key == "" {
return logical.ErrorResponse("the key parameter is required"), nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are going to create a default key and assign this on the client if not specified, then this may end up being optional.

@fairclothjm fairclothjm merged commit fbcc2ab into main Aug 23, 2021
@fairclothjm fairclothjm deleted the oidc-provider-client-api branch August 23, 2021 13:42
jartek pushed a commit to jartek/vault that referenced this pull request Sep 11, 2021
@fairclothjm @jartek
feature: OIDC provider client API (hashicorp#12272)
c0792a5 
* initial commit

* add read and delete operations

* fix bug in delete and add list unit test

* func doc typo fix

* add existence check for assignment

* remove locking on the assignment resource

It is not needed at this time.

* convert Callbacks to Operations

- convert Callbacks to Operations
- add test case for update operations

* add CRUD operations and test cases

* add client api and tests

* remove use of oidcCache

* remove use of oidcCache

* add template validation and update tests

* remove usage of oidcCache

* refactor struct and var names

* harmonize test name conventions

* refactor struct and var names

* add changelog and refactor

- add changelog
- be more explicit in the case where we do not recieve a path field

* refactor

be more explicit in the case where a field is not provided

* remove extra period from changelog

* update scope path to be OIDC provider specific

* refactor naming conventions

* update assignment path

* update scope path

* enforce key existence on client creation

* removed unused name field

* removed unused name field

* removed unused name field

* prevent assignment deletion when ref'ed by a client

* enfoce assignment existence on client create/update

* update scope template description

* error when attempting to created scope with openid reserved name

* fix UT failures after requiring assignment existence

* disallow key deletion when ref'ed by existing client

* generate client_id and client_secret on CreateOp

* do not allow key modification on client update

* return client_id and client_secret on read ops

* small refactor

* fix bug in delete assignment op

* remove client secret get call
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvn calvn calvn approved these changes

@austingebauer austingebauer austingebauer approved these changes

Assignees
No one assigned
Labels
pr/no-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@fairclothjm @calvn @austingebauer