Add POST routing for authenticator_authenticate

cyberark · Nov 8, 2022 · c6a0292 · c6a0292
1 parent 95ae0cd
commit c6a0292
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 4 deletions.
diff --git a/features/authn.feature b/features/authn.feature
@@ -13,7 +13,7 @@ Feature: Authenticate with Conjur
     """
     Then the JSON should have "payload"
 
-  Scenario: Authenticate with OIDC code requesting unparsed result
+  Scenario: Authenticate with OIDC code requesting unparsed result via GET method
     When I retrieve the provider details for OIDC authenticator "keycloak"
     And I retrieve auth info for the OIDC provider with username: "alice" and password: "alice"
     And I run the code:
@@ -23,3 +23,14 @@ Feature: Authenticate with Conjur
     """
     Then the response body contains: "payload"
     And the response includes headers
+
+  Scenario: Authenticate with OIDC code requesting unparsed result via POST method
+    When I retrieve the provider details for OIDC authenticator "keycloak"
+    And I retrieve auth info for the OIDC provider with username: "alice" and password: "alice"
+    And I run the code:
+    """
+    $conjur.authenticator_enable "authn-oidc", "keycloak"
+    Conjur::API.authenticator_authenticate_post("authn-oidc", "keycloak", options: @auth_body)
+    """
+    Then the response body contains: "payload"
+    And the response includes headers
diff --git a/lib/conjur/api/authn.rb b/lib/conjur/api/authn.rb
@@ -63,7 +63,7 @@ def login username, password, account: Conjur.configuration.account
       # @param [Hash] params Additional params to send to authenticator
       # @return [String] A JSON formatted authentication token.
       def authenticator_authenticate authenticator, service_id, account: Conjur.configuration.account, options: {}
-        JSON.parse authenticator_authenticate_get authenticator, service_id, account: account, options: options
+        JSON.parse authenticator_authenticate_post authenticator, service_id, account: account, options: options
       end
 
       # Authenticates using a third party authenticator like authn-oidc via GET request.
@@ -78,7 +78,23 @@ def authenticator_authenticate_get authenticator, service_id, account: Conjur.co
         if Conjur.log
           Conjur.log << "Authenticating to account #{account} using #{authenticator}/#{service_id}\n"
         end
-        url_for(:authenticator_authenticate, account, service_id, authenticator, options).get
+        url_for(:authenticator_authenticate_get, account, service_id, authenticator, options).get
+      end
+
+      # Authenticates using a third party authenticator like authn-oidc via POST request.
+      # It will return an response object containing access/refresh token data.
+      #
+      # @param [String] authenticator
+      # @param [String] service_id
+      # @param [String] account The organization account.
+      # @param [Hash] params Additional params to send to authenticator
+      # @return [RestClient::Response] Response object
+      def authenticator_authenticate_post authenticator, service_id, account: Conjur.configuration.account, options: {}
+        if Conjur.log
+          Conjur.log << "Authenticating to account #{account} using #{authenticator}/#{service_id}\n"
+        end
+        encoded_params = URI.encode_www_form(options)
+        url_for(:authenticator_authenticate_post, account, service_id, authenticator).post(encoded_params, content_type: 'application/www-url-form-encoded')
       end
 
       # Exchanges Conjur the API key (refresh token) for an access token.  The access token can

diff --git a/lib/conjur/api/router/v5.rb b/lib/conjur/api/router/v5.rb
@@ -43,13 +43,20 @@ def authn_authenticate account, username
           )[fully_escape account][fully_escape username]['authenticate']
         end
 
-        def authenticator_authenticate(account, service_id, authenticator, options)
+        def authenticator_authenticate_get(account, service_id, authenticator, options)
           RestClient::Resource.new(
             Conjur.configuration.core_url,
             Conjur.configuration.rest_client_options
           )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
         end
 
+        def authenticator_authenticate_post(account, service_id, authenticator)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate']
+        end
+
         def authenticator account, authenticator, service_id, credentials
           RestClient::Resource.new(
             Conjur.configuration.core_url,