OIDC post endpoint #214

Closed

gl-johnson
Contributor

Desired Outcome

Extend the Conjur Ruby API to submit POST requests to the OIDC authentication endpoint.

This new function needs to be able to return a raw RestClient::Response object, as it will be used for OIDC refresh token exchange by Conjur UI.

Implemented Changes

  • Added POST routing and new function
  • Make POST request the default behavior
  • Added cucumber scenario

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: insert issue ID
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

@gl-johnson gl-johnson force-pushed the oidc-post-endpoint branch 6 times, most recently from 7a8e91c to c6a0292 Compare November 8, 2022 18:05
@@ -63,10 +63,38 @@ def login username, password, account: Conjur.configuration.account
# @param [Hash] params Additional params to send to authenticator
# @return [String] A JSON formatted authentication token.
def authenticator_authenticate authenticator, service_id, account: Conjur.configuration.account, options: {}
JSON.parse authenticator_authenticate_post authenticator, service_id, account: account, options: options
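
Review bot: In `authenticator_authenticate`, the body now goes only through `authenticator_authenticate_post`, so every existing caller is switched to POST with no way to reach the GET route, and a Conjur server that does not yet expose the POST endpoint would not serve this call. Consider keeping GET as the default, or selecting the method through an explicit argument, until the server-side change is released. Separately, the doc comment still reads `@return [String] A JSON formatted authentication token.` while the method returns the result of `JSON.parse`, so the `@return` type should be updated to match.
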
Contributor Author

Should the default behavior of authenticator_authenticate be to use the POST method?

If yes - should the GET routing be removed entirely?

Contributor

@john-odonnell john-odonnell Nov 9, 2022

Yeah, probably. Optimally, we would use the endpoint that is credential-agnostic for code and refresh token exchanges.

Through our progress so far on the refresh token feature branch, we've maintained the GET behavior for backwards-compatibility. Maybe we should consider maintaining it here, too, until we officially remove it.

@gl-johnson gl-johnson marked this pull request as ready for review November 8, 2022 18:31
@gl-johnson gl-johnson requested a review from a team as a code owner November 8, 2022 18:31
Then the response body contains: "payload"
And the response includes headers

Scenario: Authenticate with OIDC code requesting unparsed result via POST method
Contributor Author

Two scenarios relying on the updated Conjur OIDC API currently fail in CI since the functionality has yet to be merged. The tests pass when run locally against a Conjur build containing those updates.

Contributor

@john-odonnell john-odonnell left a comment

LGTM, but blocked by the status of the refresh token feature branch.

@john-odonnell
Contributor

Closing. OIDC refresh token support was dropped in favor of a configurable Conjur token TTL implemented in cyberark/conjur#2683.
