Adds status support for V2 OIDC Authenticators

CHANGELOG.md

@@ -23,6 +23,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   the OIDC provider endpoint would include duplicate OIDC authenticators. This
   change resolves ONYX-25530.
   [cyberark/conjur#2678](https://github.com/cyberark/conjur/pull/2678)
+- Allows V2 OIDC authenticators to be checked through the authenticator status
+  endpoint.  This change resolves ONYX-25531.
+  [cyberark/conjur#2692](https://github.com/cyberark/conjur/pull/2692)
 
 ### Added
 - Provides support for PKCE in the OIDC Authenticator code redirect workflow.

app/domain/authentication/authn_oidc/authenticator.rb

@@ -23,10 +23,39 @@ def valid?(input)
       end
 
       def status(authenticator_status_input:)
-        Authentication::AuthnOidc::ValidateStatus.new.(
+        # The following is intended as a short-term fix for dealing
+        # with two versions of the OIDC authenticator. In the medium
+        # term, we need to port the V1 functionality to V2. Once that
+        # is done, the following check can be removed.
+
+        # Attempt to load the V2 version of the OIDC Authenticator
+        data_object = if Rails.configuration.feature_flags.enabled?(:pkce_support)
+          Authentication::AuthnOidc::PkceSupportFeature::DataObjects::Authenticator
+        else
+          Authentication::AuthnOidc::V2::DataObjects::Authenticator
+        end
+        authenticator = DB::Repository::AuthenticatorRepository.new(
+          data_object: data_object
+        ).find(
+          type: authenticator_status_input.authenticator_name,
           account: authenticator_status_input.account,
           service_id: authenticator_status_input.service_id
         )
+        # If successful, validate the new set of required variables
+        if authenticator.present?
+          Authentication::AuthnOidc::ValidateStatus.new(
+            required_variable_names: %w[provider-uri client-id client-secret claim-mapping]
+          ).(
+            account: authenticator_status_input.account,
+            service_id: authenticator_status_input.service_id
+          )
+        else
+          # Otherwise, perform the default check
+          Authentication::AuthnOidc::ValidateStatus.new.(
+            account: authenticator_status_input.account,
+            service_id: authenticator_status_input.service_id
+          )
+        end
       end
     end
   end

app/domain/authentication/authn_oidc/validate_status.rb

@@ -4,7 +4,8 @@ module AuthnOidc
     ValidateStatus = CommandClass.new(
       dependencies: {
         fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
-        discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new
+        discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new,
+        required_variable_names: %w[provider-uri id-token-user-property]
       },
       inputs: %i[account service_id]
     ) do
@@ -29,14 +30,10 @@ def oidc_authenticator_secrets
           service_id: @service_id,
           conjur_account: @account,
           authenticator_name: "authn-oidc",
-          required_variable_names: required_variable_names
+          required_variable_names: @required_variable_names
         )
       end
 
-      def required_variable_names
-        @required_variable_names ||= %w[provider-uri id-token-user-property]
-      end
-
       def validate_provider_is_responsive
         @discover_identity_provider.(
           provider_uri: provider_uri