Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[feat] PIP-257: Add AuthenticationProviderOpenID #19849

Merged
merged 28 commits into from
Apr 10, 2023
Merged

[feat] PIP-257: Add AuthenticationProviderOpenID #19849

Changes from 1 commit
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
60df13a
[feat] PIP-257: Add AuthenticationProviderOpenID
michaeljmarshall Mar 17, 2023
c7474fa
Improve imports in pom.xml
michaeljmarshall Mar 17, 2023
af7e3ae
Refactor packaging: move under oidc
michaeljmarshall Mar 17, 2023
518aa08
Reorder imports
michaeljmarshall Mar 17, 2023
e93b903
Upgrade auth0 dependencies; improve claims validation
michaeljmarshall Mar 17, 2023
dcb6008
Remove some versions in child pom.xml
michaeljmarshall Mar 17, 2023
6f76bbd
Use async http client to get JWKS
michaeljmarshall Mar 20, 2023
c4bdd59
Require JWT has OIDC's required claims
michaeljmarshall Mar 20, 2023
83a512a
Remove audit logging; it belongs in framework
michaeljmarshall Mar 20, 2023
08d971a
Cleanup failure metrics
michaeljmarshall Mar 20, 2023
dd96e17
Cleanup pom.xml
michaeljmarshall Mar 20, 2023
1b46eb4
Cleanup Javadocs
michaeljmarshall Mar 20, 2023
6ea2331
Add Auth0 to license.bin.txt
michaeljmarshall Mar 20, 2023
64c8c15
Close the httpClient
michaeljmarshall Mar 28, 2023
fdf6f36
Normalize URL when getting openid-configuration
michaeljmarshall Mar 29, 2023
3d96294
Cover invalid audience claim in integration tests
michaeljmarshall Mar 29, 2023
941a9f5
Improve failure scenario coverage in integration tests
michaeljmarshall Mar 29, 2023
bc4e421
Add support for k8s Api Server
michaeljmarshall Mar 29, 2023
dadbf4c
Support a custom trust store for issuers http client
michaeljmarshall Mar 29, 2023
7340b0e
Improve config name for openIDRequireIssuersUseHttps
michaeljmarshall Mar 29, 2023
932dcd7
Add k8s discover mode to support EKS, AKS, GKE
michaeljmarshall Mar 29, 2023
5eccb86
Make discovery mode more abstract to enable future additions
michaeljmarshall Mar 29, 2023
ecb5566
Remove test dependency on hard coded port
michaeljmarshall Apr 7, 2023
fa93b4c
Refactor to support refreshAfterWrite
michaeljmarshall Apr 7, 2023
a94315b
Remove unused import
michaeljmarshall Apr 7, 2023
f4b18a0
Exclude io.prometheus:simpdleclient_httpserver from k8s client
michaeljmarshall Apr 8, 2023
511b27a
Remove trailing / from issuer per OIDC Discovery Section 4.1
michaeljmarshall Apr 10, 2023
860ceff
Require token has role claim
michaeljmarshall Apr 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Remove trailing / from issuer per OIDC Discovery Section 4.1
  • Loading branch information
@michaeljmarshall
michaeljmarshall committed Apr 10, 2023
commit 511b27a242953d6511784604a01d9f01cb5cded1
23 changes: 11 additions & 12 deletions ...c/main/java/org/apache/pulsar/broker/authentication/oidc/OpenIDProviderMetadataCache.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.WellKnownApi;
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Optional;
Expand All @@ -55,6 +54,8 @@ class OpenIDProviderMetadataCache {
private final AsyncHttpClient httpClient;
private final WellKnownApi wellKnownApi;
private final AsyncLoadingCache<Optional<String>, OpenIDProviderMetadata> cache;
private static final String WELL_KNOWN_OPENID_CONFIG = ".well-known/openid-configuration";
private static final String SLASH_WELL_KNOWN_OPENID_CONFIG = "/" + WELL_KNOWN_OPENID_CONFIG;

OpenIDProviderMetadataCache(ServiceConfiguration config, AsyncHttpClient httpClient, ApiClient apiClient) {
int maxSize = getConfigValueAsInt(config, CACHE_SIZE, CACHE_SIZE_DEFAULT);
Expand Down Expand Up @@ -99,20 +100,18 @@ CompletableFuture<OpenIDProviderMetadata> getOpenIDProviderMetadataForIssuer(@No
* AuthenticationException if the URL is malformed or there is an exception while opening the connection
*/
private CompletableFuture<OpenIDProviderMetadata> loadOpenIDProviderMetadataForIssuer(String issuer) {
URI uri;
try {
// TODO URI's normalization follows RFC2396, whereas the spec
// https://openid.net/specs/openid-connect-discovery-1_0.html#NormalizationSteps
// calls for normalization according to RFC3986, which is supposed to obsolete RFC2396
uri = URI.create(issuer + "/.well-known/openid-configuration").normalize();
} catch (Exception e) {
incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
return CompletableFuture.failedFuture(new AuthenticationException(
"Error retrieving OpenID Provider Metadata at " + issuer + ": " + e.getMessage()));
String url;
// TODO URI's normalization likely follows RFC2396 (library doesn't say so explicitly), whereas the spec
// https://openid.net/specs/openid-connect-discovery-1_0.html#NormalizationSteps
// calls for normalization according to RFC3986, which is supposed to obsolete RFC2396. Is this a problem?
if (issuer.endsWith("/")) {
url = issuer + WELL_KNOWN_OPENID_CONFIG;
} else {
url = issuer + SLASH_WELL_KNOWN_OPENID_CONFIG;
}

return httpClient
.prepareGet(uri.toString())
.prepareGet(url)
.execute()
.toCompletableFuture()
.thenCompose(result -> {
Expand Down