gravitational · capnspacehook · Jul 30, 2024 · zmb3 · Aug 13, 2024
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -4365,6 +4365,8 @@ message MaxAge {
 message SSOClientRedirectSettings {
   // a list of hostnames allowed for https client redirect URLs
   repeated string allowed_https_hostnames = 1;
+  // a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+  repeated string insecure_allowed_cidr_ranges = 2;
 }
 
 // OIDCAuthRequest is a request to authenticate with OIDC

diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -17,6 +17,7 @@ limitations under the License.
 package types
 
 import (
+	"net/netip"
 	"net/url"
 	"slices"
 	"time"
@@ -35,6 +36,11 @@ type OIDCConnector interface {
 	// ResourceWithSecrets provides common methods for objects
 	ResourceWithSecrets
 	ResourceWithOrigin
+	// Validate will preform checks not found in CheckAndSetDefaults
+	// that should only be preformed when the OIDC connector resource
+	// itself is being created or updated, not when a OIDCConnector
+	// object is being created or updated.
+	Validate() error
 	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
 	GetIssuerURL() string
 	// ClientID is id for authentication client (in our case it's our Auth server)
@@ -459,6 +465,23 @@ func (o *OIDCConnectorV3) CheckAndSetDefaults() error {
 	return nil
 }
 
+// Validate will preform checks not found in CheckAndSetDefaults
+// that should only be preformed when the OIDC connector resource
+// itself is being created or updated, not when a OIDCConnector
+// object is being created or updated.
+func (o *OIDCConnectorV3) Validate() error {
+	if o.Spec.ClientRedirectSettings != nil {
+		for _, cidrStr := range o.Spec.ClientRedirectSettings.InsecureAllowedCidrRanges {
+			_, err := netip.ParsePrefix(cidrStr)
+			if err != nil {
+				return trace.BadParameter("bad CIDR range in insecure_allowed_cidr_ranges '%s': %v", cidrStr, err)
+			}
+		}
+	}
+
+	return nil
+}
+
 // GetAllowUnverifiedEmail returns true if unverified emails should be allowed in received users.
 func (o *OIDCConnectorV3) GetAllowUnverifiedEmail() bool {
 	return o.Spec.AllowUnverifiedEmail

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/docs/pages/admin-guides/access-controls/sso.mdx b/docs/pages/admin-guides/access-controls/sso.mdx
@@ -197,6 +197,35 @@ authentication succeeds, Teleport will retrieve SSH and X.509 certificates and
 store them in the `~/.tsh/keys/<clustername>` directory. The tool will also will
 add SSH cert to an SSH agent if there's one running.
 
+### Changing Callback Address
+
+The callback address can be changed if calling back to a remote machine
+instead of the local machine is required:
+
+```code
+# --bind-addr sets the host and port tsh will listen on, and --callback changes 
+# what link is displayed to the user
+$ tsh login --proxy=proxy.example.com --auth=github --bind-addr=localhost:1234 --callback https://remote.machine:1234
+```
+
+For this to work the hostname or CIDR of the remote machine that will be used for
+the callback will need to be allowed  via`spec.client_redirect_settings`:
+
+```code
+spec:
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
+```
+
 ## Configuring SSO
 
 Teleport works with SSO providers by relying on the concept of an

diff --git a/docs/pages/reference/cli/tsh.mdx b/docs/pages/reference/cli/tsh.mdx
@@ -316,6 +316,7 @@ $ tsh login [<flags>] [<cluster>]
 | Name | Default Value(s) | Allowed Value(s) | Description |
 | - | - | - | - |
 | `--bind-addr` | none | host:port | Address in the form of host:port to bind to for login command webhook |
+| `--callback` | none | host:port | Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr.
 | `-o, --out` | none | filepath | Identity output filepath |
 | `--format` | `file` | `file`, `openssh` or `kubernetes` | Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig) |
 | `--browser` | none | `none` | Set to 'none' to suppress opening system default browser for `tsh login` commands |

diff --git a/...uster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml b/...uster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml
@@ -55,6 +55,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
                 description: ClientSecret is the Github OAuth app client secret.

diff --git a/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml
@@ -80,6 +80,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
                 description: ClientSecret is used to authenticate the client.

diff --git a/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml b/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml
@@ -95,6 +95,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               display:
                 description: Display controls how this connector is displayed.

diff --git a/examples/resources/adfs-connector.yaml b/examples/resources/adfs-connector.yaml
@@ -62,3 +62,15 @@ spec:
     - name: "http://schemas.xmlsoap.org/claims/Group"
       value: "Users"
       roles: ["access"]
+
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
diff --git a/examples/resources/github.yaml b/examples/resources/github.yaml
@@ -20,3 +20,14 @@ spec:
     - editor
     organization: <github-org>
     team: <github-team>
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
diff --git a/examples/resources/gworkspace-connector-inline.yaml b/examples/resources/gworkspace-connector-inline.yaml
@@ -33,4 +33,15 @@ spec:
   scope:
   - openid
   - email
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v3
diff --git a/examples/resources/gworkspace-connector.yaml b/examples/resources/gworkspace-connector.yaml
@@ -21,4 +21,15 @@ spec:
   scope:
   - openid
   - email
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v3
diff --git a/examples/resources/oidc-connector.yaml b/examples/resources/oidc-connector.yaml
@@ -16,4 +16,15 @@ spec:
   issuer_url: https://idp.example.com/
   redirect_url: https://mytenant.teleport.sh:443/v1/webapi/oidc/callback
   max_age: 24h
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v3
diff --git a/examples/resources/onelogin-connector.yaml b/examples/resources/onelogin-connector.yaml
@@ -23,4 +23,15 @@ spec:
   issuer: ""
   service_provider_issuer: https://teleport.example.com:443/v1/webapi/saml/acs/onelogin
   sso: ""
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v2
diff --git a/examples/resources/saml-connector.yaml b/examples/resources/saml-connector.yaml
@@ -31,4 +31,15 @@ spec:
   # Optional SAML Single Logout endpoint. If set, logging out of Teleport
   # will also log the user out of the SAML provider session.
   single_logout_url: https://example.okta.com/app/your-app-id/slo/saml
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_githubconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_githubconnectors.yaml
@@ -55,6 +55,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
                 description: ClientSecret is the Github OAuth app client secret.

diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml
@@ -80,6 +80,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
                 description: ClientSecret is used to authenticate the client.

diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml
@@ -95,6 +95,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               display:
                 description: Display controls how this connector is displayed.