Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add spec.claims.additionalClaimMappings to OIDCIdentityProvider #1294

Merged
merged 9 commits into from
Jan 18, 2023
Merged

Add spec.claims.additionalClaimMappings to OIDCIdentityProvider #1294

merged 9 commits into from
Jan 18, 2023

Conversation

cfryanr
Copy link
Member

@cfryanr cfryanr commented Sep 20, 2022
edited
Loading

This PR contains a new Supervisor feature requested in #1279. The new feature allows arbitrary upstream ID token claims to be mapped into a new top-level claim called additionalClaims in the ID tokens issued by the Supervisor. By pushing down the mapped claims under the new non-standard additionalClaims top-level claim, there is no possibility of those mapped claims accidentally overwriting (or otherwise being misinterpreted as) standard claims.

ThisPR does not show what a similar feature would look like for LDAPIdentityProviders and ActiveDirectoryIdentityProviders. Custom claim mapping is not needed for those types of IDPs at this time, although the feature could potentially be extended to include those types someday.

Here is an example spec of an OIDCIdentityProvider using this new feature:

apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  name: my-oidc-provider
  namespace: pinniped-supervisor
spec:
  issuer: https://dex.tools.svc.cluster.local/dex
  tls:
    certificateAuthorityData: [...]
  authorizationConfig:
    additionalScopes: [ offline_access, email ]
    allowPasswordGrant: true
  claims:
    username: email
    groups: groups
    # This is the new part....
    additionalClaimMappings:
      upstream_sub: sub
      upstream_email: email
      upstream_email_verified: email_verified
      upstream_name: name
      upstream_exp: exp
      upstream_does_not_exist: foobaz
    # ...end of new part.
  client:
    secretName: my-oidc-provider-client-secret

Here is an example of the claims in a Supervisor ID token created using the code on this branch. Note that both the original values and the original data types of those values are preserved from the upstream ID token.

{
  "additionalClaims": {
    "upstream_email": "pinny@example.com",
    "upstream_email_verified": true,
    "upstream_exp": 1663711649,
    "upstream_sub": "CiQwNjFkMjNkMS1mZTFlLTQ3NzctOWFlOS01OWNkMTJhYmVhYWESBWxvY2Fs"
  },
  "aud": [
    "pinniped-cli"
  ],
  "auth_time": 1663710449,
  "exp": 1663710569,
  "groups": [],
  "iat": 1663710449,
  "iss": "https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path",
  "jti": "ad3d9e81-0dca-4808-8592-9a02c7a98208",
  "nonce": "d022550b4e2c0f4e2b35c9f97b6097fb",
  "rat": 1663710449,
  "sub": "https://dex.tools.svc.cluster.local/dex?sub=CiQwNjFkMjNkMS1mZTFlLTQ3NzctOWFlOS01OWNkMTJhYmVhYWESBWxvY2Fs",
  "username": "pinny@example.com"
}

And an example of some Supervisor Pod log warnings when the upstream ID token did not contain some of the requested claims:

{"level":"info","timestamp":"2022-09-20T21:47:29.008477Z","caller":"go.pinniped.dev/internal/oidc/downstreamsession/downstream_session.go:186$downstreamsession.MapAdditionalClaimsFromUpstreamIDToken","message":"additionalClaims mapping claim in upstream ID token missing","warning":true,"upstreamName":"my-oidc-provider","claimName":"name"}
{"level":"info","timestamp":"2022-09-20T21:47:29.008484Z","caller":"go.pinniped.dev/internal/oidc/downstreamsession/downstream_session.go:186$downstreamsession.MapAdditionalClaimsFromUpstreamIDToken","message":"additionalClaims mapping claim in upstream ID token missing","warning":true,"upstreamName":"my-oidc-provider","claimName":"foobaz"}

NOTE: We also need to consider if all clients should have access to these claims, or if there should be a new scope which controls access to these claims for dynamic clients, similar to the recently added username and groups scopes.

@cfryanr cfryanr marked this pull request as draft September 20, 2022 22:09
@cfryanr cfryanr changed the title WIP: Proof of concept implementation of OIDCIdentityProvider.spec.claims.additionalClaimMappings WIP: Proof of concept implementation of spec.claims.additionalClaimMappings on OIDCIdentityProvider Sep 20, 2022
@joshuatcasey joshuatcasey force-pushed the additional_claim_mapping branch 3 times, most recently from 2692527 to 02ed2d9 Compare January 4, 2023 19:29
@joshuatcasey joshuatcasey changed the title WIP: Proof of concept implementation of spec.claims.additionalClaimMappings on OIDCIdentityProvider Add spec.claims.additionalClaimMappings to OIDCIdentityProvider Jan 4, 2023
@joshuatcasey joshuatcasey marked this pull request as ready for review January 4, 2023 19:29
@cfryanr
Copy link
Member Author

cfryanr commented Jan 5, 2023
edited by joshuatcasey
Loading

Before merging, this PR could also add test coverage for:

  • The token endpoint issues ID tokens with additional claims when exchanging authcode in token_handler_test.go
  • The token endpoint issues ID tokens with additional claims when requesting an ID token with a new audience during token exchange in token_handler_test.go
  • An integration test that shows that additional claims work with real OIDC providers (Dex and Okta) in e2e_test.go and/or in supervisor_login_test.go, whichever we decide is more appropriate (or both)

@codecov
Copy link

codecov bot commented Jan 11, 2023
edited
Loading

Codecov Report

Merging #1294 (2f9b8b1) into main (f4c9202) will decrease coverage by 1.27%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1294      +/-   ##
==========================================
- Coverage   76.77%   75.51%   -1.27%     
==========================================
  Files         166      167       +1     
  Lines       14581    14855     +274     
==========================================
+ Hits        11195    11218      +23     
- Misses       3096     3347     +251     
  Partials      290      290
Impacted Files Coverage Δ
internal/oidc/callback/callback_handler.go 100.00% <0.00%> (ø)
...nal/oidc/provider/dynamic_upstream_idp_provider.go 0.00% <0.00%> (ø)
...ernal/oidc/downstreamsession/downstream_session.go 5.24% <0.00%> (ø)
internal/oidc/auth/auth_handler.go 99.23% <0.00%> (+<0.01%) ⬆️
...onfig/oidcupstreamwatcher/oidc_upstream_watcher.go 95.06% <0.00%> (+0.01%) ⬆️
internal/upstreamoidc/upstreamoidc.go 90.14% <0.00%> (+0.80%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@joshuatcasey joshuatcasey force-pushed the additional_claim_mapping branch 4 times, most recently from d6e8530 to c399bee Compare January 13, 2023 22:45
cfryanr and others added 4 commits January 13, 2023 14:59
@cfryanr @joshuatcasey
Allow additional claims to map into an ID token issued by the supervisor
8ff6ef3 
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
@joshuatcasey @cfryanr @benjaminapetersen
Update token_handler_test to check additionalClaims for bools, number…
9acc456 
…s, and slices

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
@joshuatcasey @cfryanr @benjaminapetersen
Add integration test to verify that additionalClaims are present in a…
a94bbe7 
…n ID Token

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
@cfryanr @joshuatcasey
Change some test variable names related to additional claims
2633d72 
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
joshuatcasey and others added 3 commits January 17, 2023 11:58
@joshuatcasey @cfryanr @benjaminapetersen
additionalClaims claim should not be present when no sub claims are e…
f494c61 
…xpected

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
@joshuatcasey @cfryanr
Expect complex subclaims of additionalClaims to have type interface{}
6156fdf 
Co-authored-by: Ryan Richard <richardry@vmware.com>
@cfryanr
Assert more cluster-scoped ID token claims in supervisor_login_test.go
74c3156
cfryanr and others added 2 commits January 17, 2023 15:36
@cfryanr @joshuatcasey
Two more integration tests for additionalClaimMappings
3d20fa7 
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
@cfryanr
update copyright to 2023 in files changed by this PR
2f9b8b1
@joshuatcasey joshuatcasey merged commit 95d35a1 into main Jan 18, 2023
@joshuatcasey joshuatcasey deleted the additional_claim_mapping branch January 18, 2023 02:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuatcasey joshuatcasey joshuatcasey approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cfryanr @joshuatcasey @vmwclabot