diff --git a/go.mod b/go.mod
index e8fdfc3273..07ebd37b86 100644
--- a/go.mod
+++ b/go.mod
@@ -83,7 +83,7 @@ require (
 github.com/hashicorp/vault-plugin-auth-centrify v0.8.0
 github.com/hashicorp/vault-plugin-auth-cf v0.8.0
 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
- github.com/hashicorp/vault-plugin-auth-jwt v0.9.1
+ github.com/hashicorp/vault-plugin-auth-jwt v0.9.2
 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0
 github.com/hashicorp/vault-plugin-auth-oci v0.7.0
diff --git a/go.sum b/go.sum
index 11528364f0..237e81c18a 100644
--- a/go.sum
+++ b/go.sum
@@ -694,8 +694,8 @@ github.com/hashicorp/vault-plugin-auth-cf v0.8.0/go.mod h1:exPUMj8yNohKM7yRiHa7O
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 h1:57uJ2Vqo+M+W7pD8xEONKJ1BBGS8V4xpm7VU56A9RWA=
 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
-github.com/hashicorp/vault-plugin-auth-jwt v0.9.1 h1:8CnT8z+o26/c8PUUhvp+BaiDSIgA5giazyYbZlfNJ5Q=
-github.com/hashicorp/vault-plugin-auth-jwt v0.9.1/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
+github.com/hashicorp/vault-plugin-auth-jwt v0.9.2 h1:ghOYlco5t4q+rNecMWC5Cb8jguLiig168jYlBc5QtKk=
+github.com/hashicorp/vault-plugin-auth-jwt v0.9.2/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 h1:QxW0gRevydrNfRvo1qI6p0jQkhedLUgiWqpCN36RXoQ=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0/go.mod h1:h+7pLm4Z2EeKHOGPefX0bGzdUQCMBUlvM/BpSMNgTFw=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0 h1:X/eXFuJqVW8YN73ohTaI5YyCwcjd6C3mpnMv/elkNrw=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
index 83b00ec74f..e1d617c2f6 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go
@@ -16,6 +16,7 @@ import (
 "github.com/hashicorp/vault/sdk/helper/cidrutil"
 "github.com/hashicorp/vault/sdk/helper/strutil"
 "github.com/hashicorp/vault/sdk/logical"
+ "golang.org/x/oauth2"
 )
 
 const (
@@ -216,9 +217,15 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 if oidcReq.idToken == "" {
 return logical.ErrorResponse(errLoginFailed + " No code or id_token received."), nil
 }
+
+ // Verify the ID token received from the authentication response.
 rawToken = oidc.IDToken(oidcReq.idToken)
+ if _, err := provider.VerifyIDToken(ctx, rawToken, oidcReq); err != nil {
+ return logical.ErrorResponse("%s %s", errTokenVerification, err.Error()), nil
+ }
 } else {
- // ID token verification takes place in exchange
+ // Exchange the authorization code for an ID token and access token.
+ // ID token verification takes place in provider.Exchange.
 token, err = provider.Exchange(ctx, oidcReq, stateID, code)
 if err != nil {
 return logical.ErrorResponse(errLoginFailed+" Error exchanging oidc code: %q.", err.Error()), nil
@@ -256,15 +263,25 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 return nil, errors.New("sub claim does not match bound subject")
 }
 
+ // Set the token source for the access token if it's available. It will only
+ // be available for the authorization code flow (oidc_response_types=code).
+ // The access token will be used for fetching additional user and group info.
+ var tokenSource oauth2.TokenSource
+ if token != nil {
+ tokenSource = token.StaticTokenSource()
+ }
+
 // If we have a token, attempt to fetch information from the /userinfo endpoint
 // and merge it with the existing claims data. A failure to fetch additional information
 // from this endpoint will not invalidate the authorization flow.
- if err := provider.UserInfo(ctx, token.StaticTokenSource(), subject, &allClaims); err != nil {
- logFunc := b.Logger().Warn
- if strings.Contains(err.Error(), "user info endpoint is not supported") {
- logFunc = b.Logger().Info
+ if tokenSource != nil {
+ if err := provider.UserInfo(ctx, tokenSource, subject, &allClaims); err != nil {
+ logFunc := b.Logger().Warn
+ if strings.Contains(err.Error(), "user info endpoint is not supported") {
+ logFunc = b.Logger().Info
+ }
+ logFunc("error reading /userinfo endpoint", "error", err)
 }
- logFunc("error reading /userinfo endpoint", "error", err)
 }
 
 if role.VerboseOIDCLogging {
@@ -275,7 +292,7 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 }
 }
 
- alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, token.StaticTokenSource())
+ alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, tokenSource)
 if err != nil {
 return logical.ErrorResponse(err.Error()), nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0a3b9b313e..f5f049767b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -563,7 +563,7 @@ github.com/hashicorp/vault-plugin-auth-cf/util
 # github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
 github.com/hashicorp/vault-plugin-auth-gcp/plugin
 github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
-# github.com/hashicorp/vault-plugin-auth-jwt v0.9.1
+# github.com/hashicorp/vault-plugin-auth-jwt v0.9.2
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
 github.com/hashicorp/vault-plugin-auth-kerberos