mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-12-03 08:31:51 +01:00
Code Issues Projects Releases Wiki Activity

Updates the JWT/OIDC auth plugin to v0.9.2 (#11157)

Browse Source
This commit is contained in:
Austin Gebauer 2021-03-19 12:06:37 -07:00 committed by GitHub
parent 5ff9af3a17
commit 0658e3a73a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
go.mod
View File

@ -83,7 +83,7 @@ require (
github.com/hashicorp/vault-plugin-auth-centrify v0.8.0 github.com/hashicorp/vault-plugin-auth-centrify v0.8.0
github.com/hashicorp/vault-plugin-auth-cf v0.8.0 github.com/hashicorp/vault-plugin-auth-cf v0.8.0
github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
github.com/hashicorp/vault-plugin-auth-jwt v0.9.1 github.com/hashicorp/vault-plugin-auth-jwt v0.9.2
github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0 github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0
github.com/hashicorp/vault-plugin-auth-oci v0.7.0 github.com/hashicorp/vault-plugin-auth-oci v0.7.0

4
go.sum
View File

@ -694,8 +694,8 @@ github.com/hashicorp/vault-plugin-auth-cf v0.8.0/go.mod h1:exPUMj8yNohKM7yRiHa7O
github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI= github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 h1:57uJ2Vqo+M+W7pD8xEONKJ1BBGS8V4xpm7VU56A9RWA= github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 h1:57uJ2Vqo+M+W7pD8xEONKJ1BBGS8V4xpm7VU56A9RWA=
github.com/hashicorp/vault-plugin-auth-gcp v0.9.0/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w= github.com/hashicorp/vault-plugin-auth-gcp v0.9.0/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
github.com/hashicorp/vault-plugin-auth-jwt v0.9.1 h1:8CnT8z+o26/c8PUUhvp+BaiDSIgA5giazyYbZlfNJ5Q= github.com/hashicorp/vault-plugin-auth-jwt v0.9.2 h1:ghOYlco5t4q+rNecMWC5Cb8jguLiig168jYlBc5QtKk=
github.com/hashicorp/vault-plugin-auth-jwt v0.9.1/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws= github.com/hashicorp/vault-plugin-auth-jwt v0.9.2/go.mod h1:Gn6ELc1X5nmZ/pxoXf0nA4lG2gwuGnY6SNyW40tR/ws=
github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 h1:QxW0gRevydrNfRvo1qI6p0jQkhedLUgiWqpCN36RXoQ= github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 h1:QxW0gRevydrNfRvo1qI6p0jQkhedLUgiWqpCN36RXoQ=
github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0/go.mod h1:h+7pLm4Z2EeKHOGPefX0bGzdUQCMBUlvM/BpSMNgTFw= github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0/go.mod h1:h+7pLm4Z2EeKHOGPefX0bGzdUQCMBUlvM/BpSMNgTFw=
github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0 h1:X/eXFuJqVW8YN73ohTaI5YyCwcjd6C3mpnMv/elkNrw= github.com/hashicorp/vault-plugin-auth-kubernetes v0.9.0 h1:X/eXFuJqVW8YN73ohTaI5YyCwcjd6C3mpnMv/elkNrw=

23
vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_oidc.go generated vendored
View File

@ -16,6 +16,7 @@ import (
"github.com/hashicorp/vault/sdk/helper/cidrutil" "github.com/hashicorp/vault/sdk/helper/cidrutil"
"github.com/hashicorp/vault/sdk/helper/strutil" "github.com/hashicorp/vault/sdk/helper/strutil"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"golang.org/x/oauth2"
) )
const ( const (
@ -216,9 +217,15 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
if oidcReq.idToken == "" { if oidcReq.idToken == "" {
return logical.ErrorResponse(errLoginFailed + " No code or id_token received."), nil return logical.ErrorResponse(errLoginFailed + " No code or id_token received."), nil
} }
// Verify the ID token received from the authentication response.
rawToken = oidc.IDToken(oidcReq.idToken) rawToken = oidc.IDToken(oidcReq.idToken)
if _, err := provider.VerifyIDToken(ctx, rawToken, oidcReq); err != nil {
return logical.ErrorResponse("%s %s", errTokenVerification, err.Error()), nil
}
} else { } else {
// ID token verification takes place in exchange // Exchange the authorization code for an ID token and access token.
// ID token verification takes place in provider.Exchange.
token, err = provider.Exchange(ctx, oidcReq, stateID, code) token, err = provider.Exchange(ctx, oidcReq, stateID, code)
if err != nil { if err != nil {
return logical.ErrorResponse(errLoginFailed+" Error exchanging oidc code: %q.", err.Error()), nil return logical.ErrorResponse(errLoginFailed+" Error exchanging oidc code: %q.", err.Error()), nil
@ -256,16 +263,26 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
return nil, errors.New("sub claim does not match bound subject") return nil, errors.New("sub claim does not match bound subject")
} }
// Set the token source for the access token if it's available. It will only
// be available for the authorization code flow (oidc_response_types=code).
// The access token will be used for fetching additional user and group info.
var tokenSource oauth2.TokenSource
if token != nil {
tokenSource = token.StaticTokenSource()
}
// If we have a token, attempt to fetch information from the /userinfo endpoint // If we have a token, attempt to fetch information from the /userinfo endpoint
// and merge it with the existing claims data. A failure to fetch additional information // and merge it with the existing claims data. A failure to fetch additional information
// from this endpoint will not invalidate the authorization flow. // from this endpoint will not invalidate the authorization flow.
if err := provider.UserInfo(ctx, token.StaticTokenSource(), subject, &allClaims); err != nil { if tokenSource != nil {
if err := provider.UserInfo(ctx, tokenSource, subject, &allClaims); err != nil {
logFunc := b.Logger().Warn logFunc := b.Logger().Warn
if strings.Contains(err.Error(), "user info endpoint is not supported") { if strings.Contains(err.Error(), "user info endpoint is not supported") {
logFunc = b.Logger().Info logFunc = b.Logger().Info
} }
logFunc("error reading /userinfo endpoint", "error", err) logFunc("error reading /userinfo endpoint", "error", err)
} }
}
if role.VerboseOIDCLogging { if role.VerboseOIDCLogging {
if c, err := json.Marshal(allClaims); err == nil { if c, err := json.Marshal(allClaims); err == nil {
@ -275,7 +292,7 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
} }
} }
alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, token.StaticTokenSource()) alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, tokenSource)
if err != nil { if err != nil {
return logical.ErrorResponse(err.Error()), nil return logical.ErrorResponse(err.Error()), nil
} }

2
vendor/modules.txt vendored
View File

@ -563,7 +563,7 @@ github.com/hashicorp/vault-plugin-auth-cf/util
# github.com/hashicorp/vault-plugin-auth-gcp v0.9.0 # github.com/hashicorp/vault-plugin-auth-gcp v0.9.0
github.com/hashicorp/vault-plugin-auth-gcp/plugin github.com/hashicorp/vault-plugin-auth-gcp/plugin
github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
# github.com/hashicorp/vault-plugin-auth-jwt v0.9.1 # github.com/hashicorp/vault-plugin-auth-jwt v0.9.2
github.com/hashicorp/vault-plugin-auth-jwt github.com/hashicorp/vault-plugin-auth-jwt
# github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0 # github.com/hashicorp/vault-plugin-auth-kerberos v0.3.0
github.com/hashicorp/vault-plugin-auth-kerberos github.com/hashicorp/vault-plugin-auth-kerberos