oidc authentication: switch to v2 of coreos/go-oidc #58544
Conversation
k8s-ci-robot
added
release-note
ericchiang
force-pushed
the
oidc-v2
branch
2 times, most recently
from
3e0afec to
8eeefd2
Compare
| var groups []string | ||
| if err := c.unmarshalClaim(a.groupsClaim, &groups); err != nil { | ||
| var group string | ||
| if err := c.unmarshalClaim(a.groupsClaim, &group); err != nil { |
There was a problem hiding this comment.
A comment about why you are trying to decode it as string again as opposed to an array of strings would be helpful
There was a problem hiding this comment.
Added a link to #33290
There was a problem hiding this comment.
alternatively create a:
type stringOrArray []string
with a UnmarshalJSON func that does the right thing.
|
Failure on /test pull-kubernetes-unit |
| @@ -0,0 +1,27 @@ | |||
| #!/bin/bash -e | |||
There was a problem hiding this comment.
can we move this under testdata? makes it clearer it is only for test
| } | ||
|
|
||
| // whilelist of signing algorithms to ensure users don't mistakenly pass something | ||
| // goofy. |
There was a problem hiding this comment.
I swear I remember someone accidentally using tokens with HS256.
| if client := a.oidcClient.Load(); client != nil { | ||
| return client.(*oidc.Client), nil | ||
| } | ||
| client := &http.Client{Transport: tr, Timeout: 15 * time.Second} |
There was a problem hiding this comment.
this is the client used in the background to fetch discovery docs and public keys? what was the timeout before?
edit: found it. there was no timeout previously. 15 seconds sounds a little aggressive, especially for a background process.
There was a problem hiding this comment.
Bumped to 30 seconds
|
/test pull-kubernetes-e2e-kops-aws |
|
/test pull-kubernetes-e2e-kops-aws edit: flaking on #58578 |
|
/test pull-kubernetes-e2e-kops-aws |
1 similar comment
|
/test pull-kubernetes-e2e-kops-aws |
|
/test pull-kubernetes-e2e-kops-aws |
|
@kubernetes/sig-auth-pr-reviews tests are green |
really? |
| if !ok { | ||
| return fmt.Errorf("claim not present") | ||
| } | ||
| return json.Unmarshal([]byte(val), v) |
There was a problem hiding this comment.
does this echo the value in errors? we weren't returning claim values in error messages before, just type info
There was a problem hiding this comment.
It's doesn't appear to return the value: https://play.golang.org/p/Ed2vi-1gDEK
I can add a test to make sure that behavior doesn't change in future releases of Go.
| return nil, false, err | ||
| } | ||
| claims, err := jwt.Claims() | ||
| idToken, err := verifier.Verify(ctx, token) |
There was a problem hiding this comment.
can be a follow-up, but might be good to consider doing something similar to #58791 to avoid noise in logs when this is combined with other token auth methods
|
a couple questions, LGTM overall. would like a second review on the authorize path. @tallclair can you review or pick a delegate? |
ericchiang
force-pushed
the
oidc-v2
branch
2 times, most recently
from
ba0d4e2 to
4f13d09
Compare
|
I have no context on this - please assign to me if you need some approval. |
|
/lgtm would like a second from another @kubernetes/sig-auth-pr-reviews reviewer, then can get top-level approval for godep change |
k8s-ci-robot
added
the
lgtm
| }) | ||
| } | ||
|
|
||
| // whilelist of signing algorithms to ensure users don't mistakenly pass something |
k8s-github-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign @thockin For final approval |
|
/approve for godep |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ericchiang, liggitt, mikedanese, smarterclayton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Switch to v2 of coreos/go-oidc, which uses square/go-jose to verify tokens and supports more signing algorithms.
Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files.
This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex.
Closes #57806
cc @rithujohn191 @liggitt
cc @kubernetes/sig-auth-pr-reviews