OIDC: Sessions #15030
Draft
markylaing wants to merge 47 commits into canonical:main from markylaing:sessions
Signed-off-by: Mark Laing <[email protected]>
Adds utils for managing a cluster wide secret and salt. Signed-off-by: Mark Laing <[email protected]>
This function, in combination with `clusterSecretInternal`, can be used to get a cluster-wide shared secret on demand. Signed-off-by: Mark Laing <[email protected]>
We need to unset any previously configured value so that the joining daemon will fetch the shared secret on the next call to `(*Daemon).getClusterSecret`. Signed-off-by: Mark Laing <[email protected]>
To do this, we need to delete the database entry first, then reset the `(*Daemon).clusterSecretInternal` so that new ones are generated when required. We only delete the database entries once, from the member that received the request. Signed-off-by: Mark Laing <[email protected]>
This change allows the verifier to perform OIDC discovery when it is created (on config change). Users will get faster feedback if their OIDC configuration is incorrect. Signed-off-by: Mark Laing <[email protected]>
This PR changes the `relyingParty` field to a slice of relying parties associated with the time at which they became outdated. In /oidc/callback, we use any available relying party that can decrypt the state cookie (and therefore complete the flow). Relying parties are only kept around for 5 minutes. Signed-off-by: Mark Laing <[email protected]>
…covery. Signed-off-by: Mark Laing <[email protected]>
…ult. Signed-off-by: Mark Laing <[email protected]>
…luster cert fingerprint. Signed-off-by: Mark Laing <[email protected]>
Note: I'll need to split this commit. I didn't because the diff was horrible, but I'll get to it. Signed-off-by: Mark Laing <[email protected]>
…tes. Signed-off-by: Mark Laing <[email protected]>
Expect an api.IdentityInfo and optional api.Certificate in request context. Signed-off-by: Mark Laing <[email protected]>
…certificate keys. Signed-off-by: Mark Laing <[email protected]>
The authenticate method now contains a handler to be called on successful authentication for identities that should be present in the database. It must be called when the authentication method is "cluster" to get the context of the true caller. Signed-off-by: Mark Laing <[email protected]>
This is in a few stages:
1. Check if there are any cookies for this URL.
   - If yes, do request.
   - If no, add Authorization: Bearer header. Preemptively add the token if present.
2. On failure, if we have an access token, try again with the access token using a *cloned* request. Not using a cloned request results in sending the invalid session cookie again. This is because the cookies aren't deleted from the request, they are only deleted from the cookie jar on the client.
3. If trying again fails or we don't have an access token, authenticate and try a third time.
Signed-off-by: Mark Laing <[email protected]>
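The three-stage client flow from this commit message, as an added Go example that is not LXD's client code: `doWithSession`, the `fakeServer` transport, the `lxd_session` cookie name and the `authenticate` callback are all constructed here, and the `http.Client` is assumed to carry a cookie jar. It shows why the retry must use a cloned request: `http.Client` writes the jar's cookies into the request's own Cookie header, so reusing the same request would resend the rejected session cookie.

```go
package main
import (
	"net/http"
	"net/http/cookiejar"
)

const sessionCookie = "lxd_session" // hypothetical cookie name, not LXD's
// fakeServer is a constructed stand-in for the daemon: it rejects every session cookie (the jar's is stale), accepts only the valid bearer token and records each attempt.
type fakeServer struct{ validToken string; Attempts []string }
func (s *fakeServer) RoundTrip(req *http.Request) (*http.Response, error) {
	auth := req.Header.Get("Authorization")
	s.Attempts = append(s.Attempts, "cookie="+req.Header.Get("Cookie")+" auth="+auth)
	status := http.StatusUnauthorized
	if auth == "Bearer "+s.validToken { status = http.StatusOK }
	return &http.Response{StatusCode: status, Header: http.Header{}, Body: http.NoBody}, nil
}
// doWithSession follows the three stages above; authenticate is a hypothetical
// callback that runs the full OIDC login and returns a fresh access token.
func doWithSession(c *http.Client, req *http.Request, token string, authenticate func() (string, error)) (*http.Response, error) {
	send := func(bearer string) (*http.Response, error) {
		// Clone the untouched request every time: http.Client writes the jar's cookies into
		// the request's own Cookie header, so retrying req itself resends the stale cookie.
		r := req.Clone(req.Context())
		if bearer != "" { r.Header.Set("Authorization", "Bearer "+bearer) }
		resp, err := c.Do(r)
		if err == nil && resp.StatusCode == http.StatusUnauthorized { resp.Body.Close() } // rejected: free the body
		return resp, err
	}
	bearer, haveCookie := token, len(c.Jar.Cookies(req.URL)) > 0
	if haveCookie { bearer = "" } // stage 1: prefer the session cookie, else send the token pre-emptively
	if resp, err := send(bearer); err != nil || resp.StatusCode != http.StatusUnauthorized { return resp, err }
	// The session (if any) was rejected: expire it in the jar so no later attempt carries it.
	c.Jar.SetCookies(req.URL, []*http.Cookie{{Name: sessionCookie, Path: "/", MaxAge: -1}})
	if haveCookie && token != "" { // stage 2: retry with the access token we already hold
		if resp, err := send(token); err != nil || resp.StatusCode != http.StatusUnauthorized { return resp, err }
	}
	fresh, err := authenticate() // stage 3: log in again and try one last time
	if err != nil { return nil, err }
	return send(fresh)
}
// scenario replays a stale session: returns what the server saw per attempt and the final status.
func scenario() ([]string, int, error) {
	srv := &fakeServer{validToken: "tok-good"}
	jar, _ := cookiejar.New(nil)
	req, _ := http.NewRequest(http.MethodGet, "https://lxd.example/1.0", nil)
	jar.SetCookies(req.URL, []*http.Cookie{{Name: sessionCookie, Value: "stale-session", Path: "/"}})
	resp, err := doWithSession(&http.Client{Transport: srv, Jar: jar}, req, "tok-good", func() (string, error) { return "tok-good", nil })
	if err != nil { return srv.Attempts, 0, err }
	return srv.Attempts, resp.StatusCode, nil
}
```

In `scenario` the first attempt carries only the stale cookie and is rejected; the second, sent from a fresh clone after the jar entry expired, carries only the bearer token and succeeds.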
This is for discussion and would add direct support for Entra ID and ADFS (#14174 #14175). It:
- … `session_terminated` field in the identity metadata to true. I haven't implemented an API endpoint for this but it should be easy to do.
- … `oidc.session.lifetime`, which determines the expiry of the JWTs issued by LXD.
- … `*api.IdentityInfo` or error. This is set in the request context so that authorization can account for effective groups (LXD and IdP groups). The OIDC Verifier performs DB queries only when the user has authenticated.
- … `daemon.go` to add an `*api.IdentityInfo` and `*api.Certificate` to the request context when appropriate. (Again, DB calls are made only when the caller has authenticated).
- … `client` and `lxc/config` to handle session cookies (and saves cookies on disk on exit).