DRAFT: Add Token Exchange Grant Type (RFC8693) #1052

Draft: wants to merge 25 commits into base: master

25 commits
7267da4
feat: first stab at tests
blairdrummond Jan 2, 2024
86fa875
fix: fix github id_token
blairdrummond Jan 2, 2024
b7d784b
fix: fix dex cmd
blairdrummond Jan 2, 2024
3c8222f
ci: add more logging
blairdrummond Jan 2, 2024
fa9c84f
feat: add tailscale step for debugging
blairdrummond Jan 2, 2024
612b8f6
feat: add tailscale step for debugging
blairdrummond Jan 2, 2024
b75b7c7
fix: capture env vars
blairdrummond Jan 2, 2024
e97dc15
fix: remove setup
blairdrummond Jan 2, 2024
a31b89f
fix: add ID_TOKEN var
blairdrummond Jan 2, 2024
7ddd7ed
fix: sleep for 30m
blairdrummond Jan 2, 2024
709d9b6
fix: set BROWSER in workflow
blairdrummond Jan 2, 2024
7b9e1d7
fix: add debug logging
blairdrummond Jan 3, 2024
6ad5caf
refactor: split up the tests
blairdrummond Jan 3, 2024
1d789fc
fix: add clusterrolebinding stuff for token-exchange
blairdrummond Jan 3, 2024
37019d2
fix: try adding email claim
blairdrummond Jan 4, 2024
db0baa5
fix: try adding email claim
blairdrummond Jan 4, 2024
8d746d0
fix: fix scopes stuff
blairdrummond Jan 4, 2024
a806f26
fix: scope and binary stuff
blairdrummond Jan 4, 2024
ca6ac1d
fix: small things
blairdrummond Jan 4, 2024
fa07c0c
fix: let me in
blairdrummond Jan 4, 2024
85e9851
fix: remove debug
blairdrummond Jan 4, 2024
ff5788c
feat: added extra param options for token-exchange
jknight-liatrio Jan 4, 2024
0081092
fix: fix for authRequestExtraParams renaming
jknight-liatrio Jan 4, 2024
65975d2
fix: range over wrong var
blairdrummond Jan 4, 2024
6eeeb60
Merge pull request #1 from blairdrummond/feat-rfc8693
blairdrummond Feb 18, 2024
fix: scope and binary stuff
blairdrummond committed Jan 4, 2024
commit a806f261a8d41b666277f61e83561ad22ef99be8
2 changes: 1 addition & 1 deletion pkg/usecases/authentication/tokenexchange/tokenexchange.go
@@ -223,7 +223,7 @@ func (u *TokenExchange) Do(ctx context.Context, params *Option, oidcProvider oid
data.Add("resource", resource)
}

data.Add("scopes", strings.Join(oidcProvider.ExtraScopes, " "))
data.Add("scope", strings.Join(oidcProvider.ExtraScopes, " "))

if params.requestedTokenType != "" {
data.Add("requested_token_type", params.requestedTokenType)
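Review bot: the rename from `scopes` to `scope` in the `data.Add` call is the right fix, since RFC 8693 reuses the RFC 6749 `scope` parameter (space-delimited, singular), which is exactly what `strings.Join(oidcProvider.ExtraScopes, " ")` produces. One follow-up on the same line: when `oidcProvider.ExtraScopes` is empty this still sends an empty `scope=` parameter, so consider guarding it the same way `resource` is guarded just above, e.g. `if len(oidcProvider.ExtraScopes) > 0 { data.Add("scope", ...) }`.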
9 changes: 4 additions & 5 deletions system_test/token_exchange/login/Makefile
@@ -28,21 +28,20 @@ test: build
--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
--exec-arg=--oidc-extra-scope=email \
--exec-arg=--oidc-extra-scope="email,groups,openid,profile,federated:id" \
--exec-arg=--certificate-authority=$(CERT_DIR)/ca.crt

EMAIL=$(kubectl \
oidc-login \
EMAIL=$( $(BIN_DIR)/kubectl-oidc_login \
get-token \
--grant-type=token-exchange \
--token-exchange-subject-token=ID_TOKEN \
--token-exchange-subject-token-type=id-token \
--oidc-issuer-url=https://dex-server:10443/dex \
--oidc-client-id=YOUR_CLIENT_ID \
--oidc-client-secret=YOUR_CLIENT_SECRET \
--oidc-extra-scope=email \
--oidc-extra-scope="email,groups,openid,profile,federated:id" \
--certificate-authority=$(CERT_DIR)/ca.crt \
| jq -r '.status.token' | jq -R 'split(".") | .[1] | @base64d | fromjson | .email'); \
| jq -r '.status.token' | jq -r -R 'split(".") | .[1] | @base64d | fromjson | .email'); \
kubectl create clusterrolebinding cluster-readonly-gh --clusterrole=cluster-readonly \
--user="$$EMAIL"
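Review bot: `--token-exchange-subject-token=ID_TOKEN` passes the literal string `ID_TOKEN` as the subject token; if the intent is to forward the environment variable the workflow sets, a Make recipe needs `$$ID_TOKEN`, since Make consumes a single `$`. Two smaller points on the same recipe: the comma-separated `--oidc-extra-scope="email,groups,openid,profile,federated:id"` only yields separate scopes if that flag is a slice type that splits on commas, otherwise the server receives one scope value containing commas, so this is worth confirming against the flag definition; and the `jq -R 'split(".") | .[1] | @base64d | fromjson | .email'` step decodes the JWT payload with jq's standard base64 alphabet, whereas JWT segments are base64url without padding, so a payload containing `-` or `_` may fail to decode. The email is also read from the token without any signature check, which is acceptable for this test harness but should not be reused in anything that creates a `clusterrolebinding` outside of CI.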