oidc authentication: switch to v2 of coreos/go-oidc

parent 9586cd06
...@@ -210,6 +210,7 @@ func TestAddFlags(t *testing.T) { ...@@ -210,6 +210,7 @@ func TestAddFlags(t *testing.T) {
BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{}, BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{},
OIDC: &kubeoptions.OIDCAuthenticationOptions{ OIDC: &kubeoptions.OIDCAuthenticationOptions{
UsernameClaim: "sub", UsernameClaim: "sub",
SigningAlgs: []string{"RS256"},
}, },
PasswordFile: &kubeoptions.PasswordFileAuthenticationOptions{}, PasswordFile: &kubeoptions.PasswordFileAuthenticationOptions{},
RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{}, RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{},
......
...@@ -58,6 +58,7 @@ type AuthenticatorConfig struct { ...@@ -58,6 +58,7 @@ type AuthenticatorConfig struct {
OIDCUsernamePrefix string OIDCUsernamePrefix string
OIDCGroupsClaim string OIDCGroupsClaim string
OIDCGroupsPrefix string OIDCGroupsPrefix string
OIDCSigningAlgs []string
ServiceAccountKeyFiles []string ServiceAccountKeyFiles []string
ServiceAccountLookup bool ServiceAccountLookup bool
WebhookTokenAuthnConfigFile string WebhookTokenAuthnConfigFile string
...@@ -143,7 +144,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe ...@@ -143,7 +144,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
// simply returns an error, the OpenID Connect plugin may query the provider to // simply returns an error, the OpenID Connect plugin may query the provider to
// update the keys, causing performance hits. // update the keys, causing performance hits.
if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 { if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {
oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCUsernamePrefix, config.OIDCGroupsClaim, config.OIDCGroupsPrefix) oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCUsernamePrefix, config.OIDCGroupsClaim, config.OIDCGroupsPrefix, config.OIDCSigningAlgs)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
...@@ -235,7 +236,7 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, e ...@@ -235,7 +236,7 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, e
} }
// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error. // newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error.
func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, usernamePrefix, groupsClaim, groupsPrefix string) (authenticator.Token, error) { func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, usernamePrefix, groupsClaim, groupsPrefix string, signingAlgs []string) (authenticator.Token, error) {
const noUsernamePrefix = "-" const noUsernamePrefix = "-"
if usernamePrefix == "" && usernameClaim != "email" { if usernamePrefix == "" && usernameClaim != "email" {
...@@ -251,14 +252,15 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai ...@@ -251,14 +252,15 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai
usernamePrefix = "" usernamePrefix = ""
} }
tokenAuthenticator, err := oidc.New(oidc.OIDCOptions{ tokenAuthenticator, err := oidc.New(oidc.Options{
IssuerURL: issuerURL, IssuerURL: issuerURL,
ClientID: clientID, ClientID: clientID,
CAFile: caFile, CAFile: caFile,
UsernameClaim: usernameClaim, UsernameClaim: usernameClaim,
UsernamePrefix: usernamePrefix, UsernamePrefix: usernamePrefix,
GroupsClaim: groupsClaim, GroupsClaim: groupsClaim,
GroupsPrefix: groupsPrefix, GroupsPrefix: groupsPrefix,
SupportedSigningAlgs: signingAlgs,
}) })
if err != nil { if err != nil {
return nil, err return nil, err
......
...@@ -61,6 +61,7 @@ type OIDCAuthenticationOptions struct { ...@@ -61,6 +61,7 @@ type OIDCAuthenticationOptions struct {
UsernamePrefix string UsernamePrefix string
GroupsClaim string GroupsClaim string
GroupsPrefix string GroupsPrefix string
SigningAlgs []string
} }
type PasswordFileAuthenticationOptions struct { type PasswordFileAuthenticationOptions struct {
...@@ -208,6 +209,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -208,6 +209,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
"If provided, all groups will be prefixed with this value to prevent conflicts with "+ "If provided, all groups will be prefixed with this value to prevent conflicts with "+
"other authentication strategies.") "other authentication strategies.")
fs.StringSliceVar(&s.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+
"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+
"'alg' header value not in this list will be rejected. "+
"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.")
} }
if s.PasswordFile != nil { if s.PasswordFile != nil {
...@@ -272,6 +277,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au ...@@ -272,6 +277,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
ret.OIDCIssuerURL = s.OIDC.IssuerURL ret.OIDCIssuerURL = s.OIDC.IssuerURL
ret.OIDCUsernameClaim = s.OIDC.UsernameClaim ret.OIDCUsernameClaim = s.OIDC.UsernameClaim
ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix
ret.OIDCSigningAlgs = s.OIDC.SigningAlgs
} }
if s.PasswordFile != nil { if s.PasswordFile != nil {
......
#!/bin/bash -e
# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
rm *.pem
for N in `seq 1 3`; do
ssh-keygen -t rsa -b 2048 -f rsa_$N.pem -N ''
done
for N in `seq 1 3`; do
ssh-keygen -t ecdsa -b 521 -f ecdsa_$N.pem -N ''
done
rm *.pub
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment