OpenID Configuration Discovery Endpoint #18535
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
reviewed
Sep 19, 2023
command/agent/keyring_endpoint.go
Outdated
Comment on lines
97
to
102
| //FIXME(schmichael) should we bother implementing an RPC just to get region | ||
| //forwarding? I think *not* since consumers of this endpoint are code that is | ||
| //intended to be talking to a specific region directly. | ||
| if args.Region != conf.Region { | ||
| return nil, CodedError(400, "Region mismatch") | ||
| } |
There was a problem hiding this comment.
This is a HTTP endpoint, so clients expose it too, right? Don't we need RPC forwarding for that to work?
There was a problem hiding this comment.
No because there's no RPC involved at all: any agent regardless of whether it's client or server can serve this request...
...but for operational simplicity I should probably make it an RPC and server-only. That way you only have to configure the issuer on your servers, and we can avoid having a situation where every agent in a cluster must have the exact same config value or risk breaking something.
This comment was marked as outdated.
This comment was marked as outdated.
schmichael
force-pushed
the
f-oidc-config
branch
from
9b2bfbe to
d5c02dc
Compare
schmichael
added a commit
that referenced
this pull request
Oct 21, 2023
Added the [OIDC Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) `/.well-known/openid-configuration` endpoint to Nomad, but it is only enabled if the `server.oidc_issuer` parameter is set. Documented the parameter, but without a tutorial trying to actually _use_ this will be very hard. I intentionally did *not* use https://github.com/hashicorp/cap for the OIDC configuration struct because it's built to be a *compliant* OIDC provider. Nomad is *not* trying to be compliant initially because compliance to the spec does not guarantee it will actually satisfy the requirements of third parties. I want to avoid the problem where in an attempt to be standards compliant we ship configuration parameters that lock us in to a certain behavior that we end up regretting. I want to add parameters and behaviors as there's a demonstrable need. Users always have the escape hatch of providing their own OIDC configuration endpoint. Nomad just needs to know the Issuer so that the JWTs match the OIDC configuration. There's no reason the actual OIDC configuration JSON couldn't live in S3 and get served directly from there. Unlike JWKS the OIDC configuration should be static, or at least change very rarely. This PR is just the endpoint extracted from #18535. The `RS256` algorithm still needs to be added in hopes of supporting third parties such as [AWS IAM OIDC Provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html). Co-authored-by: Luiz Aoqui <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WIP branch to test against AWS
Issuer (and JWKS base address) is configurable with
oidc_issuer = "..."in your agent config.Endpoint is at http://localhost:4646/.well-known/openid-configuration