From 6d014eba00d746e6dad5fe1b83b6dbd4be5b6b8f Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Tue, 31 May 2022 17:15:10 -0600
Subject: [PATCH 1/2] feat: support oidc federated authentication

---
 auth/auth.go | 26 ++++++++++++++++++++++++++
 auth/config.go | 5 +++++
 2 files changed, 31 insertions(+)

diff --git a/auth/auth.go b/auth/auth.go
index 62dcd3bc..959174f8 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -61,6 +61,16 @@ func (c *Config) NewAuthorizer(ctx context.Context, api environments.Api) (Autho
 }
 }
 
+ if c.EnableClientFederatedAuth {
+ a, err := NewClientFederatedAuthorizer(ctx, c.Environment, api, c.Version, c.TenantID, c.AuxiliaryTenantIDs, c.ClientID, c.FederatedAssertion)
+ if err != nil {
+ return nil, fmt.Errorf("could not configure ClientCertificate Authorizer: %s", err)
+ }
+ if a != nil {
+ return a, nil
+ }
+ }
+
 if c.EnableGitHubOIDCAuth {
 a, err := NewGitHubOIDCAuthorizer(context.Background(), c.Environment, api, c.TenantID, c.AuxiliaryTenantIDs, c.ClientID, c.IDTokenRequestURL, c.IDTokenRequestToken)
 if err != nil {
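Review bot: The error message in the new EnableClientFederatedAuth branch says "ClientCertificate Authorizer", which looks copied from the certificate branch and will misdirect anyone debugging a federated-credential failure; change it to `return nil, fmt.Errorf("could not configure ClientFederated Authorizer: %s", err)`. Note also that NewClientFederatedAuthorizer (next hunk) appears to return a non-nil authorizer with a nil error regardless of input, so the `if a != nil` guard is not where an empty c.FederatedAssertion gets caught — an empty assertion would only surface when a token is later requested, so a configuration-time check may be worth adding here or in the constructor. NewAuthorizer's body starts and ends outside the hunk.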
@@ -163,6 +173,22 @@ func NewClientSecretAuthorizer(ctx context.Context, environment environments.Env
 return conf.TokenSource(ctx, ClientCredentialsSecretType), nil
 }
 
+// NewClientSecretAuthorizer returns an authorizer which uses client secret authentication.
+func NewClientFederatedAuthorizer(ctx context.Context, environment environments.Environment, api environments.Api, tokenVersion TokenVersion, tenantId string, auxTenantIds []string, clientId, federatedAssertion string) (Authorizer, error) {
+ conf := ClientCredentialsConfig{
+ Environment: environment,
+ TenantID: tenantId,
+ AuxiliaryTenantIDs: auxTenantIds,
+ ClientID: clientId,
+ FederatedAssertion: federatedAssertion,
+ Resource: api.Resource(),
+ Scopes: []string{api.DefaultScope()},
+ TokenVersion: tokenVersion,
+ }
+
+ return conf.TokenSource(ctx, ClientCredentialsAssertionType), nil
+}
+
 // NewGitHubOIDCAuthorizer returns an authorizer which acquires a client assertion from a GitHub endpoint, then uses client assertion authentication to obtain an access token.
 func NewGitHubOIDCAuthorizer(ctx context.Context, environment environments.Environment, api environments.Api, tenantId string, auxTenantIds []string, clientId, idTokenRequestUrl, idTokenRequestToken string) (Authorizer, error) {
 conf := GitHubOIDCConfig{
diff --git a/auth/config.go b/auth/config.go
index 426a66a3..cd86c28e 100644
--- a/auth/config.go
+++ b/auth/config.go
@@ -54,6 +54,11 @@ type Config struct {
 // Specifies the password to authenticate with using client secret authentication
 ClientSecret string
 
+ EnableClientFederatedAuth bool
+
+ // Specifies the federated assertion to authenticate using client credentials
+ FederatedAssertion string
+
 // Enables GitHub OIDC authentication
 EnableGitHubOIDCAuth bool
 

From 4379b9e63cfe936ec0e27e800167de7aa07af89f Mon Sep 17 00:00:00 2001
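Review bot: The doc comment on the new function is copied from NewClientSecretAuthorizer and names the wrong function, so godoc will attach a misleading description to NewClientFederatedAuthorizer; replace it with `// NewClientFederatedAuthorizer returns an authorizer which uses a caller-supplied federated assertion (client assertion authentication) to obtain an access token.`. Unlike NewGitHubOIDCAuthorizer directly below, which acquires the assertion from a GitHub endpoint, this constructor takes a pre-obtained assertion, and that distinction is worth stating in the comment. The function also accepts an empty federatedAssertion and always returns conf.TokenSource with a nil error, so a misconfiguration is only discovered when a token is requested; a guard such as `if federatedAssertion == "" { return nil, fmt.Errorf("federated assertion is required") }` would fail fast, though I cannot see whether the sibling constructors validate their inputs and consistency with them should decide.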
From: Erik Kristensen
Date: Tue, 31 May 2022 17:19:00 -0600
Subject: [PATCH 2/2] fix: add comment for enabling oidc federated auth

---
 auth/config.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/auth/config.go b/auth/config.go
index cd86c28e..5d7dcd76 100644
--- a/auth/config.go
+++ b/auth/config.go
@@ -54,6 +54,7 @@ type Config struct {
 // Specifies the password to authenticate with using client secret authentication
 ClientSecret string
 
+ // Enables OIDC Federated authentication
 EnableClientFederatedAuth bool
 
 // Specifies the federated assertion to authenticate using client credentials
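Review bot: The new comment on EnableClientFederatedAuth does not say where the assertion comes from, which is the one thing distinguishing this option from EnableGitHubOIDCAuth further down the struct; suggest `// Enables OIDC federated authentication using the client assertion supplied in FederatedAssertion`. Since FederatedAssertion is presented to the token endpoint as a credential in much the same way ClientSecret is, its own comment could also note that it should be handled as a secret (not logged or persisted in plain text); I am inferring its sensitivity from how auth.go uses it rather than from anything stated on the page. The Config struct continues outside the hunk.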