
Allow extra args to be provided to the OIDC auth endpoint #3034


Merged
merged 9 commits into from
Jan 11, 2023

Conversation

alanwilkie-finocomp
Contributor

Proposed changes

Some OIDC Identity Providers provide extended capabilities by adding extra query string arguments to the authentication request. This change allows the OIDC policy to specify the extra arguments.

Specifically, Keycloak allows a default identity provider to be specified by adding a "kc_idp_hint" parameter to the authentication request (see https://www.keycloak.org/docs/latest/server_admin/#_client_suggested_idp).

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@github-actions github-actions bot added the documentation Pull requests/issues for documentation label Sep 13, 2022
@alanwilkie-finocomp
Contributor Author

I meant this PR to have the "enhancement" label, but I'm not sure how that gets done. Is it possible to add the label after creation?

@brianehlert
Collaborator

Could you please open and link an issue and outline the problem there?

@codecov-commenter

codecov-commenter commented Sep 14, 2022

Codecov Report

Merging #3034 (9f7ee32) into main (09364eb) will decrease coverage by 0.01%.
The diff coverage is 100.00%.

❗ Current head 9f7ee32 differs from pull request most recent head 2594dfb. Consider uploading reports for the commit 2594dfb to get more accurate results

@@            Coverage Diff             @@
##             main    #3034      +/-   ##
==========================================
- Coverage   51.58%   51.57%   -0.02%     
==========================================
  Files          60       60              
  Lines       16675    16690      +15     
==========================================
+ Hits         8602     8608       +6     
- Misses       7783     7790       +7     
- Partials      290      292       +2     
Impacted Files Coverage Δ
internal/configs/version2/http.go 0.00% <ø> (ø)
internal/configs/virtualserver.go 95.22% <100.00%> (+<0.01%) ⬆️
pkg/apis/configuration/validation/policy.go 90.90% <100.00%> (+0.25%) ⬆️
...ternal/k8s/appprotect/app_protect_configuration.go 86.16% <0.00%> (-0.58%) ⬇️
cmd/nginx-ingress/flags.go 29.85% <0.00%> (-0.44%) ⬇️
internal/k8s/configuration.go 95.39% <0.00%> (-0.37%) ⬇️


@ciarams87 ciarams87 added the enhancement Pull requests for new features/feature enhancements label Sep 19, 2022
@lucacome lucacome requested review from a team, haywoodsh, ciarams87 and shaun-nx September 23, 2022 01:03
@github-actions github-actions bot removed the enhancement Pull requests for new features/feature enhancements label Nov 3, 2022
@jasonwilliams14
Contributor

@alanwilkie-finocomp Our project depends on another repo for OIDC. I would recommend you open this on that specific project, which would allow us to bring over the features that would be implemented.
Here is the repo:

https://github.com/nginxinc/nginx-openid-connect

Thank you.

@brianehlert
Collaborator

brianehlert commented Nov 4, 2022

To clarify.
The specific changes to internal/configs/oidc/openid_connect.js need to be contributed to https://github.com/nginxinc/nginx-openid-connect

We don't maintain a fork of the nginx openid connect project, but rather sync with it.

The other changes are specific to this project.

@alanwilkie-finocomp
Contributor Author

Thanks @jasonwilliams14 and @brianehlert, I'll have a look at nginx-openid-connect and see if I can get the JS changes into that codebase.

@alanwilkie-finocomp
Contributor Author

The JS change has now been merged into nginx-openid-connect (nginxinc/nginx-openid-connect#67).

@jasonwilliams14
Contributor

> The JS change has now been merged into nginx-openid-connect (nginxinc/nginx-openid-connect#67).

Thank you. We will review on our side now that the changes have been merged into the OIDC project.

@lucacome lucacome added the enhancement Pull requests for new features/feature enhancements label Dec 15, 2022
@lucacome lucacome self-assigned this Dec 15, 2022
@github-actions github-actions bot added helm_chart Pull requests that update the Helm Chart and removed enhancement Pull requests for new features/feature enhancements labels Dec 15, 2022
@lucacome lucacome added this to the 3.0.0-k8s-ingress-controller milestone Dec 15, 2022

@lucacome lucacome left a comment

Hi @alanwilkie-finocomp

Just one small change

> multiple arguments may be provided by concatenating them with &, for example arg1=value1&arg2=value2

I think we want to use something like a list separated by , arg1=value1,arg2=value2 instead of & in the YAML file. That would be more consistent with other parameters and YAML in general.
Then you can just replace , with & when you pass the string to the javascript.

Let me know what you think about it and if you have any questions.

@alanwilkie-finocomp
Contributor Author

Hi @lucacome

Would it be better to make the arguments a YAML list? Like:

authExtraArgs:
  - arg1=value1
  - arg2=value2

or:

authExtraArgs: [ arg1=value1, arg2=value2 ]

@lucacome

Yeah, that's probably even better @alanwilkie-finocomp !

@alanwilkie-finocomp
Contributor Author

I've updated the PR with the new policy item as a list of strings that are concatenated with & to form the final value.
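
The list-of-strings design settled on above, as an added Go example that is not code from this PR or the project: each entry is checked before the list is joined with `&`, so a single entry cannot smuggle in a second parameter. The function name `BuildAuthExtraArgs`, the reserved-parameter list and the sample values are assumptions of the example, and values are assumed to arrive un-encoded.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// reserved lists parameters an OIDC auth request already carries. Refusing
// them in extra args is an assumption of this example, not the project's rule.
var reserved = map[string]bool{"client_id": true, "redirect_uri": true,
	"response_type": true, "scope": true, "state": true, "nonce": true}

// BuildAuthExtraArgs (hypothetical name) validates a policy's list of
// "name=value" strings and joins them with "&" into one query fragment.
func BuildAuthExtraArgs(args []string) (string, error) {
	seen := map[string]bool{}
	parts := make([]string, 0, len(args))
	for _, a := range args {
		name, value, ok := strings.Cut(a, "=")
		if !ok || name == "" {
			return "", fmt.Errorf("%q is not in name=value form", a)
		}
		// A raw & adds a parameter; # or whitespace would cut the query short.
		if strings.ContainsAny(a, "&#? \t\r\n") {
			return "", fmt.Errorf("%q contains a query delimiter or whitespace", a)
		}
		if reserved[name] {
			return "", fmt.Errorf("%q would override a core request parameter", name)
		}
		if seen[name] {
			return "", errors.New("duplicate argument " + name)
		}
		seen[name] = true
		// Percent-encode both halves so the joined string is a valid query.
		parts = append(parts, url.QueryEscape(name)+"="+url.QueryEscape(value))
	}
	return strings.Join(parts, "&"), nil
}

func main() {
	// Constructed sample: the Keycloak hint named in the PR description plus one more.
	q, err := BuildAuthExtraArgs([]string{"kc_idp_hint=github", "prompt=login"})
	fmt.Println(q, err)
	// Constructed sample: one entry trying to carry a second parameter.
	_, err = BuildAuthExtraArgs([]string{"kc_idp_hint=x&redirect_uri=https://example.test"})
	fmt.Println(err)
}
```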

@lucacome lucacome modified the milestones: v3.0.0, v3.1.0 Jan 11, 2023
@lucacome lucacome merged commit 86b5b0e into nginx:main Jan 11, 2023
Labels
documentation Pull requests/issues for documentation helm_chart Pull requests that update the Helm Chart
Development

Successfully merging this pull request may close these issues.

Allow extra arguments to be passed in the query string of the OIDC auth request
7 participants