
couper-examples test configuration edge failing #807

Open

johakoch opened this issue Feb 19, 2024 · 3 comments
Labels: bug (Something isn't working)

Comments

@johakoch (Collaborator)

See https://github.com/coupergateway/couper-examples/actions/workflows/test.yaml

This results from oidcConfig.GetIssuer() (creating a sync request for the OIDC configuration) now (after #796) being in the path for couper verify:

  • Verify.Execute()
  • runtime.NewServerConfiguration()
  • configureAccessControls()
  • oauth2.NewOidcClient()
  • oidcConfig.GetIssuer()

Another minor issue:

```
  issuer, err := oidcConfig.GetIssuer()
  if err != nil {
    return nil, errors.Oauth2.With(err)
                ^^^^^^^^^^^^^^^^^^^^^^^
```

If we keep the JWT parser being created in NewOidcClient(), err should not be wrapped here, as errors.Oauth2 is for runtime errors.

@johakoch johakoch added the bug Something isn't working label Feb 19, 2024
@johakoch (Collaborator, author) commented Mar 6, 2024

@malud Would it be safe to ignore backend errors with couper verify?

@johakoch johakoch linked a pull request Mar 7, 2024 that will close this issue
@johakoch johakoch removed a link to a pull request Apr 13, 2024
@johakoch (Collaborator, author)

We could skip the "oidc" example directory for the usual verification and do a

docker-compose up --abort-on-container-exit

instead.

That would require creating different docker-compose.yaml files for the two image-tags to be checked.

@johakoch (Collaborator, author)

A way to solve this in couper itself: lazy-initialize the JWT parser for OIDC:

```go
func NewOidcClient(evalCtx *hcl.EvalContext, oidcConfig *oidc.Config) (*OidcClient, error) {
	backends := oidcConfig.Backends()
	acClient, err := NewAuthCodeClient(evalCtx, oidcConfig, oidcConfig, backends["token_backend"])
	if err != nil {
		return nil, err
	}

	o := &OidcClient{
		AuthCodeClient: acClient,
		backends:       backends,
		config:         oidcConfig,
		// don't create JWT parser here: GetIssuer() would send the discovery request
	}

// ...

// getJwtParser creates the parser on first use, so the OIDC discovery request
// is only made when a token is actually validated (not during `couper verify`).
func (o *OidcClient) getJwtParser() (*jwt.Parser, error) {
	if o.jwtParser == nil {
		issuer, err := o.config.GetIssuer()
		if err != nil {
			return nil, err
		}
		options := []jwt.ParserOption{
// ...
		}
		o.jwtParser = jwt.NewParser(options...)
	}
	return o.jwtParser, nil
}

// ...

func (o *OidcClient) validateTokenResponseData(ctx context.Context, tokenResponseData map[string]interface{}, hashedVerifierValue, verifierValue, accessToken string) error {
	idTokenString, ok := tokenResponseData["id_token"].(string)
	if !ok {
		return errors.Oauth2.Message("missing id_token in token response")
	}

	jwtParser, err := o.getJwtParser()
	if err != nil {
		return err
	}

	idTokenClaims := jwt.MapClaims{}
	_, err = jwtParser.ParseWithClaims(idTokenString, idTokenClaims, o.keyfunc)
// ...
```
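Added example (not Couper's code) of the lazy initialisation proposed above, with the caveat a reviewer would raise: validateTokenResponseData runs per request, so the nil check must be guarded by a lock, and a failed discovery request should be retried rather than cached. IssuerFetcher and Parser are hypothetical stand-ins for oidcConfig.GetIssuer() and *jwt.Parser.

```go
package main

import (
	"fmt"
	"sync"
)

// IssuerFetcher stands in for oidcConfig.GetIssuer(), which in Couper sends a
// synchronous request for the OIDC discovery document (hypothetical type).
type IssuerFetcher func() (string, error)

// Parser stands in for *jwt.Parser; only the issuer it was configured with matters here.
type Parser struct{ Issuer string }

// LazyParser defers parser construction to first use, so that building the
// client (the `couper verify` path) never touches the OIDC backend.
// A mutex is used instead of sync.Once so that a failed discovery request is
// retried on the next token validation rather than being cached forever.
type LazyParser struct {
	mu      sync.Mutex
	fetch   IssuerFetcher
	parser  *Parser
	Fetches int // discovery requests actually sent; exposed for the test
}

func NewLazyParser(fetch IssuerFetcher) *LazyParser { return &LazyParser{fetch: fetch} }

// Get returns the shared parser, creating it on the first successful call;
// concurrent callers serialise on mu, so the parser is built at most once.
func (l *LazyParser) Get() (*Parser, error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.parser != nil {
		return l.parser, nil
	}
	l.Fetches++
	issuer, err := l.fetch()
	if err != nil {
		return nil, err // returned unwrapped, as in the proposal above
	}
	l.parser = &Parser{Issuer: issuer}
	return l.parser, nil
}

func main() {
	lp := NewLazyParser(func() (string, error) { return "https://issuer.example", nil })
	fmt.Println("requests after construction:", lp.Fetches) // 0: verify makes no request
	p, _ := lp.Get()
	fmt.Println("issuer:", p.Issuer, "requests:", lp.Fetches) // 1
}
```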
