-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
connector: add uaa connector #542
Conversation
Thanks! Will spin up a UAA Server after lunch to test this. |
I will get you a test recipe if you don't beat me to it. |
Below is an example test procedure. Running UAA
Running Dex
{
"type": "uaa",
"id": "local-uaa",
"clientId": "login",
"clientSecret": "loginsecret",
"serverURL": "http://localhost:8080/uaa"
}
Testing
CaveatsAt this point, you'll see the following error:
When debugging this with my ops people, they said the token was successfully provided and so I'm thinking the example application might be busted. If that is not the case of course, I will help if the issue is in the UAA connector. |
It looks like the error is because, |
@whitlockjc why is the connector code interacting with the client manager? |
It's not. :) The error I ran into with the example-app during testing (mentioned in the Caveats section above) is produced in the client manager code. Here is the exact piece of code: https://github.com/coreos/dex/blob/a7b860b9c2dba69b7154feacbd0adbe0c52e2591/client/manager/manager.go#L181 Basically, diff --git a/client/manager/manager.go b/client/manager/manager.go
index 75ad7f3..6d25023 100644
--- a/client/manager/manager.go
+++ b/client/manager/manager.go
@@ -180,8 +180,7 @@ func (m *ClientManager) Authenticate(creds oidc.ClientCredentials) (bool, error)
dec, err := base64.URLEncoding.DecodeString(creds.Secret)
if err != nil {
- log.Errorf("error Decoding client creds: %v", err)
- return false, nil
+ dec = []byte(creds.Secret)
}
ok := CompareHashAndPassword(clientSecret, dec) == nil
|
Ah yeah I see. #337 tracks that problem. This is because dex's db code always assumed that secrets would be base64 encoded, and when we switched to SQLite for our in-memory storage we ran up against this assumption. It's a pain in the ass, but I don't thing there's a good solution that'll be backward compatible with existing databases. |
Why not use the approach I showed? You make the assumption it is base64 encoded and if it fails to decode, you treat it as if it's not? Then it's backward compatible. I'm unfamiliar with the bigger issue so this might not be ideal but it seems pretty safe based on what little I know. Good news is I can completely test the UAA connector, successfully might I add. I'm super excited. |
Because of data already in the database. You can't do the same logic when you're pulling values out of the database. How would you know if those should be base64 encoded or not? |
Well, you can't. So you attempt to base64 decode and if that fails, you just treat the value as an unencoded string. I'm not sure of any other alternative. The diff above shows how you could do this, and it does work but I'm not sure of the ramifications of doing this in dex officially. |
ServerURL string `json:"serverURL"` | ||
} | ||
|
||
// standard error form returned by github |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
github?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My bad, I thought I fixed that. I already told you I used github as the basis for this work. ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed both occurrences.
This commit adds support for dex to authenticate users from a CloudFoundry User Account and Authentication (UAA) Server. Fixes: #538
Couple notes. Run the dex-work with the following flags
Also the base64 errors are because the example-app is using a bad client secret. It doesn't have anything to do with the connector. Use the one registered in the static fixtures instead ("ZXhhbXBsZS1hcHAtc2VjcmV0").
|
if err := json.NewDecoder(resp.Body).Decode(&user); err != nil { | ||
return oidc.Identity{}, fmt.Errorf("getting user info: %v", err) | ||
} | ||
name := user.Name |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For some reason this is always the empty string. Any idea why this is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's just the way the test data for UAA is created. When I test against a live server, name
is populated as expected. You can hit the /uaa/userinfo
API directly to see if name
is set or not but I don't think it is based on the UAA docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wrong. Below is the response from /uaa/userinfo
for marissa
:
{
"user_id":"d9b8dfd8-c420-4243-8b86-d957ef25f97c",
"user_name":"marissa",
"given_name":"Marissa",
"family_name":"Bloggs",
"email":"marissa@test.org",
"phone_number":null,
"name":"Marissa Bloggs"
}
I'll see what is up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can verify that the Name
is being parsed properly and given to oidc.Identity
. Still digging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the example-app UI is suggesting that connector/connector_uaa.go#L118
is ""
but it's not. When we create the oidc.Identity
, the name is properly set to Marissa Bloggs
. It seems that when the example-application creates the claims object which gets rendered, it isn't finding this. I'll keep digging but the UAA Connector itself is working properly at the line you referenced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing to note is that the example-app isn't printing out the details of the oidc.Identity
created by the connector but is instead printing out the details of the OAuth2 token provided by the provider.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I asked the team working on UAA and they said name
is not a standard field: https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4.1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's an openid connect thing https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
Not a blocker, just wondering.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right but that is for the /uaa/userinfo
response and the name
is set there. The oidc.Identity
object that we craft as a result of calling the UserInfo endpoint does have Name
set properly. If you debug the line you pointed to, you'll see this is the case.
What I'm saying is that the JWT token you're inspecting in the example-app is an OAuth2 token and name
is not a standard field for that response.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was fixed by #537
Gotcha. So the base64 issue was because of busted docs. |
@whitlockjc yes. I'll update those docs. |
lgtm. going to merge unless there are any objections. |
WOOHOO!!! |
This commit adds support for dex to authenticate users from a
CloudFoundry User Account and Authentication (UAA) Server.
Fixes: #538