forward basic auth to OpenID connect token authentication endpoint #2095

Merged
merged 1 commit into from
Jul 26, 2021

@butonic butonic commented May 28, 2021

fixes #2094

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

Coverage: 0.0%
Duplication: 0.0%

// The token auth endpoint uses basic auth for clients, see https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest
// > The Client MUST authenticate to the Token Endpoint using the HTTP Basic method, as described in 2.3.1 of OAuth 2.0.
func (m basicAuth) isOIDCTokenAuth(req *http.Request) bool {
return req.URL.Path == "/konnect/v1/token"
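
Review bot: isOIDCTokenAuth decides solely on an exact comparison of req.URL.Path with the literal "/konnect/v1/token", so the set of requests whose basic auth is forwarded depends on one inline string and does not consider the HTTP method. Consider moving the route into a named constant next to a short comment saying it is konnectd's token route, and also requiring req.Method == http.MethodPost, since OAuth 2.0 token requests are POST. A unit test that covers the exact path plus near misses such as "/konnect/v1/token/" and "/konnect/v1/tokens" would pin down that only the intended endpoint matches.
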
Contributor

This is now hard-coded for konnectd. What about other IDPs?

Member Author

Other IdPs won't be hidden behind our proxy.

Contributor

I see. Then it should be ok, I guess.

Contributor

@C0rby C0rby left a comment

Regarding the failing tests. Maybe rebasing will help?

@butonic
Member Author

butonic commented Jul 7, 2021

needs rebase

@butonic butonic force-pushed the oidc-token-basic-auth branch from c962d58 to c3951d6 Compare July 26, 2021 11:12
@butonic butonic merged commit 968c9b7 into master Jul 26, 2021
@delete-merged-branch delete-merged-branch bot deleted the oidc-token-basic-auth branch July 26, 2021 13:21
ownclouders pushed a commit that referenced this pull request Jul 26, 2021
Merge: d6a3da5 c3951d6
Author: Jörn Friedrich Dreyer <[email protected]>
Date:   Mon Jul 26 15:20:57 2021 +0200

    Merge pull request #2095 from owncloud/oidc-token-basic-auth

    forward basic auth to OpenID connect token authentication endpoint
Successfully merging this pull request may close these issues.

allowing basic auth breaks oidc login for the client