scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

identity/oidc: fixes validation of the request and request_uri parameters (#16600)

Browse Source 
* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
This commit is contained in:
Austin Gebauer
2022-08-05 11:55:15 -07:00
committed by GitHub
parent c71df04f3d
commit b21d79f649
6 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/16600.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
identity/oidc: Fixes validation of the `request` and `request_uri` parameters.
```

4
ui/app/controllers/vault/cluster/oidc-provider.js
View File

@@ -13,6 +13,8 @@ export default class VaultClusterOidcProviderController extends Controller {
'max_age',
'code_challenge',
'code_challenge_method',
'request',
'request_uri',
];
scope = null;
response_type = null;
@@ -25,4 +27,6 @@ export default class VaultClusterOidcProviderController extends Controller {
max_age = null;
code_challenge = null;
code_challenge_method = null;
request = null;
request_uri = null;
}

2
vault/identity_store_oidc_provider.go
View File

@@ -154,6 +154,7 @@ type providerDiscovery struct {
AuthorizationEndpoint string `json:"authorization_endpoint"`
TokenEndpoint string `json:"token_endpoint"`
UserinfoEndpoint string `json:"userinfo_endpoint"`
RequestParameter bool `json:"request_parameter_supported"`
RequestURIParameter bool `json:"request_uri_parameter_supported"`
IDTokenAlgs []string `json:"id_token_signing_alg_values_supported"`
ResponseTypes []string `json:"response_types_supported"`
@@ -1473,6 +1474,7 @@ func (i *IdentityStore) pathOIDCProviderDiscovery(ctx context.Context, req *logi
UserinfoEndpoint: p.effectiveIssuer + "/userinfo",
IDTokenAlgs: supportedAlgs,
Scopes: scopes,
RequestParameter: false,
RequestURIParameter: false,
ResponseTypes: []string{"code"},
Subjects: []string{"public"},

2
vault/identity_store_oidc_provider_test.go
View File

@@ -3614,6 +3614,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
UserinfoEndpoint: basePath + "/userinfo",
GrantTypes: []string{"authorization_code"},
AuthMethods: []string{"none", "client_secret_basic"},
RequestParameter: false,
RequestURIParameter: false,
}
discoveryResp := &providerDiscovery{}
@@ -3668,6 +3669,7 @@ func TestOIDC_Path_OpenIDProviderConfig(t *testing.T) {
UserinfoEndpoint: basePath + "/userinfo",
GrantTypes: []string{"authorization_code"},
AuthMethods: []string{"none", "client_secret_basic"},
RequestParameter: false,
RequestURIParameter: false,
}
discoveryResp = &providerDiscovery{}

1
website/content/api-docs/secret/identity/oidc-provider.mdx
View File

@@ -577,6 +577,7 @@ $ curl \
"authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize",
"token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token",
"userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo",
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"id_token_signing_alg_values_supported": [
"RS256",

1
website/content/docs/secrets/identity/oidc-provider.mdx
View File

@@ -100,6 +100,7 @@ Any Vault auth method may be used within the OIDC flow. For simplicity, enable t
"authorization_endpoint": "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/default/authorize",
"token_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/token",
"userinfo_endpoint": "http://127.0.0.1:8200/v1/identity/oidc/provider/default/userinfo",
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"id_token_signing_alg_values_supported": [
"RS256",