Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC: Add additional scopes #14888

Closed
wants to merge 15 commits into from
Closed

OIDC: Add additional scopes #14888

wants to merge 15 commits into from

Conversation

markylaing
Copy link
Contributor

@markylaing markylaing commented Jan 30, 2025
edited
Loading

Adds an oidc.additional_scopes configuration key which defaults to profile,offline_access.
Removes the oidc.groups.claim value from requested scopes.

Things I'm not sure on:

  • Using a comma to delimit the scope values. Identity providers appear to be quite freeform. It might be better to accept this as a space delimited as in Auth: Make OIDC scopes configurable #14832 (as the author originally suggested) to avoid issues with splitting on the comma.
  • Backwards and forwards compatibility. New clients talking to old servers will not request the configured scopes. Old clients talking to new servers will continue to request the groups claim, but will continue to request the profile and offline_access scopes.

Requires #14871
Closes #14141

@markylaing markylaing added the Bug Confirmed to be a bug label Jan 30, 2025
@markylaing markylaing self-assigned this Jan 30, 2025
@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Jan 30, 2025
@markylaing markylaing requested a review from tomponline January 30, 2025 10:51
@markylaing markylaing mentioned this pull request Jan 30, 2025
Closed
@tomponline
Copy link
Member

Can be rebased now to remove linter commit

minaelee
minaelee requested changes Jan 30, 2025
View reviewed changes
doc/api-extensions.md Outdated Show resolved Hide resolved
doc/api-extensions.md Outdated Show resolved Hide resolved
BarcoMasile
BarcoMasile reviewed Jan 31, 2025
View reviewed changes
lxd/auth/oidc/oidc.go Show resolved Hide resolved
lxd/cluster/config/config.go Outdated Show resolved Hide resolved
lxd/auth/oidc/oidc.go Outdated Show resolved Hide resolved
@tomponline tomponline mentioned this pull request Jan 31, 2025
Closed
@markylaing markylaing force-pushed the oidc-additional-scopes branch from d7a900a to 143993a Compare February 5, 2025 10:30
@markylaing
Copy link
Contributor Author

@tomponline this is ready for review

minaelee
minaelee reviewed Feb 5, 2025
View reviewed changes
lxd/cluster/config/config.go Outdated

// lxdmeta:generate(entities=server; group=oidc; key=oidc.additional_scopes)
// Specify additional scopes to be requested when performing OIDC flows.
// Additional scopes might be required if managing access control in the Identity Provider (see {ref}`identity-provider-groups`).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Additional scopes might be required if managing access control in the Identity Provider (see {ref}`identity-provider-groups`).
// Additional scopes might be required if managing access control in the Identity Provider (see: {ref}`identity-provider-groups`).

lxd/cluster/config/config.go Outdated
// Additional scopes might be required if managing access control in the Identity Provider (see {ref}`identity-provider-groups`).
// The default value for this configuration option contains two scopes which are optional, but will degrade LXD OIDC functionality if removed.
// These are:
// - `profile`: This is requested by LXD to present display names for the identification of end users. If it is removed, only email addresses will be displayed.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// - `profile`: This is requested by LXD to present display names for the identification of end users. If it is removed, only email addresses will be displayed.
// - `profile`: This is requested by LXD to present display names for the identification of end users. If it is removed, only email addresses are displayed.

@markylaing
api: Add oidc_additional_scopes API extension.
807d2a9 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/cluster/config: Add oidc.additional_scopes config key.
44a8508 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/cluster/config: Update groups claim description.
5717e8d 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
doc: Run make update-metadata.
0d4c36f 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/auth/oidc: Set Opts as a field on the Verifier.
93ba1f4 
There will be more additional optional configuration with the addition
of `oidc.additional_scopes` so it makes sense to keep them together.

This also simplifies the `NewVerifier` function.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/auth/oidc: Add AdditionalScopes to Opts.
3c3539a 
Additionally, defined `requiredScopes` as the scopes that are always
requested.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/auth/oidc: Return nil if getting IdP groups fails.
05d5699 
Previously just logging a warning here but we should return as well
to avoid a nil pointer exception.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/auth/oidc: Set additional scopes when getting the relying party.
1f8fdf6 
Additionally, stop setting the groups claim as a scope.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/auth/oidc: Send additional scopes as a header to the client.
f4952ff 
The additional scopes are marshalled as JSON.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/cluster/config: Return additional scopes from `(*Config).OIDCServ…
c7c10dd 
…er`.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Update calls to (*Config).OIDCServer and oidc.NewVerifier.
5e6b382 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Consider OIDC config to have changed if oidc.additional_scopes
08a7ade 
… is updated.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
client: Update client to use additional scopes.
be621e3 
This changes the following:
- Stops using the value of `X-LXD-OIDC-groups-claim` as a scope.
- Stops requesting `offline_access` and `profile` by default.
- Gets additional scopes by unmarshalling the value of
  `X-LXD-OIDC-additional-scopes`.

If an old client connects to a new LXD server, they will continue to
request `offline_access` and `profile` scopes by default, but will not
request any additional scopes. Nor will they receive the groups claim
header.

If a new client connects to an old server, they will only request the
`openid` and `email` scopes. This is sufficient for logging in in most
cases.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Add patch moving oidc.groups.claim to oidc.additional_scopes.
450c25a 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Fix lint error (staticcheck).
4a082dd 
Signed-off-by: Mark Laing <[email protected]>
@markylaing markylaing force-pushed the oidc-additional-scopes branch from 143993a to 4a082dd Compare February 6, 2025 17:48
@markylaing
Copy link
Contributor Author

Discussed with Tom that this needs extra work. If both profile and offline_access scopes are removed, LXD will continue to use them as the default values.

@markylaing markylaing marked this pull request as draft February 6, 2025 17:49
@tomponline
Copy link
Member

@markylaing shall we close this for now?

@markylaing
Copy link
Contributor Author

@markylaing shall we close this for now?

I don't think so. Making this configurable is useful for @ech0-de (for Gitlab OIDC) and as far as I know the only contentious thing is how to unset both profile and offline_access scopes.

How about we introduce two keys?

  • oidc.scopes.additional: No default. Can be used to set additional scopes if required for retrieving group info, or if the OIDC provider requires any additional scopes (I've seen Entra ID use a user.read scope for example). Validation logic will not allow setting an additional scope that is present in oidc.scopes.omit.
  • oidc.scopes.omit: No default. Can be used to omit the profile and/or offline_access scopes. Validation logic will prevent setting openid, email, or any scopes present in oidc.scopes.additional.

That said, I guess another point of contention I have with our OIDC implementation is the use of headers to send e.g. the issuer URL to the LXD client. I think these values should be returned via /1.0 and this PR adds yet another header.

@markylaing
Copy link
Contributor Author

@markylaing shall we close this for now?

I don't think so. Making this configurable is useful for @ech0-de (for Gitlab OIDC) and as far as I know the only contentious thing is how to unset both profile and offline_access scopes.

How about we introduce two keys?

  • oidc.scopes.additional: No default. Can be used to set additional scopes if required for retrieving group info, or if the OIDC provider requires any additional scopes (I've seen Entra ID use a user.read scope for example). Validation logic will not allow setting an additional scope that is present in oidc.scopes.omit.
  • oidc.scopes.omit: No default. Can be used to omit the profile and/or offline_access scopes. Validation logic will prevent setting openid, email, or any scopes present in oidc.scopes.additional.

That said, I guess another point of contention I have with our OIDC implementation is the use of headers to send e.g. the issuer URL to the LXD client. I think these values should be returned via /1.0 and this PR adds yet another header.

I don't like this idea either. We can just have oidc.scopes and validation that requires openid and email be included.

@markylaing markylaing mentioned this pull request Feb 7, 2025
Open
@markylaing
Copy link
Contributor Author

Closing in favour of #14935.

@markylaing markylaing closed this Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@minaelee minaelee minaelee requested changes

@tomponline tomponline Awaiting requested review from tomponline

@BarcoMasile BarcoMasile Awaiting requested review from BarcoMasile

Assignees

@markylaing markylaing

Labels
API Changes to the REST API Bug Confirmed to be a bug Documentation Documentation needs updating
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OIDC - oidc.groups.claim is added as additional scope which breaks Microsoft Entra integration
4 participants
@markylaing @tomponline @minaelee @BarcoMasile