Merge pull request #156 from smallstep/okta-support

Address support on OIDC provisioners
smallstep · Sep 20, 2019 · 66f7b45 · 66f7b45
2 parents 6b2c852 + ba40ce0
commit 66f7b45
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 9 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
@@ -132,7 +132,7 @@ func init() {
 			},
 			cli.StringFlag{
 				Name:  "listen",
-				Usage: "Callback listener URL",
+				Usage: "Callback listener <address> (e.g. \":10000\")",
 			},
 			cli.BoolFlag{
 				Name:   "implicit",
@@ -292,6 +292,11 @@ func (o *options) Validate() error {
 	if o.Provider != "google" && !strings.HasPrefix(o.Provider, "https://") {
 		return errors.New("use a valid provider: google")
 	}
+	if o.CallbackListener != "" {
+		if _, _, err := net.SplitHostPort(o.CallbackListener); err != nil {
+			return errors.Wrapf(err, "invalid value '%s' for flag '--listen'", o.CallbackListener)
+		}
+	}
 	return nil
 }
 
@@ -419,7 +424,14 @@ func (o *oauth) NewServer() (*httptest.Server, error) {
 	if o.CallbackListener == "" {
 		return httptest.NewServer(o), nil
 	}
-	l, err := net.Listen("tcp", o.CallbackListener)
+	host, port, err := net.SplitHostPort(o.CallbackListener)
+	if err != nil {
+		return nil, err
+	}
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	l, err := net.Listen("tcp", net.JoinHostPort(host, port))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error listening on %s", o.CallbackListener)
 	}

diff --git a/token/parse.go b/token/parse.go
@@ -47,7 +47,7 @@ type Payload struct {
 	IdentityProvider string            `json:"idp"`
 	ObjectID         string            `json:"oid"`
 	TenantID         string            `json:"tid"`
-	Version          string            `json:"ver"`
+	Version          interface{}       `json:"ver"`
 	XMSMirID         string            `json:"xms_mirid"`
 	Google           *GCPGooglePayload `json:"google"` // GCP token claims
 	Amazon           *AWSAmazonPayload `json:"amazon"` // AWS token claims

diff --git a/utils/cautils/offline.go b/utils/cautils/offline.go
@@ -266,10 +266,16 @@ func (c *OfflineCA) GenerateToken(ctx *cli.Context, typ int, subject string, san
 
 	switch p := p.(type) {
 	case *provisioner.OIDC: // Run step oauth
-		var out []byte
-		out, err = exec.Step("oauth", "--oidc", "--bare",
+		args := []string{"oauth", "--oidc", "--bare",
 			"--provider", p.ConfigurationEndpoint,
-			"--client-id", p.ClientID, "--client-secret", p.ClientSecret)
+			"--client-id", p.ClientID, "--client-secret", p.ClientSecret}
+		if ctx.Bool("console") {
+			args = append(args, "--console")
+		}
+		if p.ListenAddress != "" {
+			args = append(args, "--listen", p.ListenAddress)
+		}
+		out, err := exec.Step(args...)
 		if err != nil {
 			return "", err
 		}

diff --git a/utils/cautils/token_flow.go b/utils/cautils/token_flow.go
@@ -99,9 +99,12 @@ func NewTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, caUR
 		args := []string{"oauth", "--oidc", "--bare",
 			"--provider", p.ConfigurationEndpoint,
 			"--client-id", p.ClientID, "--client-secret", p.ClientSecret}
-		if ctx.IsSet("console") {
+		if ctx.Bool("console") {
 			args = append(args, "--console")
 		}
+		if p.ListenAddress != "" {
+			args = append(args, "--listen", p.ListenAddress)
+		}
 		out, err := exec.Step(args...)
 		if err != nil {
 			return "", err