Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oid_introspection: add SetOIDCClaims #3311

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

oid_introspection: add SetOIDCClaims #3311

wants to merge 2 commits into from

Conversation

haveo
Copy link
Contributor

@haveo haveo commented Nov 15, 2024

This method allows third-party filters to set the oidcClaimsCacheKey which enables the use of the oidcClaimsQuery filter.

Closes #3139

oid_introspection: add MakeTokenContainer
c893a51 
This method allows third-party filters to set the oidcClaimsCacheKey
which enables the use of the oidcClaimsQuery filter.

Signed-off-by: Adrien Surée <adrien.suree@zalando.de>
AlexanderYastrebov
AlexanderYastrebov reviewed Nov 15, 2024
View reviewed changes
filters/auth/oidc_introspection.go Outdated
@@ -42,6 +42,12 @@ func NewOIDCQueryClaimsFilter() filters.Spec {
}
}

func MakeTokenContainer(h map[string]interface{}) tokenContainer {
Copy link
Member

@AlexanderYastrebov AlexanderYastrebov Nov 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its an exported method that returns non-exported type - not good.

The original issue was:

However, when working with a third-party filter, it is not possible to create a tokenContainer value because this type is private to the filters/auth package. Therefore it is not possible to set the OIDC claims cache key to a value that would be accepted by oidcClaimsQuery, since the filter expects a value of type tokenContainer to be stored there.
This prevents the reuse of oidcClaimsQuery when the authentication is done in a third-party filter.

and proposed solution:

A function should be exported that sets the OIDC claims cache key (given a map[string]interface{} claims value).

But this change does not implement the proposal - user of MakeTokenContainer still needs to rely on a known value of statebag key.

I think the proper change should provide an utility to store token container into statebag, it should be documented and existing code should be changed to use it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, I remembered incorrectly what I was supposed to implement. I'll change it to what was proposed in the issue.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"existing code should be changed to use it" do you mean the auth filters in skipper that store the token container in the statebag should use this new method? They wouldn't be able to do that with the proposed interface since they store more than just claims. But on the other hand it doesn't seem like any field other than claims is used when reading from the statebag.

@haveo haveo changed the title oid_introspection: add MakeTokenContainer oid_introspection: add SetOIDCClaims Nov 18, 2024
Replace MakeContainer by SetOIDCClaims
4f4de08 
Signed-off-by: Adrien Surée <adrien.suree@zalando.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexanderYastrebov AlexanderYastrebov AlexanderYastrebov left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow third-party filters to set the state for oidcClaimsQuery
2 participants
@haveo @AlexanderYastrebov