Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Thumbprint L2 Construct for use with IAM OIDC Provider #512

Closed
1 of 11 tasks
douglasnaphas opened this issue Jun 19, 2023 · 4 comments
Closed
1 of 11 tasks

Thumbprint L2 Construct for use with IAM OIDC Provider #512

douglasnaphas opened this issue Jun 19, 2023 · 4 comments
Labels

Comments

@douglasnaphas
Copy link

Description

There is an L2 Construct for an OIDC Provider.

It uses a Custom Resource to (1) fetch the server thumbprint from the identity provider (IdP) from the IdP's X.509 Certificate, while doing some validation on the Certificate, if no thumbprint is provided, and (2) create/update/delete the OIDC Provider resource using SDK calls.

Since there is now a Cfn resource for an OIDC Provider, this proposal is to break out the logic for fetching the thumbprint into a new Thumbprint L2 Construct, separate from the OIDC Provider.

The Thumbprint would consist of a Custom Resource with much of the same logic currently in the OIDC Provider L2 Construct.

The intent would be for applications to use the Thumbprint to validate the IdP's X.509 Certificate and fetch the thumbprint, and to use the OIDC Provider Cfn resource to instantiate the OIDC Provider. Alternatively, applications could use the Thumbprint Construct as just described, but use an updated feature-flagged version of the OIDC Provider L2 Construct that accepts a Thumbprint as a prop.

This relates to aws/aws-cdk#21197, a request for the OIDC Provider L2 Construct to use the OIDC Provider Cfn resource.

Roles

Role User
Proposed by @douglasnaphas
Author(s) @alias, @alias, @alias
API Bar Raiser @alias
Stakeholders @alias, @alias, @alias

See RFC Process for details

Workflow

  • Tracking issue created (label: status/proposed)
  • API bar raiser assigned (ping us at #aws-cdk-rfcs if needed)
  • Kick off meeting
  • RFC pull request submitted (label: status/review)
  • Community reach out (via Slack and/or Twitter)
  • API signed-off (label api-approved applied to pull request)
  • Final comments period (label: status/final-comments-period)
  • Approved and merged (label: status/approved)
  • Execution plan submitted (label: status/planning)
  • Plan approved and merged (label: status/implementing)
  • Implementation complete (label: status/done)

Author is responsible to progress the RFC according to this checklist, and
apply the relevant labels to this issue so that the RFC table in README gets
updated.

@hassaku63
Copy link

I have implemented the approach mentioned in this issue as the Thumbprint construct.

https://github.com/hassaku63/cdk-oidc-provider-thumbprint-construct

Does this implementation meet the ideas of the RFC?

I am somewhat skeptical about the idea of expressing "Thumbprint" as a standalone CDK Construct.
What issues arise if we make it so that the thumbprint is directly obtained in the new version of the OIDCProvider L2 Construct (rather than through Thumbprint construct)? For example would there be problems with jsii compatibility?

@douglasnaphas
Copy link
Author

@hassaku63 I’ll take a look at your implementation. Would love to get thoughts from any CDK maintainers on whether Thumbprint is a good idea.

@hassaku63
Copy link

hassaku63 commented Jul 18, 2023

@douglasnaphas Thank you for your comment. yeah me too. I'd like to hear others thoughts.

I have started working on the implementation to resolve this issue.

I am also considering other necessary changes such as Feature Flags. Once the design for the Thumbprint is decided, I plan to propose my implementation to the CDK repository, provided everything goes as expected.

@evgenyka evgenyka added l2-request request for new L2 construct bar-raiser/needed labels Aug 10, 2023
@awsmjs
Copy link
Contributor

awsmjs commented Dec 14, 2023

Closing this ticket. We believe the functionality is beneficial, but does not intersect with the core framework and should be vended and maintained separately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants