-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Thumbprint L2 Construct for use with IAM OIDC Provider #512
Comments
I have implemented the approach mentioned in this issue as the Thumbprint construct. https://github.com/hassaku63/cdk-oidc-provider-thumbprint-construct Does this implementation meet the ideas of the RFC? I am somewhat skeptical about the idea of expressing "Thumbprint" as a standalone CDK Construct. |
@hassaku63 I’ll take a look at your implementation. Would love to get thoughts from any CDK maintainers on whether Thumbprint is a good idea. |
@douglasnaphas Thank you for your comment. yeah me too. I'd like to hear others thoughts. I have started working on the implementation to resolve this issue. I am also considering other necessary changes such as Feature Flags. Once the design for the Thumbprint is decided, I plan to propose my implementation to the CDK repository, provided everything goes as expected. |
Closing this ticket. We believe the functionality is beneficial, but does not intersect with the core framework and should be vended and maintained separately. |
Description
There is an L2 Construct for an OIDC Provider.
It uses a Custom Resource to (1) fetch the server thumbprint from the identity provider (IdP) from the IdP's X.509 Certificate, while doing some validation on the Certificate, if no thumbprint is provided, and (2) create/update/delete the OIDC Provider resource using SDK calls.
Since there is now a Cfn resource for an OIDC Provider, this proposal is to break out the logic for fetching the thumbprint into a new Thumbprint L2 Construct, separate from the OIDC Provider.
The Thumbprint would consist of a Custom Resource with much of the same logic currently in the OIDC Provider L2 Construct.
The intent would be for applications to use the Thumbprint to validate the IdP's X.509 Certificate and fetch the thumbprint, and to use the OIDC Provider Cfn resource to instantiate the OIDC Provider. Alternatively, applications could use the Thumbprint Construct as just described, but use an updated feature-flagged version of the OIDC Provider L2 Construct that accepts a Thumbprint as a prop.
This relates to aws/aws-cdk#21197, a request for the OIDC Provider L2 Construct to use the OIDC Provider Cfn resource.
Roles
Workflow
status/proposed
)status/review
)api-approved
applied to pull request)status/final-comments-period
)status/approved
)status/planning
)status/implementing
)status/done
)The text was updated successfully, but these errors were encountered: