AWSOIDC: Compute Proxy's Endpoint for issuing a token

api/client/client.go

@@ -4181,10 +4181,8 @@ func (c *Client) DeleteAllIntegrations(ctx context.Context) error {
 }
 
 // GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
-func (c *Client) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error) {
-	resp, err := c.integrationsClient().GenerateAWSOIDCToken(ctx, &integrationpb.GenerateAWSOIDCTokenRequest{
-		Issuer: req.Issuer,
-	})
+func (c *Client) GenerateAWSOIDCToken(ctx context.Context) (string, error) {
+	resp, err := c.integrationsClient().GenerateAWSOIDCToken(ctx, &integrationpb.GenerateAWSOIDCTokenRequest{})
 	if err != nil {
 		return "", trace.Wrap(err)
 	}

api/proto/teleport/integration/v1/integration_service.proto

@@ -95,7 +95,9 @@ message DeleteAllIntegrationsRequest {}
 message GenerateAWSOIDCTokenRequest {
   // Issuer is the entity that is signing the JWT.
   // This value must contain the AWS OIDC Integration configured provider (Teleport Proxy's Public URL)
-  string issuer = 1;
+  //
+  // Deprecated: Ignored because value is calculated server side.
+  string issuer = 1 [deprecated = true];
 }
 
 // GenerateAWSOIDCTokenResponse contains a signed AWS OIDC Integration token.

api/types/integration_awsoidc.go

@@ -15,8 +15,6 @@ limitations under the License.
 
 package types
 
-import "github.com/gravitational/trace"
-
 const (
 	// IntegrationAWSOIDCAudience is the client id used to generate the JWT.
 	// This value must match the Audience defined in the IAM Identity Provider of the Integration.
@@ -30,19 +28,3 @@ const (
 	// token as the Teleport Auth service.
 	IntegrationAWSOIDCSubjectAuth = "system:auth"
 )
-
-// GenerateAWSOIDCTokenRequest are the parameters used to request an AWS OIDC Integration token.
-type GenerateAWSOIDCTokenRequest struct {
-	// Issuer is the entity that is signing the JWT.
-	// This value must contain the AWS OIDC Integration configured provider (Proxy's Public URL).
-	Issuer string `json:"issuer"`
-}
-
-// CheckAndSetDefaults checks if the required fields are present.
-func (req *GenerateAWSOIDCTokenRequest) CheckAndSetDefaults() error {
-	if req.Issuer == "" {
-		return trace.BadParameter("issuer is required")
-	}
-
-	return nil
-}

lib/auth/api.go

@@ -754,7 +754,7 @@ type DiscoveryAccessPoint interface {
 	SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventRequest) error
 
 	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
-	GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
+	GenerateAWSOIDCToken(ctx context.Context) (string, error)
 }
 
 // ReadOktaAccessPoint is a read only API interface to be
@@ -1312,8 +1312,8 @@ func (w *DiscoveryWrapper) SubmitUsageEvent(ctx context.Context, req *proto.Subm
 }
 
 // GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
-func (w *DiscoveryWrapper) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error) {
-	return w.NoCache.GenerateAWSOIDCToken(ctx, req)
+func (w *DiscoveryWrapper) GenerateAWSOIDCToken(ctx context.Context) (string, error) {
+	return w.NoCache.GenerateAWSOIDCToken(ctx)
 }
 
 // Close closes all associated resources

lib/auth/auth.go

@@ -545,8 +545,8 @@ func (r *Services) GetWebToken(ctx context.Context, req types.GetWebTokenRequest
 }
 
 // GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
-func (r *Services) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error) {
-	return r.IntegrationsTokenGenerator.GenerateAWSOIDCToken(ctx, req)
+func (r *Services) GenerateAWSOIDCToken(ctx context.Context) (string, error) {
+	return r.IntegrationsTokenGenerator.GenerateAWSOIDCToken(ctx)
 }
 
 // OktaClient returns the okta client.

lib/auth/auth_with_roles.go

@@ -279,7 +279,7 @@ func (a *ServerWithRoles) integrationsService() (*integrationv1.Service, error)
 		Authorizer: authz.AuthorizerFunc(func(context.Context) (*authz.Context, error) {
 			return &a.context, nil
 		}),
-		Cache:   a.authServer.Cache,
+		Cache:   a.authServer,
 		Backend: a.authServer.Services,
 	})
 	if err != nil {
@@ -388,19 +388,13 @@ func (a *ServerWithRoles) DeleteIntegration(ctx context.Context, name string) er
 }
 
 // GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
-func (a *ServerWithRoles) GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error) {
+func (a *ServerWithRoles) GenerateAWSOIDCToken(ctx context.Context) (string, error) {
 	igSvc, err := a.integrationsService()
 	if err != nil {
 		return "", trace.Wrap(err)
 	}
 
-	if err := req.CheckAndSetDefaults(); err != nil {
-		return "", trace.Wrap(err)
-	}
-
-	resp, err := igSvc.GenerateAWSOIDCToken(ctx, &integrationpb.GenerateAWSOIDCTokenRequest{
-		Issuer: req.Issuer,
-	})
+	resp, err := igSvc.GenerateAWSOIDCToken(ctx, &integrationpb.GenerateAWSOIDCTokenRequest{})
 	if err != nil {
 		return "", trace.Wrap(err)
 	}

lib/auth/clt.go

@@ -878,7 +878,7 @@ type ClientI interface {
 	GetWebToken(ctx context.Context, req types.GetWebTokenRequest) (types.WebToken, error)
 
 	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
-	GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
+	GenerateAWSOIDCToken(ctx context.Context) (string, error)
 
 	// ResetAuthPreference resets cluster auth preference to defaults.
 	ResetAuthPreference(ctx context.Context) error

lib/auth/grpcserver.go

@@ -5735,11 +5735,11 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) {
 	oktapb.RegisterOktaServiceServer(server, oktaServiceServer)
 
 	integrationServiceServer, err := integrationService.NewService(&integrationService.ServiceConfig{
-		Authorizer: cfg.Authorizer,
-		Backend:    cfg.AuthServer.Services,
-		Cache:      cfg.AuthServer.Cache,
-		Clock:      cfg.AuthServer.clock,
-		CAGetter:   cfg.AuthServer,
+		Authorizer:      cfg.Authorizer,
+		Backend:         cfg.AuthServer.Services,
+		Cache:           cfg.AuthServer.Cache,
+		KeyStoreManager: cfg.AuthServer.GetKeyStore(),
+		Clock:           cfg.AuthServer.clock,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)