Azure DevOps token source and validator by strideynet · Pull Request #54667 · gravitational/teleport

strideynet · 2025-05-09T13:41:06Z

Depends on #54658

Introduces core implementation for the token source and for the token validator, as well as workload id join attrs.

No backport labels or changelog as all stacked PRs will be backported together.

rosstimothy · 2025-05-09T13:43:48Z

+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"


All my bonusly points if you use zitadel/oidc/v3 instead !!

Done - I've omitted caching JWKS across joins for now since I figure it'll make more sense to put that in once more than 1 join method uses the new zitadel package.

rosstimothy · 2025-05-13T12:02:25Z

 	github.com/ghodss/yaml v1.0.0
 	github.com/go-git/go-git/v5 v5.16.0
 	github.com/go-jose/go-jose/v3 v3.0.4
+	github.com/go-jose/go-jose/v4 v4.0.5


Should we be thinking about moving all uses of go-jose/v3 to go-jose/v4?

I used go-jose v4 in the tests here since that is what was being used indirectly by the Zitadel OIDC package.

As for if we ought to migrate more fully - it looks like v4 mostly included breaking changes to make it harder to footgun common JWT vulnerabilities (https://github.com/go-jose/go-jose/releases/tag/v4.0.0) - most of these should be pretty easy to adopt. I don't think there's any rush though since they seem to be still releasing new patches for v3.

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Initial impl of token source * Add initial token validator implementation * add join attrs for azure devops * Switch to Zitadel OIDC * Embed zoidc.TokenClaims into main IDTokenClaims struct * Add notes on caching * Expand concept of token validator * Start hacking on test suite * JoinAttrs method * Fix TestIDTokenValidator_Validate suite * Update OIDC doc to match real one * Add TestIDTokenSource * go mod tidy * rearrange go.mod * fix query params * RepositoryReference -> RepositoryRef * Switch to azuredevops * Adjust struct init * Update lib/azuredevops/token_validator.go Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Azure DevOps token source and validator (#54667) * Initial impl of token source * Add initial token validator implementation * add join attrs for azure devops * Switch to Zitadel OIDC * Embed zoidc.TokenClaims into main IDTokenClaims struct * Add notes on caching * Expand concept of token validator * Start hacking on test suite * JoinAttrs method * Fix TestIDTokenValidator_Validate suite * Update OIDC doc to match real one * Add TestIDTokenSource * go mod tidy * rearrange go.mod * fix query params * RepositoryReference -> RepositoryRef * Switch to azuredevops * Adjust struct init * Update lib/azuredevops/token_validator.go Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * go mod tidy --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

rosstimothy reviewed May 9, 2025

View reviewed changes

strideynet added the do-not-merge label May 12, 2025

strideynet marked this pull request as ready for review May 12, 2025 13:03

strideynet requested review from boxofrad and timothyb89 May 12, 2025 13:03

github-actions bot added the size/lg label May 12, 2025

github-actions bot requested review from rudream and ryanclark May 12, 2025 13:04

strideynet added the no-changelog Indicates that a PR does not require a changelog entry label May 12, 2025

strideynet mentioned this pull request May 12, 2025

Azure DevOps join implementation #54729

Merged

timothyb89 approved these changes May 13, 2025

View reviewed changes

timothyb89 reviewed May 13, 2025

View reviewed changes

Comment thread lib/azuredevops/azuredevops.go Outdated

boxofrad approved these changes May 13, 2025

View reviewed changes

Comment thread lib/azuredevops/token_validator.go Outdated

strideynet force-pushed the strideynet/azure-devops-protos-validation branch from a8e1d45 to 7972945 Compare May 13, 2025 12:03

rosstimothy reviewed May 13, 2025

View reviewed changes

Base automatically changed from strideynet/azure-devops-protos-validation to master May 13, 2025 12:45

strideynet added 14 commits May 13, 2025 13:49

Initial impl of token source

2a7082c

Add initial token validator implementation

53aa49b

add join attrs for azure devops

153af66

Switch to Zitadel OIDC

06df84e

Embed zoidc.TokenClaims into main IDTokenClaims struct

61f07d4

Add notes on caching

2928832

Expand concept of token validator

92378ab

Start hacking on test suite

f4cae2d

JoinAttrs method

7e49082

Fix TestIDTokenValidator_Validate suite

bce72e8

Update OIDC doc to match real one

de729a0

Add TestIDTokenSource

226e2a6

go mod tidy

abf8a7e

rearrange go.mod

038813a

strideynet and others added 5 commits May 13, 2025 13:49

fix query params

66bc978

RepositoryReference -> RepositoryRef

bc7846d

Switch to azuredevops

5c8c74b

Adjust struct init

d3d314f

Update lib/azuredevops/token_validator.go

75be296

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

strideynet force-pushed the strideynet/azure-devops-source-and-validator branch from f45bfb1 to 75be296 Compare May 13, 2025 12:50

strideynet removed the do-not-merge label May 13, 2025

strideynet enabled auto-merge May 13, 2025 13:03

strideynet added this pull request to the merge queue May 13, 2025

Merged via the queue into master with commit 943b3c1 May 13, 2025
45 checks passed

strideynet deleted the strideynet/azure-devops-source-and-validator branch May 13, 2025 13:31

strideynet mentioned this pull request May 14, 2025

[v17] Foundations for Azure DevOps joining #54794

Closed

strideynet mentioned this pull request May 15, 2025

[v17] Azure DevOps token source and validator (#54667) #54836

Merged

Joerger mentioned this pull request May 20, 2025

Remove remaining uses of github.com/coreos/go-oidc/v3 with github.com/zitadel/oidc/v3 #54939

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Azure DevOps token source and validator#54667

Azure DevOps token source and validator#54667
strideynet merged 19 commits intomasterfrom
strideynet/azure-devops-source-and-validator

strideynet commented May 9, 2025 •

edited

Loading

Uh oh!

rosstimothy May 9, 2025

Uh oh!

strideynet May 13, 2025

Uh oh!

Uh oh!

Uh oh!

rosstimothy May 13, 2025

Uh oh!

strideynet May 13, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

strideynet commented May 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

rosstimothy May 9, 2025

Choose a reason for hiding this comment

Uh oh!

strideynet May 13, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

rosstimothy May 13, 2025

Choose a reason for hiding this comment

Uh oh!

strideynet May 13, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

strideynet commented May 9, 2025 •

edited

Loading