Consolidated configuration of uris into strings

- Renamed `oidc.logout.redirect_to_uri` config option to `redirect_uri` - Renamed `authorization`, `token`, and `callback` config options to `authorization_uri`, `token_uri`, and `callback_uri` - Deleted the unused `jwks_uri` config option - The `authorization_uri`, `token_uri`, and `callback_uri` config options became simple strings instead of `Endpoint` objects [Issue #60] Signed-off-by: Ryan Richard <[email protected]>
istio-ecosystem · Mar 5, 2020 · 74693c5 · 74693c5
1 parent 83d14a1
commit 74693c5
Show file tree

Hide file tree

Showing 21 changed files with 297 additions and 365 deletions.
diff --git a/bookinfo-example/config/authservice-configmap-template-for-authn-and-authz.yaml b/bookinfo-example/config/authservice-configmap-template-for-authn-and-authz.yaml
@@ -24,25 +24,10 @@ data:
           {
             "oidc":
               {
-                "authorization": {
-                  "scheme": "https",
-                  "hostname": "demo.example.change.me",
-                  "path": "/oauth/authorize/change/me",
-                  "port": "443"
-                },
-                "token": {
-                  "scheme": "https",
-                  "hostname": "demo.example.change.me",
-                  "path": "/oauth/token/change/me",
-                  "port": "443"
-                },
+                "authorization_uri": "https://demo.example.change.me/oauth/authorize/change/me",
+                "token_uri": "https://demo.example.change.me/oauth/token/change/me",
+                "callback_uri": "https://INGRESS_HOST_CHANGE_ME/productpage/oauth/callback",
                 "jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"sha2-2017-01-20-key\",\"alg\":\"RS256\",\"value\":\"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyH6kYCP29faDAUPKtei3\nV/Zh8eCHyHRDHrD0iosvgHuaakK1AFHjD19ojuPiTQm8r8nEeQtHb6mDi1LvZ03e\nEWxpvWwFfFVtCyBqWr5wn6IkY+ZFXfERLn2NCn6sMVxcFV12sUtuqD+jrW8MnTG7\nhofQqxmVVKKsZiXCvUSzfiKxDgoiRuD3MJSoZ0nQTHVmYxlFHuhTEETuTqSPmOXd\n/xJBVRi5WYCjt1aKRRZEz04zVEBVhVkr2H84qcVJHcfXFu4JM6dg0nmTjgd5cZUN\ncwA1KhK2/Qru9N0xlk9FGD2cvrVCCPWFPvZ1W7U7PBWOSBBH6GergA+dk2vQr7Ho\nlQIDAQAB\n-----END PUBLIC KEY-----\",\"n\":\"AMh-pGAj9vX2gwFDyrXot1f2YfHgh8h0Qx6w9IqLL4B7mmpCtQBR4w9faI7j4k0JvK_JxHkLR2-pg4tS72dN3hFsab1sBXxVbQsgalq-cJ-iJGPmRV3xES59jQp-rDFcXBVddrFLbqg_o61vDJ0xu4aH0KsZlVSirGYlwr1Es34isQ4KIkbg9zCUqGdJ0Ex1ZmMZRR7oUxBE7k6kj5jl3f8SQVUYuVmAo7dWikUWRM9OM1RAVYVZK9h_OKnFSR3H1xbuCTOnYNJ5k44HeXGVDXMANSoStv0K7vTdMZZPRRg9nL61Qgj1hT72dVu1OzwVjkgQR-hnq4APnZNr0K-x6JU\"}]}",
-                "callback": {
-                  "scheme": "https",
-                  "hostname": "INGRESS_HOST_CHANGE_ME",
-                  "path": "/productpage/oauth/callback",
-                  "port": "443"
-                },
                 "client_id": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx_CHANGE_ME",
                 "client_secret": "xxxxx-xxxx-xxx-xxx-xxx_CHANGE_ME",
                 "scopes": ["productpage.read", "reviews.read"],
@@ -57,7 +42,7 @@ data:
                 },
                 "logout": {
                   "path": "/authservice_logout",
-                  "redirect_to_uri": "https://<demo.example.change.me>/some/logout/path"
+                  "redirect_uri": "https://<demo.example.change.me>/some/logout/path"
                 }
               }
             }

diff --git a/bookinfo-example/config/authservice-configmap-template-for-authn.yaml b/bookinfo-example/config/authservice-configmap-template-for-authn.yaml
@@ -24,25 +24,10 @@ data:
           {
             "oidc":
               {
-                "authorization": {
-                  "scheme": "https",
-                  "hostname": "demo.example.change.me",
-                  "path": "/oauth/authorize/change/me",
-                  "port": "443"
-                },
-                "token": {
-                  "scheme": "https",
-                  "hostname": "demo.example.change.me",
-                  "path": "/oauth/token/change/me",
-                  "port": "443"
-                },
+                "authorization_uri": "https://demo.example.change.me/oauth/authorize/change/me",
+                "token_uri": "https://demo.example.change.me/oauth/token/change/me",
+                "callback_uri": "https://INGRESS_HOST_CHANGE_ME/productpage/oauth/callback",
                 "jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"sha2-2017-01-20-key\",\"alg\":\"RS256\",\"value\":\"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyH6kYCP29faDAUPKtei3\nV/Zh8eCHyHRDHrD0iosvgHuaakK1AFHjD19ojuPiTQm8r8nEeQtHb6mDi1LvZ03e\nEWxpvWwFfFVtCyBqWr5wn6IkY+ZFXfERLn2NCn6sMVxcFV12sUtuqD+jrW8MnTG7\nhofQqxmVVKKsZiXCvUSzfiKxDgoiRuD3MJSoZ0nQTHVmYxlFHuhTEETuTqSPmOXd\n/xJBVRi5WYCjt1aKRRZEz04zVEBVhVkr2H84qcVJHcfXFu4JM6dg0nmTjgd5cZUN\ncwA1KhK2/Qru9N0xlk9FGD2cvrVCCPWFPvZ1W7U7PBWOSBBH6GergA+dk2vQr7Ho\nlQIDAQAB\n-----END PUBLIC KEY-----\",\"n\":\"AMh-pGAj9vX2gwFDyrXot1f2YfHgh8h0Qx6w9IqLL4B7mmpCtQBR4w9faI7j4k0JvK_JxHkLR2-pg4tS72dN3hFsab1sBXxVbQsgalq-cJ-iJGPmRV3xES59jQp-rDFcXBVddrFLbqg_o61vDJ0xu4aH0KsZlVSirGYlwr1Es34isQ4KIkbg9zCUqGdJ0Ex1ZmMZRR7oUxBE7k6kj5jl3f8SQVUYuVmAo7dWikUWRM9OM1RAVYVZK9h_OKnFSR3H1xbuCTOnYNJ5k44HeXGVDXMANSoStv0K7vTdMZZPRRg9nL61Qgj1hT72dVu1OzwVjkgQR-hnq4APnZNr0K-x6JU\"}]}",
-                "callback": {
-                  "scheme": "https",
-                  "hostname": "INGRESS_HOST_CHANGE_ME",
-                  "path": "/productpage/oauth/callback",
-                  "port": "443"
-                },
                 "client_id": "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx_CHANGE_ME",
                 "client_secret": "xxxxx-xxxx-xxx-xxx-xxx_CHANGE_ME",
                 "scopes": [],
@@ -53,7 +38,7 @@ data:
                 },
                 "logout": {
                   "path": "/authservice_logout",
-                  "redirect_to_uri": "https://<demo.example.change.me>/some/logout/path"
+                  "redirect_uri": "https://<demo.example.change.me>/some/logout/path"
                 }
               }
             }

diff --git a/config/common/BUILD b/config/common/BUILD
diff --git a/config/common/config.proto b/config/common/config.proto
diff --git a/config/oidc/BUILD b/config/oidc/BUILD
@@ -2,7 +2,7 @@ load("@com_envoyproxy_protoc_gen_validate//bazel:pgv_proto_library.bzl", "pgv_cc
 
 pgv_cc_proto_library(
     name = "config_cc",
-    cc_deps = ["//config/common:config_cc"],
+    cc_deps = [],
     linkstatic = True,
     visibility = ["//visibility:public"],
     deps = [
@@ -15,7 +15,6 @@ proto_library(
     srcs = ["config.proto"],
     visibility = ["//visibility:public"],
     deps = [
-        "//config/common:config_proto",
         "@com_envoyproxy_protoc_gen_validate//validate:validate_proto",
     ],
 )
diff --git a/config/oidc/config.proto b/config/oidc/config.proto
@@ -2,7 +2,6 @@ syntax = "proto3";
 
 package authservice.config.oidc;
 
-import "config/common/config.proto";
 import "validate/validate.proto";
 
 // Defines how a token obtained through an OIDC flow is forwarded to services.
@@ -31,7 +30,7 @@ message LogoutConfig {
 
     // A http request path that the authservice matches against to initiate logout.
     // Whenever a request is made to that path, the authservice will remove the authservice-specific
-    // cookies and respond with a redirect to the configured `redirect_to_uri`. Removing the cookies
+    // cookies and respond with a redirect to the configured `redirect_uri`. Removing the cookies
     // causes the user to be unauthenticated in future requests.
     // If the service application has its own logout controller, then it may be desirable to have its
     // logout controller redirect to this path. If the service application does not need its own logout
@@ -45,7 +44,7 @@ message LogoutConfig {
     // [logout endpoint of the OIDC Provider](https://openid.net/specs/openid-connect-session-1_0.html#RPLogout).
     // As with all redirects, the user's browser will perform a GET to this URI.
     // Required.
-    string redirect_to_uri = 2 [(validate.rules).string.min_len = 1];
+    string redirect_uri = 2 [(validate.rules).string.min_len = 1];
 }
 
 // The configuration of an OpenID Connect filter that can be used to retrieve identity and access tokens
@@ -55,32 +54,11 @@ message OIDCConfig {
 
     // The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
     // Required.
-    common.Endpoint authorization = 1 [(validate.rules).message.required = true];
+    string authorization_uri = 1 [(validate.rules).string.min_len = 1];
 
     // The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
     // Required.
-    common.Endpoint token = 2 [(validate.rules).message.required = true];
-
-    // The OIDC Provider's JWKS configuration used during `id_token` verification.
-    // Use either `jwks_uri` or `jwks` (see below).
-    // Required.
-    oneof jwks_config {
-        option (validate.required) = true;
-
-        // *This is currently ignored.* In a future version it will be the URL of the OIDC provider’s
-        // public key set to validate signature of the JWT.
-        // See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        // This should match the `jwksUri` value of
-        // [Istio Authentication Policy](https://istio.io/docs/tasks/security/authn-policy/).
-        common.Endpoint jwks_uri = 3;
-
-        // The JSON JWKS response from the OIDC provider’s `jwks_uri` URI which can be found in
-        // the OIDC provider's
-        // [configuration response](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
-        // Note that this JSON value must be escaped when embedded in a json configmap
-        // (see [example](https://github.com/istio-ecosystem/authservice/blob/master/bookinfo-example/config/authservice-configmap-template.yaml)).
-        string jwks = 4;
-    }
+    string token_uri = 2 [(validate.rules).string.min_len = 1];
 
     // This value will be used as the `redirect_uri` param of the authorization code grant
     // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
@@ -89,43 +67,52 @@ message OIDCConfig {
     // the service so that the authservice can intercept the request and handle it
     // (see [example](https://github.com/istio-ecosystem/authservice/blob/master/bookinfo-example/config/bookinfo-gateway.yaml)).
     // Required.
-    common.Endpoint callback = 5 [(validate.rules).message.required = true];
+    string callback_uri = 3 [(validate.rules).string.min_len = 1];
+
+    // The JSON JWKS response from the OIDC provider’s `jwks_uri` URI which can be found in
+    // the OIDC provider's
+    // [configuration response](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+    // Note that this JSON value must be escaped when embedded in a json configmap
+    // (see [example](https://github.com/istio-ecosystem/authservice/blob/master/bookinfo-example/config/authservice-configmap-template.yaml)).
+    // Used during token verification.
+    // Required.
+    string jwks = 4 [(validate.rules).string.min_len = 1];
 
     // The OIDC client ID assigned to the filter to be used in the
     // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
     // Required.
-    string client_id = 6 [(validate.rules).string.min_len = 1];
+    string client_id = 5 [(validate.rules).string.min_len = 1];
 
     // The OIDC client secret assigned to the filter to be used in the
     // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
     // Required.
-    string client_secret = 7 [(validate.rules).string.min_len = 1];
+    string client_secret = 6 [(validate.rules).string.min_len = 1];
 
     // Additional scopes passed to the OIDC Provider in the
     // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
     // The `openid` scope is always sent to the OIDC Provider, and does not need to be specified here.
     // Required, but an empty array is allowed.
-    repeated string scopes = 8;
+    repeated string scopes = 7;
 
     // A unique identifier of the authservice's browser cookies. Can be any string.
     // Only needed when multiple services in the same domain are each protected by
     // their own authservice, in which case each service's authservice should have
     // a unique value to avoid cookie name conflicts.
     // Optional.
-    string cookie_name_prefix = 9;
+    string cookie_name_prefix = 8;
 
     // The configuration for adding ID Tokens as headers to requests forwarded to a service.
     // Required.
-    TokenConfig id_token = 10 [(validate.rules).message.required = true];
+    TokenConfig id_token = 9 [(validate.rules).message.required = true];
 
     // The configuration for adding Access Tokens as headers to requests forwarded to a service.
     // Optional.
-    TokenConfig access_token = 11;
+    TokenConfig access_token = 10;
 
     // When specified, the authservice will destroy the authservice session when a request is
     // made to the configured path.
     // Optional.
-    LogoutConfig logout = 12;
+    LogoutConfig logout = 11;
 
     // The Authservice associates obtained OIDC tokens with a session ID in a session store.
     // It also stores some temporary information during the login process into the session store,
@@ -137,7 +124,7 @@ message OIDCConfig {
     // When both `absolute_session_timeout` and `idle_session_timeout` are zero, then sessions will never
     // expire. These settings do not affect how quickly the OIDC tokens contained inside the user's session expire.
     // Optional.
-    uint32 absolute_session_timeout = 13;
+    uint32 absolute_session_timeout = 12;
 
     // The Authservice associates obtained OIDC tokens with a session ID in a session store.
     // It also stores some temporary information during the login process into the session store,
@@ -149,10 +136,10 @@ message OIDCConfig {
     // When both `absolute_session_timeout` and `idle_session_timeout` are zero, then sessions will never
     // expire. These settings do not affect how quickly the OIDC tokens contained inside the user's session expire.
     // Optional.
-    uint32 idle_session_timeout = 14;
+    uint32 idle_session_timeout = 13;
 
     // When specified, the Authservice will trust the specified Certificate Authority when performing HTTPS calls to
     // the Token Endpoint of the OIDC Identity Provider.
     // Optional.
-    string trusted_certificate_authority = 15;
+    string trusted_certificate_authority = 14;
 }