4df1acfefd
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. oidc authentication: switch to v2 of coreos/go-oidc Switch to v2 of [coreos/go-oidc](https://github.com/coreos/go-oidc), which uses square/go-jose to verify tokens and supports more signing algorithms. Most of this PR removes dependencies used by the older version of github.com/coreos/go-oidc, and updates vendor files. This PR has been tested against tokens issued by Okta, Google, and CoreOS's dex. Closes https://github.com/kubernetes/kubernetes/issues/57806 ```release-note kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag. kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs, users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint. ``` cc @rithujohn191 @liggitt cc @kubernetes/sig-auth-pr-reviews Kubernetes-commit: cdbc4fbe20c94694bc25910d54a7de52a98b6650 |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| .travis.yml | ||
| CONTRIBUTING.md | ||
| DCO | ||
| LICENSE | ||
| MAINTAINERS | ||
| NOTICE | ||
| README.md | ||
| code-of-conduct.md | ||
| jose.go | ||
| jwks.go | ||
| oidc.go | ||
| test | ||
| verify.go | ||
README.md
go-oidc
OpenID Connect support for Go
This package enables OpenID Connect support for the golang.org/x/oauth2 package.
provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
if err != nil {
// handle error
}
// Configure an OpenID Connect aware OAuth2 client.
oauth2Config := oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURL: redirectURL,
// Discovery returns the OAuth2 endpoints.
Endpoint: provider.Endpoint(),
// "openid" is a required scope for OpenID Connect flows.
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
OAuth2 redirects are unchanged.
func handleRedirect(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
}
The on responses, the provider can be used to verify ID Tokens.
var verifier = provider.Verifier(&oidc.Config{ClientID: clientID})
func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
// Verify state and errors.
oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
// handle error
}
// Extract the ID Token from OAuth2 token.
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
if !ok {
// handle missing token
}
// Parse and verify ID Token payload.
idToken, err := verifier.Verify(ctx, rawIDToken)
if err != nil {
// handle error
}
// Extract custom claims
var claims struct {
Email string `json:"email"`
Verified bool `json:"email_verified"`
}
if err := idToken.Claims(&claims); err != nil {
// handle error
}
}