Entra ID integration boilerplate #40998
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Synthesize Key IDs for our JWT keys. For backwards compatibility, also include the same keys with an empty `kid` in JWKS. - Sign AWS OIDC tokens with a `kid=""` header claim, rather than omitting the `kid` claim altogether. See comment for details.
justinas
force-pushed
the
justinas/entra-id-boilerplate2
branch
from
fec6c58 to
8e8232a
Compare
justinas
changed the title
justinas
requested review from
tigrato
and removed request for
strideynet and
rudream
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
justinas
added
the
no-changelog
justinas
changed the title
jakule
approved these changes
Apr 29, 2024
api/types/integration.go
Outdated
| @@ -290,7 +354,8 @@ func (ig *IntegrationV1) MarshalJSON() ([]byte, error) { | |||
| d := struct { | |||
| ResourceHeader `json:""` | |||
| Spec struct { | |||
| AWSOIDC AWSOIDCIntegrationSpecV1 `json:"aws_oidc"` | |||
| AWSOIDC AWSOIDCIntegrationSpecV1 `json:"aws_oidc"` | |||
There was a problem hiding this comment.
You should probably add omitempty since now only one will be set
| expectedErrorIs: func(err error) bool { | ||
| return trace.IsBadParameter(err) | ||
| }, | ||
| expectedErrorIs: trace.IsBadParameter, |
|
|
||
| token, err := privateKey.SignEntraOIDC(jwt.SignParams{ | ||
| Audience: azureDefaultJWTAudience, | ||
| Subject: "teleport-azure", // TODO(justinas): consider moving this to a constant or a field in the integration settings |
There was a problem hiding this comment.
Should this be addressed before merging?
There was a problem hiding this comment.
Shouldn't be a problem later: as long as we have no user-facing way to onboard this, there's nothing to break 🙂 Left it TODO as I'm not sure how to handle this, but considering 1 ID provider = 1 subject for purposes of Entra app auth, constant should be okay I guess.
lib/jwt/jwk_test.go
Outdated
| @@ -34,3 +38,32 @@ func TestMarshalJWK(t *testing.T) { | |||
| // Required for integrating with AWS OpenID Connect Identity Provider. | |||
| require.Equal(t, "sig", jwk.Use) | |||
| } | |||
|
|
|||
| func TestKeyID(t *testing.T) { | |||
| t.Run("deterministic", func(t *testing.T) { | |||
There was a problem hiding this comment.
Those can be two separate tests
lib/jwt/jwk_test.go
Outdated
| @@ -34,3 +38,32 @@ func TestMarshalJWK(t *testing.T) { | |||
| // Required for integrating with AWS OpenID Connect Identity Provider. | |||
| require.Equal(t, "sig", jwk.Use) | |||
| } | |||
|
|
|||
| func TestKeyID(t *testing.T) { | |||
There was a problem hiding this comment.
Suggested change
| func TestKeyID(t *testing.T) { | |
| func TestKeyID(t *testing.T) { | |
| t.Parallel() |
strideynet
approved these changes
Apr 30, 2024
| @@ -34,3 +38,34 @@ func TestMarshalJWK(t *testing.T) { | |||
| // Required for integrating with AWS OpenID Connect Identity Provider. | |||
| require.Equal(t, "sig", jwk.Use) | |||
| } | |||
|
|
|||
| func TestKeyIDHasConsistentOutputForAnInput(t *testing.T) { | |||
There was a problem hiding this comment.
It'd be nice to see a test which takes a known public key and asserts that it produces a fixed KeyID - that'd let us ensure that we don't accidentally introduce a regression that causes the key ID in an already issued JWT to mismatch the key ID in the jwks.
There was a problem hiding this comment.
Good idea, added in c44c7c2.
public-teleport-github-review-bot
bot
removed the request for review
from tigrato
tigrato
approved these changes
May 2, 2024
api/types/integration.go
Outdated
| @@ -128,14 +155,19 @@ func (s *IntegrationSpecV1) CheckAndSetDefaults() error { | |||
| if err != nil { | |||
| return trace.Wrap(err) | |||
| } | |||
| case *IntegrationSpecV1_AzureOIDC: | |||
| err := integrationSubKind.CheckAndSetDefaults() | |||
There was a problem hiding this comment.
Suggested change
| err := integrationSubKind.CheckAndSetDefaults() | |
| err := integrationSubKind.Validate() |
api/types/integration.go
Outdated
Comment on lines
195
to
196
| // CheckAndSetDefaults validates the configuration for Azure OIDC integration subkind. | ||
| func (s *IntegrationSpecV1_AzureOIDC) CheckAndSetDefaults() error { |
There was a problem hiding this comment.
Suggested change
| // CheckAndSetDefaults validates the configuration for Azure OIDC integration subkind. | |
| func (s *IntegrationSpecV1_AzureOIDC) CheckAndSetDefaults() error { | |
| // Validate validates the configuration for Azure OIDC integration subkind. | |
| func (s *IntegrationSpecV1_AzureOIDC) Validate() error { |
api/types/plugin.go
Outdated
| @@ -609,6 +621,17 @@ func (c *PluginOAuth2AccessTokenCredentials) CheckAndSetDefaults() error { | |||
| return nil | |||
| } | |||
|
|
|||
| func (c *PluginEntraIDSettings) CheckAndSetDefaults() error { | |||
There was a problem hiding this comment.
Suggested change
| func (c *PluginEntraIDSettings) CheckAndSetDefaults() error { | |
| func (c *PluginEntraIDSettings) Validate() error { |
justinas
added a commit
that referenced
this pull request
Jun 6, 2024
* Add e imports for MS Graph SDK * Add ability to sign Entra ID OIDC JWTs, rework KID handling - Synthesize Key IDs for our JWT keys. For backwards compatibility, also include the same keys with an empty `kid` in JWKS. - Sign AWS OIDC tokens with a `kid=""` header claim, rather than omitting the `kid` claim altogether. See comment for details. * Add validation for Entra ID plugin * Fix typo in assertion function name * Update the OIDC JWKS test to expect the same key twice * Add Entra ID plugin type constant * go mod tidy * Fix expected JWKS size in integration test * Add basic tests for KeyID * Move Azure auth settings from Plugin to Integration * Address review comments * Add a unit test to ensure KeyID compatibility * Add license header to token_generator.go * Rename validation function per new conventions
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jun 7, 2024
* Entra ID reconciler: directory reconciler prerequisites (#40778) * Add Entra ID resource origin * Ignore ID and Revision from `header` in cmp * Add e_imports for MS Graph SDK * Entra ID integration: add proto definitions (#40997) * Entra ID integration boilerplate (#40998) * Add e imports for MS Graph SDK * Add ability to sign Entra ID OIDC JWTs, rework KID handling - Synthesize Key IDs for our JWT keys. For backwards compatibility, also include the same keys with an empty `kid` in JWKS. - Sign AWS OIDC tokens with a `kid=""` header claim, rather than omitting the `kid` claim altogether. See comment for details. * Add validation for Entra ID plugin * Fix typo in assertion function name * Update the OIDC JWKS test to expect the same key twice * Add Entra ID plugin type constant * go mod tidy * Fix expected JWKS size in integration test * Add basic tests for KeyID * Move Azure auth settings from Plugin to Integration * Address review comments * Add a unit test to ensure KeyID compatibility * Add license header to token_generator.go * Rename validation function per new conventions * Access Graph: sync AWS identity providers (#41368) * Add AWSSAMLProviderV1 to access graph proto * Access Graph: sync AWS SAML Providers * Parse SAML entity descriptor before sending to TAG * Add protos for AWS OIDC providers * Fetch AWS OIDC providers * Fetch signing certificates for AWS SAML providers * Deflake identity provider fetch test The concrete implementation of IAM mock uses a map, resulting in non-deterministic iteration order. Sort the results before comparing to alleviate. * Update lib/srv/discovery/fetchers/aws-sync/iam_test.go Co-authored-by: Jakub Nyckowski <[email protected]> --------- Co-authored-by: Jakub Nyckowski <[email protected]> * Access Graph: Entra ID application sync prerequisites (#41650) * Add access graph settings to Entra ID plugin * Move Entra ID labels to OSS * Add Entra resources and RPC to Access Graph proto * Add azure-oidc integration to web. Current code assumes that Integration is always either AwsOidc, or an external audit storage integration * Change app sso cache to a repeated field * Entra ID integration: add onboarding script (#41811) * Add Entra ID integration onboarding script * Adapt after proto update * Validate names in azure script handler, add test * Add license headers * Update Entra plugin test with SSO connector field * Fix lint * Remove leftover panics * Adjust success message * Downgrade log message level * Expect exactly 1 SP for MS Graph, improve errors * Properly extract hostname for enterprise app name * Comment on assuming the first subscription * Address review nits * Factor out sso info fetch into a function * fixup refactor * Add retry logic to app role assignment * Make godoc conventional * Entra ID integration: integration script updates and web onboarding prerequisites (#42172) * Remove integration name validation from web script Not used by the script. It is validated by the "plugins/validate" endpoint. * Add required frontend constants for Entra ID * Support Azure/Entra integrations in the list * Add IsPolicyEnabled to web config * Allow custom URL for ButtonLockedFeature * Add CTA_ENTRA_ID event type * Expose TAGInfoCache for use in e * Add LackingIgs option * Add Entra ID icon * Add Entra ID plugin to storybook * Bump e for dev build * Return underlying error in getPrivateAPIToken * Find default Azure subscription instead of the first one * Require user to re-login when provisioning Azure OIDC * Update prehog protos with Entra ID values From https://github.com/gravitational/cloud/pull/9111 * Suppress verbose warnings / information from az * Add an additional message after successful auth Lets user know that `az login` has completed and `teleport` is continuing its work. * Move EntraId constant to the bottom * Revert unintended changes to usageevents CTA is 1-to-1 with prehog, but IntegrationEnrollKind is not. * Remove integrationName validation asserts from test This parameter is no longer accepted by the endpoint * Revert "Bump e for dev build" This reverts commit fc747a0. * `go mod tidy` secondary modules --------- Co-authored-by: Jakub Nyckowski <[email protected]>
Merged
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 21, 2024
* Set the key id in JWT Some JWT libraries panic with multiple keys present in the JWKS. A second JWKS key entry was added in #40998 Fixes #44245 * Update lib/jwt/jwt.go Co-authored-by: Zac Bergquist <[email protected]> * fix compile error --------- Co-authored-by: Zac Bergquist <[email protected]>
strideynet
pushed a commit
that referenced
this pull request
Oct 9, 2024
* Set the key id in JWT Some JWT libraries panic with multiple keys present in the JWKS. A second JWKS key entry was added in #40998 Fixes #44245 * Update lib/jwt/jwt.go Co-authored-by: Zac Bergquist <[email protected]> * fix compile error --------- Co-authored-by: Zac Bergquist <[email protected]>
strideynet
pushed a commit
that referenced
this pull request
Oct 9, 2024
* Set the key id in JWT Some JWT libraries panic with multiple keys present in the JWKS. A second JWKS key entry was added in #40998 Fixes #44245 * Update lib/jwt/jwt.go Co-authored-by: Zac Bergquist <[email protected]> * fix compile error --------- Co-authored-by: Zac Bergquist <[email protected]>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 10, 2024
* Set the key id in JWT Some JWT libraries panic with multiple keys present in the JWKS. A second JWKS key entry was added in #40998 Fixes #44245 * Update lib/jwt/jwt.go * fix compile error --------- Co-authored-by: Jeff Anderson <[email protected]> Co-authored-by: Zac Bergquist <[email protected]>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 10, 2024
* Set the key id in JWT Some JWT libraries panic with multiple keys present in the JWKS. A second JWKS key entry was added in #40998 Fixes #44245 * Update lib/jwt/jwt.go * fix compile error --------- Co-authored-by: Jeff Anderson <[email protected]> Co-authored-by: Zac Bergquist <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Split off from #40556 . Depends on #40997
Introduces validation for types introduced in #40997 , as well as modifications to OIDC/JWT logic required to sign tokens for Entra APIs. See #40556 for more details.