10BC0 Fix/OIDC - relaxed OIDC scope validation by jjngx · Pull Request #3863 · nginx/kubernetes-ingress · GitHub
[go: up one dir, main page]
Skip to content

Fix/OIDC - relaxed OIDC scope validation #3863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
May 10, 2023
Merged

Fix/OIDC - relaxed OIDC scope validation #3863

merged 12 commits into from
May 10, 2023

Conversation

jjngx
Copy link
Contributor
@jjngx jjngx commented May 4, 2023
edited
Loading

Proposed changes

This PR introduces following changes:

  • relaxed OIDC scope validation - only scope openid is required, users can use their own custom scopes
  • added validation rules for users' defined scope tokens to comply with RFC6749 (except char "+" \x2b used internally to separate tokens in scopes)
  • added tests and improved test coverage
  • cleaned up tests for policies validators, separated valid and invalid inputs for validators (no business rules change!)

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • [] I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@jjngx jjngx requested a review from a team as a code owner May 4, 2023 13:33
@github-actions github-actions bot added the bug An issue reporting a potential bug label May 4, 2023
@jjngx jjngx changed the title Fix/OIDC - Added offline_access to a list of valid scopes WIP - Fix/OIDC - Added offline_access to a list of valid scopes May 4, 2023
@codecov
Copy link
codecov bot commented May 4, 2023
edited
Loading

Codecov Report

Merging #3863 (0a7c9bc) into main (adba092) will decrease coverage by 0.02%.
The diff coverage is 100.00%.

❗ Current head 0a7c9bc differs from pull request most recent head 22e2007. Consider uploading reports for the commit 22e2007 to get more accurate results

@@            Coverage Diff             @@
##             main    #3863      +/-   ##
==========================================
- Coverage   51.95%   51.94%   -0.02%     
==========================================
  Files          59       59              
  Lines       16759    16746      -13     
==========================================
- Hits         8707     8698       -9     
+ Misses       7756     7748       -8     
- Partials      296      300       +4
Impacted Files Coverage Δ
pkg/apis/configuration/validation/common.go 100.00% <100.00%> (ø)
pkg/apis/configuration/validation/policy.go 92.91% <100.00%> (+1.28%) ⬆️

... and 2 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@lucacome
Copy link
lucacome commented May 5, 2023

Looks like there are unrelated changes, but I think they go away after #3818 is merged?

@jjngx
Make access token scopes comply with RFC6749 sec 3.3
c77031e 
This PR updates validation rules for OIDC scope tokens. It makes them conform to the RFC6749 section 3.3. The section lists ranges of allowed characters.
@jjngx jjngx changed the title WIP - Fix/OIDC - Added offline_access to a list of valid scopes Fix/OIDC - relaxed OIDC scope validation May 8, 2023
@jjngx
Update docs
dbab3d2 
Updated docs no longer list allowed scopes. Only one mandatory scope is , possibly followed by a number of other, user-defined, custom scopes
@github-actions github-actions bot added the documentation Pull requests/issues for documentation label May 8, 2023
shaun-nx
shaun-nx approved these changes May 8, 2023
View reviewed changes
Copy link
Contributor
@shaun-nx shaun-nx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@jjngx jjngx merged commit ab67547 into main May 10, 2023
@jjngx jjngx deleted the fix/oidc branch May 10, 2023 14:35
@brianehlert brianehlert mentioned this pull request Jun 22, 2023
Closed
@lucacome lucacome removed the bug An issue reporting a potential bug label Jun 23, 2023
@lucacome lucacome added the enhancement Pull requests for new features/feature enhancements label Jun 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haywoodsh haywoodsh haywoodsh approved these changes

@ciarams87 ciarams87 Awaiting requested review from ciarams87

@vepatel vepatel Awaiting requested review from vepatel

@jasonwilliams14 jasonwilliams14 Awaiting requested review from jasonwilliams14

+1 more reviewer

@shaun-nx shaun-nx shaun-nx approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
documentation Pull requests/issues for documentation enhancement Pull requests for new features/feature enhancements
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jjngx @lucacome @haywoodsh @shaun-nx
0