RFC 8693 OAuth 2.0 Token Exchange #2806
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
seankhliao
force-pushed
the
dex-token-exchange
branch
2 times, most recently
from
e2f36e3
to
051c683
Compare
seankhliao
force-pushed
the
dex-token-exchange
branch
2 times, most recently
from
5aebff1
to
b25d49b
Compare
|
I think this is good enough for a first round of reviews. |
seankhliao
force-pushed
the
dex-token-exchange
branch
from
b25d49b
to
ea3fffb
Compare
|
Truly would like this merged into main so dex can be our complete Authentication proxy solution. |
sagikazarmark
added
the
release-note/new-feature
|
I can't promise it's gonna happen before KubeCon, but we will get to this. |
|
Just as a data point if it helps, I tested this PR with the Openshift connector after adding a very hacky implementation of the TokenIdentity method to the connector and it worked fine. |
|
Are there any docs/examples of this flow for Github Actions kicking around? I would be very interested in trying it out, even off of a branch build |
|
@seankhliao, sorry for the long delay. I have no excuses (besides KubeCon 😄 ). The code looks good to me. BTW could you please rebase the PR to resolve conflicts? |
seankhliao
force-pushed
the
dex-token-exchange
branch
from
ea3fffb
to
760e290
Compare
|
@nabokihms rebased, no need for excuses :) @blairdrummond https://github.com/seankhliao/testrepo0191 |
|
@aidansteele, just incase you're interested, I recently read aws-iam-oidc-idps-need-more-controls, and it seems like this might help resolve the things you have implemented via jwtex. I think the only thing missing is nested json claim mapping which is still a TODO. |
|
I have the OpenShift connector updated to implement token exchange for this PR, should I wait for this to be merged before submitting a PR since it depends on this PR? |
|
@gnunn1 yes, for now it is better to hold your PR util we merge the current one. |
|
Is there any info on how we can test with oidc type connector like auth0. I want to test if the access token through client-credentials grant be exchanged for DEX approved token through token-exchange. |
It worked. |
|
OK. We have been running this build with this PR for about 3 weeks in our test environment. I am curious if there is any concern that this will be rejected. If it eventually would be accepted, we can promote the version with the PR and then swap once its in. But if there is a concern that having dexidp support this functionality (even if it was re coded in a different way) but there is a philosophical reason against this that would change our plans. Any thoughts? |
|
@nabokihms Is there any assistance needed to get this merged into main. We have been using the branch build in our environment for a while now and tested all the functional options on tokens we are using. That is @dhasmac-bh has and it all works great.
|
|
@baz-bakerhughes, for now, no assistance is needed. DEP was accepted, so it is only a matter of testing. Because of the PTO season, we a throttling with this PR a bit, but no worries. We will merge it eventually. |
seankhliao
force-pushed
the
dex-token-exchange
branch
2 times, most recently
from
9227b4d
to
a80245d
Compare
|
I've reworked the TokenIdentiy part a bit so it should properly work with both id and access tokens. |
Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com> Signed-off-by: Sean Liao <sean+git@liao.dev>
seankhliao
force-pushed
the
dex-token-exchange
branch
from
a80245d
to
8c18722
Compare
|
@seankhliao I tested a dex - dex communication (configuring the second dex instance as an oidc provider for the first) 😄. |
|
Ok, I think dex - dex works too with my updated code |
There was a problem hiding this comment.
@seankhliao awesome! Thank you for your work. It was a long journey!
P.S. It would be awesome if you could add a doc about the Token Exchange feature to the Dex documentation.
|
Thank you @seankhliao for making this happen! |
|
I've created dexidp/website#140 for website documentation |
|
Thanks for the merge, any ETA when this will be available as a release. I can update my helm chart accordingly. |
|
There is no release date for the upcoming releases, but it will probably be August something. |
Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
Signed-off-by: Sean Liao <sean+git@liao.dev> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
|
Thanks for this feature, we are using it already to enable ArgoCD to authenticate with managed clusters across multiple clouds. |
|
@sl1pm4t great, thank you for sharing 🙌 |
Overview
Implement RFC 8693 which specifies exchanging third party tokens for native ones.
What this PR does / why we need it
There are times when we wish to grant machines access to a protected endpoint without using long-lived, static API keys or user/password combinations.
Many modern execution environments can expose short-lived OIDC tokens for the duration of the execution, examples include:
As these are machine users, handling a redirect is not very feasible.
In these cases, clients will have independently authenticated to the upstream IDP (sometimes implicitly by virtue of the IDP integrating with the execution environment) and obtained an ID token.
This PR allows using this prior authentication to be used in obtaining a dex issued token for use with downstream clients.
As a concrete example:
We're running ArgoCD with dex as the identity provider, connected to Okta for humans.
We want to access the ArgoCD API from our CI environments without keeping around a static key which may be compromised.
Related issues:
Special notes for your reviewer
The RFC:
actor_tokenandactor_token_typeare "MUST ... if the actor token is present, also perform the appropriate validation procedures for its indicated token type", but it's unclear what to authenticate them in this context (an existing user?)resourcefield which I don't see any use foraudiencefield which I'm using for connector ID, based on how GCP Workload Identity Pools use themIt was also unclear if the correct arguments are passed to
newIDToken/newAccessTokenDoes this PR introduce a user-facing change?