dashboard icon indicating copy to clipboard operation
dashboard copied to clipboard

Published 20 hours ago verified publisher icon gardener

OIDC token refresh and PKCE flow

Open holgerkoser opened this issue 2 years ago • 1 comments

!!!This PR is included in #1277 and should not be merged!!!

What this PR does / why we need it:

Refresh Token

OpenID Connect defines the offline_access scope value to request a refresh_token in addition to the id_token which allows to use OIDC provider with short id_token lifetimes. With this PR we support the usage of scope offline_access. Typically the refresh_token is an opaque token and not a JWT with exp claim. But the refresh_token has a limited lifetime. If the refresh_token is used to refresh an id_token a new refresh_token is returned and the old refresh_token can not be used once again. Therefore the client must check if an id_token will expire soon and refresh the id_token if necessary. Since the process can be repeated again and again we recommend to configure and absolute sessionLifetime that stops the automatic refresh process and forces a logout if the the lifetime of a session exceeds this limit.

To enable this feature the operator has to configure the scope in the chart values:

oidc:
  scope: "openid email groups profile offline_access"
  sessionLifetime: 86400 # 1 day
Authorization Code Flow + PKCE

Currently all downloaded user kubeconfigs contain a client_secret. With this PR we support the PKCE flow for the OIDC client used by the dashboard itself as well for the public client used for the downloaded kubeconfig. In order to remove the client_secret from the downloaded kubeconfig the operator needs to force the usage the PKCE flow for the public client. The PKCE flow will be enabled by default if no clientSecret is given in the values.

oidc:
  ...
  public:
    clientId: 'my-public-client-id'
    # clientSecret: 'my-public-client-secret'

It is also possible to force PKCE flow for the client used by the dashboard but the client_secret is still required.

oidc:
  clientId: 'my-internal-client-id'
  clientSecret: 'my-internal-client-secret'
  usePKCE: true

Which issue(s) this PR fixes: Fixes #976

Special notes for your reviewer:

Release note:

Added support for OIDC refresh tokens. This allows an operator to configure short `id_token` lifetimes. 

Added support for PKCE flow to the internal and the public OIDC client. This allows an operator to configure the the public client without a `client_secret`.

holgerkoser avatar Jun 29 '22 21:06 holgerkoser

@holgerkoser You need rebase this pull request with latest master branch. Please check.

gardener-robot avatar Jul 27 '22 20:07 gardener-robot