Merge pull request #689 from smallstep/azure-oidc

Azure OIDC
Mariano Cano 2021-08-30 17:10:05 -07:00 committed by GitHub
commit bcc6ed9a8c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 3 deletions


@ -11,6 +11,7 @@ import (
"net"
"reflect"
"testing"
"time"
"github.com/pkg/errors"
"github.com/smallstep/assert"
@ -82,6 +83,10 @@ func testAuthority(t *testing.T, opts ...Option) *Authority {
}
a, err := New(c, opts...)
assert.FatalError(t, err)
// Avoid errors when test tokens are created before the test authority. This
// happens in some tests where we re-create the same authority to test
// special cases without re-creating the token.
a.startTime = a.startTime.Add(-1 * time.Minute)
return a
}
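Review bot: Backdating `a.startTime` inside the shared testAuthority helper applies to every authority built through it, so a test that is meant to check how tokens issued before the authority's start time are handled (if such a check on startTime exists; its enforcement is not visible in this hunk) would pass for the wrong reason. Consider making the shift opt-in through an Option, or at least widen the comment so the side effect is explicit: `// NOTE: this backdates startTime for every test that uses this helper; tests that exercise startTime enforcement must set it themselves.` The remainder of testAuthority's body lies outside the hunk.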


@ -37,8 +37,9 @@ func (p provisionerSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
// provisioner.
type loadByTokenPayload struct {
jose.Claims
AuthorizedParty string `json:"azp"` // OIDC client id
TenantID string `json:"tid"` // Microsoft Azure tenant id
Email string `json:"email"` // OIDC email
AuthorizedParty string `json:"azp"` // OIDC client id
TenantID string `json:"tid"` // Microsoft Azure tenant id
}
// Collection is a memory map of provisioners.
@ -129,12 +130,20 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
return p, ok
}
}
// Try with tid (Azure)
// Try with tid (Azure, Azure OIDC)
if payload.TenantID != "" {
// Try to load an OIDC provisioner first.
if payload.Email != "" {
if p, ok := c.LoadByTokenID(payload.Audience[0]); ok {
return p, ok
}
}
// Try to load an Azure provisioner.
if p, ok := c.LoadByTokenID(payload.TenantID); ok {
return p, ok
}
}
// Fallback to aud
return c.LoadByTokenID(payload.Audience[0])
}
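Review bot: The new OIDC branch indexes `payload.Audience[0]` without checking that the slice is non-empty; the pre-existing fallback on the last line does the same, so unless the caller has already rejected tokens with an empty `aud` (not visible in this hunk), a token carrying `tid` and `email` but no audience causes an index-out-of-range panic in the lookup instead of a clean "provisioner not found" result. Since the token is external input at this point, the guard belongs here: change the inner condition to `if payload.Email != "" && len(payload.Audience) > 0 {` and guard the fallback with `if len(payload.Audience) == 0 { return nil, false }` before the final `return c.LoadByTokenID(payload.Audience[0])`. The struct change in the first hunk (adding the `Email` field) needs no further work; LoadByToken's body begins before the second hunk.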