Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Close security gaps OIDC implementation to make it work with Okta #2916

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: Close security gaps OIDC implementation to make it work with Okta #2916

wants to merge 2 commits into from

Conversation

02strich
Copy link

The OIDC implementation in Kargo is a good starting point with using PKCE and looking to leverage latest security practices. Unfortunately, it still has some issues that make it incompatible with some providers, e.g. Okta. This PR adds usage of the state variable to add a further data point around call validation, and removes the offline_access forced scope as both are considered security requirements by Okta. Neither should create issues for existing customers as state usage is standards-compliant (and quite common) and the removed scope can be re-added in configuration.

Does that seem reasonable?

@02strich 02strich requested a review from a team as a code owner November 12, 2024 04:33
@netlify Netlify
Copy link

netlify bot commented Nov 12, 2024
edited
Loading

Deploy Preview for docs-kargo-io canceled.

Name Link
🔨 Latest commit f415100
🔍 Latest deploy log https://app.netlify.com/sites/docs-kargo-io/deploys/6732dba00971d800084bffab

@02strich 02strich changed the title Update OIDC implementation to make it work with Okta feat: Update OIDC implementation to make it work with Okta Nov 12, 2024
@02strich
feat: Add OIDC State
2a094f2 
When using PKCE it is recommended to send and validate a state variable to make sure the response fits. While this is not required by the specification, it is recommended, and turns out to be required by some implementations so doing it.

Signed-off-by: Stefan Richter <[email protected]>
@02strich
feat: Remove forced offline_access scope
f415100 
The offline_access scope is considered to be a security concern when used in web apps by some people. This leads to some OIDC implementations enforcing it to not be used. Anyone who needs it/would like to use it, can configure to add it again.

Signed-off-by: Stefan Richter <[email protected]>
@krancour
Copy link
Member

We can take a look at this, but it may be a while.

My initial instinct is to avoid this sort of change. Part of the reason we ship with the option to integrate Dex is that it easily corrects for incompatibilities of this nature. For instance, some IDPs don't (yet) support PKCE. Others, like GitHub, don't support OIDC at all. With Dex, resolving these things is a matter of a little configuration instead of code changes.

@krancour krancour self-assigned this Nov 13, 2024
@02strich 02strich changed the title feat: Update OIDC implementation to make it work with Okta feat: Close security gaps OIDC implementation to make it work with Okta Nov 17, 2024
@02strich
Copy link
Author

@krancour happy to wait! In general

I would agree with you, though both changes I am making in this PR are security things that Okta just happens to enforce, while the standard just strongly recommends them. I believe they close issues with the implementation as is (I would expect even using it with Dex). Let me know what you think once you have time to look at it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@krancour krancour

Labels
area/cli area/security area/ui kind/enhancement kind/proposal priority/low
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@02strich @krancour