fix(core): swap out internal issuer for external issuer endpoint (#1027)

When the platform points to an internal issuer endpoint. Example keycloak is running within a k8s cluster we should try to replace it if its different from what is returned from the discovery endpoint.
opentdf · Jun 24, 2024 · c3828d0 · c3828d0
1 parent 65894ae
commit c3828d0
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 8 deletions.
diff --git a/service/internal/auth/authn.go b/service/internal/auth/authn.go
@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"net/http"
@@ -86,7 +87,7 @@ type Authentication struct {
 }
 
 // Creates new authN which is used to verify tokens for a set of given issuers
-func NewAuthenticator(ctx context.Context, cfg Config, logr *logger.Logger) (*Authentication, error) {
+func NewAuthenticator(ctx context.Context, cfg Config, logr *logger.Logger, wellknownRegistration func(namespace string, config any) error) (*Authentication, error) {
 	a := &Authentication{
 		enforceDPoP: cfg.EnforceDPoP,
 		logger:      logr,
@@ -106,6 +107,13 @@ func NewAuthenticator(ctx context.Context, cfg Config, logr *logger.Logger) (*Au
 		return nil, err
 	}
 
+	// If the issuer is different from the one in the configuration, update the configuration
+	// This could happen if we are hitting an internal endpoint. Example we might point to https://keycloak.opentdf.svc/realms/opentdf
+	// but the external facing issuer is https://keycloak.opentdf.local/realms/opentdf
+	if oidcConfig.Issuer != cfg.Issuer {
+		cfg.Issuer = oidcConfig.Issuer
+	}
+
 	cacheInterval, err := time.ParseDuration(cfg.CacheRefresh)
 	if err != nil {
 		logr.ErrorContext(ctx, fmt.Sprintf("Invalid cache_refresh_interval [%s]", cfg.CacheRefresh), "err", err)
@@ -140,6 +148,27 @@ func NewAuthenticator(ctx context.Context, cfg Config, logr *logger.Logger) (*Au
 
 	a.oidcConfiguration = cfg.AuthNConfig
 
+	// Try an register oidc issuer to wellknown service but don't return an error if it fails
+	if err := wellknownRegistration("platform_issuer", cfg.Issuer); err != nil {
+		logr.Warn("failed to register platform issuer", slog.String("error", err.Error()))
+	}
+
+	var oidcConfigMap map[string]any
+
+	// Create a map of the oidc configuration
+	oidcConfigBytes, err := json.Marshal(oidcConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := json.Unmarshal(oidcConfigBytes, &oidcConfigMap); err != nil {
+		return nil, err
+	}
+
+	if err := wellknownRegistration("idp", oidcConfigMap); err != nil {
+		logr.Warn("failed to register platform idp information", slog.String("error", err.Error()))
+	}
+
 	return a, nil
 }
 

diff --git a/service/internal/auth/authn_test.go b/service/internal/auth/authn_test.go
@@ -136,7 +136,7 @@ func (s *AuthSuite) SetupTest() {
 	s.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 		if r.URL.Path == "/.well-known/openid-configuration" {
-			_, err := w.Write([]byte(fmt.Sprintf(`{"jwks_uri": "%s/jwks"}`, s.server.URL)))
+			_, err := w.Write([]byte(fmt.Sprintf(`{"issuer":"%s","jwks_uri": "%s/jwks"}`, s.server.URL, s.server.URL)))
 			if err != nil {
 				panic(err)
 			}
@@ -173,6 +173,7 @@ func (s *AuthSuite) SetupTest() {
 		&logger.Logger{
 			Logger: slog.New(slog.Default().Handler()),
 		},
+		func(_ string, _ any) error { return nil },
 	)
 
 	s.Require().NoError(err)
@@ -603,7 +604,9 @@ func (s *AuthSuite) Test_Allowing_Auth_With_No_DPoP() {
 	config.AuthNConfig = authnConfig
 	auth, err := NewAuthenticator(context.Background(), config, &logger.Logger{
 		Logger: slog.New(slog.Default().Handler()),
-	})
+	},
+		func(_ string, _ any) error { return nil },
+	)
 
 	s.Require().NoError(err)
 

diff --git a/service/internal/server/server.go b/service/internal/server/server.go
@@ -118,6 +118,7 @@ func NewOpenTDFServer(config Config, logr *logger.Logger) (*OpenTDFServer, error
 			context.Background(),
 			config.Auth,
 			logr,
+			config.WellKnownConfigRegister,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create authentication interceptor: %w", err)
@@ -127,11 +128,6 @@ func NewOpenTDFServer(config Config, logr *logger.Logger) (*OpenTDFServer, error
 		logr.Warn("disabling authentication. this is deprecated and will be removed. if you are using an IdP without DPoP set `enforceDPoP = false`")
 	}
 
-	// Try an register oidc issuer to wellknown service but don't return an error if it fails
-	if err := config.WellKnownConfigRegister("platform_issuer", config.Auth.Issuer); err != nil {
-		logr.Warn("failed to register platform issuer", slog.String("error", err.Error()))
-	}
-
 	// Create grpc server and in process grpc server
 	grpcServer, err := newGrpcServer(config, authN)
 	if err != nil {