[oidc] encode and validate state params

[AlexTugarev]

After this PR is merged, the state param of the OIDC/OAuth2 gets signed and verified. Validating of integrity is crucial, as this piece of information contains the ID of the OIDC client to continue with when Gitpod receives the callback from a 3rd party. Tests should show that expiration time is checked and signature validation is effective.

Related Issue(s)

Part of #15956

How to test

See internal post for test credentials.

1. Create new Org
2. Create new SSO client under settings
3. Select Login from actions menu (three dot button)
4. Copy the full URL (starting with https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?) from browser's location bar.
5. Now, first see a working login into your @gitpod.io account if you proceed.
6. Take the URL from step 4.), find the state query param, alter the last segment (they are separated by .), then paste it into a new tab. You should see client config not found. The logs will contain the bad state param as reason.

Release Notes

NONE

Documentation

Build Options:

• /werft with-github-actions
  Experimental feature to run the build with GitHub Actions (and not in Werft).
• leeway-no-cache
  leeway-target=components:all
• /werft no-test
  Run Leeway with --dont-test

Publish Options

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer Options

• with-ee-license
• with-slow-database
• with-dedicated-emulation
• with-ws-manager-mk2
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment Options:

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

[werft-gitpod-dev-com]

started the job as gitpod-build-at-state-jwt.1 because the annotations in the pull request description changed
(with .werft/ from main)

[easyCZ]

LGTM in general. Let's find a better way to avoid the skipVerification, as that pushes test code into our main implementation.

[easyCZ]

In some way, the fact that it's a JWT is an implementation detail. And as such, here we could go with an interface rather than the fact that it is JWT

You could express this as

type State interface {
  Encode(..)
  Decode(..)
}

While this creates indirection, it does help future readers to not have to know the details of how it's encoded, just that it is.

[easyCZ]

Up to you.

[easyCZ]

Either move this to a test package, or make it a first class constructor which doens't mention Test. It's an anti-pattern in Go to have test code alongisde the non-test implementation.

But I think we shouldn't have the skipVerifyIdToken as a thing on this service at all. We should either abstract the verification behind an interface, such that we can mock/stub it in tests, or actually run the verification check.

[easyCZ]

Alternatively, if you want to provide this as an option for the caller, encode it into the request such that the caller can choose to have the verification skipped.

[easyCZ]

Let me know if you'd like to pair on this.

[AlexTugarev]

'Removed newTestService.

skipVerifyIdToken is passed to a constructor from a library. It was a recommended way to use this shortcut and remove skipVerifyIdToken in a separate PR.

With the added golang-jwt/jwt, it's now easier to extend the mocked service to actually to the checks instead of skipping verification.

[AlexTugarev]

Let's find a better way to avoid the skipVerification, as that pushes test code into our main implementation.

skipVerification is deemed to be removed in following PR.

[easyCZ]

/hold for final Qs

[easyCZ]

How do we communicate that this is a User Error, and not a system error?

[AlexTugarev]

same as #16331 (comment)

That needs improvements.

[easyCZ]

If there's no secret, the stateJWT can now be nil. We're passing it into

oidc.NewService(cfg.SessionServiceAddress, dbConn, cipherSet, stateJWT)

Where it will panic when we try to access it on the calls. Should we hard fail if we don't have the secret? How do we handle this case?

[AlexTugarev]

Was about to raise this question as well.

First of, adding config for staging and prod in ops.

Should we hard fail if we don't have the secret? How do we handle this case?

Failing the whole component is really bad, but doesn't seem to be wrong as this as crucial bits from security perspective, i.e. falling back to a default is a "no go".

OTOH, a second option might be to check for stateJWT == nil in handlers and fail late. That comes at the cost of monitoring, as we'd need to cover that independently.

How was that discussed with PATs and Stripe integration?

[AlexTugarev]

@easyCZ, I'm opting for not failing hard for now. We can change later on. Reason: for now this is all experimental and behind the scene, so let's keep risk at minimum.

[AlexTugarev]

Done. Now it should not panic, but any attempt to call the endpoints while the signing key is not provided will be cancelled with an error.

[easyCZ]

IMO, it's better to hard-fail in this case, I'm happy to do a follow-up change. With Stripe, we didn't hard fail because we had the use-case that we couldn't control the stripe configuration but needed the rest of the server to work. But here, we get a better rollout signal when we rollout and miss something.

[AlexTugarev]

@easyCZ, let's do in follow-ups, please!

What else is required to release the breaks on this?

[easyCZ]

PR is approved, feel free to land

[AlexTugarev]

/hold cancel