4 changes: 2 additions & 2 deletions docs/Configuring.md
Expand Up @@ -88,7 +88,7 @@ Root level key `server`
| `auth.cache_refresh` | Interval in which the IDP jwks should be refreshed | `15m` | OPENTDF_SERVER_AUTH_CACHE_REFRESH |
| `auth.dpopskew` | The amount of time drift allowed between when the client generated a dpop proof and the server time. | `1h` | OPENTDF_SERVER_AUTH |
| `auth.skew` | The amount of time drift allowed between a tokens `exp` claim and the server time. | `1m` | OPENTDF_SERVER_AUTH_SKEW |
| `auth.public_client_id` | The oidc client id. This is leveraged by otdfctl. | | OPENTDF_SERVER_AUTH_PUBLIC_CLIENT_ID |
| `auth.public_client_id` | [DEPRECATED] The oidc client id. This is leveraged by otdfctl. | | OPENTDF_SERVER_AUTH_PUBLIC_CLIENT_ID |
| `auth.enforceDPoP` | If true, DPoP bindings on Access Tokens are enforced. | `false` | OPENTDF_SERVER_AUTH_ENFORCEDPOP |
| `cryptoProvider` | A list of public/private keypairs and their use. Described [below](#crypto-provider) | empty | |
| `enable_pprof` | Enable golang performance profiling | `false` | OPENTDF_SERVER_ENABLE_PPROF |
Expand Down Expand Up @@ -317,7 +317,7 @@ server:
auth:
enabled: true
enforceDPoP: false
public_client_id: 'opentdf-public'
public_client_id: 'opentdf-public' # DEPRECATED
Suggested change
public_client_id: 'opentdf-public' # DEPRECATED
# public_client_id: 'opentdf-public' # DEPRECATED

audience: 'http://localhost:8080'
issuer: http://keycloak:8888/auth/realms/opentdf
policy:
1 change: 0 additions & 1 deletion opentdf-core-mode.yaml
Expand Up @@ -21,7 +21,6 @@ server:
auth:
enabled: false
enforceDPoP: false
public_client_id: 'opentdf-public'
audience: 'http://localhost:8080'
issuer: http://localhost:8888/auth/realms/tdf
cors:
1 change: 0 additions & 1 deletion opentdf-dev.yaml
Expand Up @@ -54,7 +54,6 @@ server:
auth:
enabled: true
enforceDPoP: false
public_client_id: "opentdf-public"
audience: "http://localhost:8080"
issuer: http://localhost:8888/auth/realms/opentdf
policy:
1 change: 0 additions & 1 deletion opentdf-ers-mode.yaml
Expand Up @@ -21,7 +21,6 @@ server:
auth:
enabled: true
enforceDPoP: false
public_client_id: "opentdf-public"
audience: "http://localhost:8080"
issuer: http://localhost:8888/auth/realms/opentdf
policy:
1 change: 0 additions & 1 deletion opentdf-example.yaml
Expand Up @@ -41,7 +41,6 @@ server:
auth:
enabled: true
enforceDPoP: false
public_client_id: "opentdf-public"
audience: "http://localhost:8080"
issuer: http://keycloak:8888/auth/realms/opentdf
policy:
1 change: 0 additions & 1 deletion opentdf-kas-mode.yaml
Expand Up @@ -32,7 +32,6 @@ server:
auth:
enabled: true
enforceDPoP: false
public_client_id: 'opentdf-public'
audience: 'http://localhost:8080'
issuer: http://localhost:8888/auth/realms/opentdf
policy:
1 change: 0 additions & 1 deletion sdk/kas_client_test.go
Expand Up @@ -131,7 +131,6 @@ func Test_StoreKASKeys(t *testing.T) {
"issuer": "https://example.org",
"authorization_endpoint": "https://example.org/auth",
"token_endpoint": "https://example.org/token",
"public_client_id": "myclient",
},
}),
)
9 changes: 0 additions & 9 deletions sdk/platformconfig.go
Expand Up @@ -35,15 +35,6 @@ func (c PlatformConfiguration) TokenEndpoint() (string, error) {
return value, nil
}

func (c PlatformConfiguration) PublicClientID() (string, error) {
idpCfg := c.getIdpConfig()
value, ok := idpCfg["public_client_id"].(string)
if !ok {
return "", ErrPlatformPublicClientIDNotFound
}
return value, nil
}

func (c PlatformConfiguration) platformEndpoint() (string, error) {
value, ok := c["platform_endpoint"].(string)
if !ok {
21 changes: 10 additions & 11 deletions sdk/sdk.go
Expand Up @@ -30,17 +30,16 @@ import (
const (
// Failure while connecting to a service.
// Check your configuration and/or retry.
ErrGrpcDialFailed = Error("failed to dial grpc endpoint")
ErrShutdownFailed = Error("failed to shutdown sdk")
ErrPlatformUnreachable = Error("platform unreachable or not responding")
ErrPlatformConfigFailed = Error("failed to retrieve platform configuration")
ErrPlatformEndpointMalformed = Error("platform endpoint is malformed")
ErrPlatformIssuerNotFound = Error("issuer not found in well-known idp configuration")
ErrPlatformAuthzEndpointNotFound = Error("authorization_endpoint not found in well-known idp configuration")
ErrPlatformTokenEndpointNotFound = Error("token_endpoint not found in well-known idp configuration")
ErrPlatformPublicClientIDNotFound = Error("public_client_id not found in well-known idp configuration")
ErrPlatformEndpointNotFound = Error("platform_endpoint not found in well-known configuration")
ErrAccessTokenInvalid = Error("access token is invalid")
ErrGrpcDialFailed = Error("failed to dial grpc endpoint")
ErrShutdownFailed = Error("failed to shutdown sdk")
ErrPlatformUnreachable = Error("platform unreachable or not responding")
ErrPlatformConfigFailed = Error("failed to retrieve platform configuration")
ErrPlatformEndpointMalformed = Error("platform endpoint is malformed")
ErrPlatformIssuerNotFound = Error("issuer not found in well-known idp configuration")
ErrPlatformAuthzEndpointNotFound = Error("authorization_endpoint not found in well-known idp configuration")
ErrPlatformTokenEndpointNotFound = Error("token_endpoint not found in well-known idp configuration")
ErrPlatformEndpointNotFound = Error("platform_endpoint not found in well-known configuration")
ErrAccessTokenInvalid = Error("access token is invalid")
)

type Error string
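Review bot: Deleting `ErrPlatformPublicClientIDNotFound` from the exported `const` block in sdk/sdk.go, together with `PublicClientID()` in sdk/platformconfig.go, is a source-breaking change for any module that imports this SDK and matches the sentinel with errors.Is or calls the accessor, while docs/Configuring.md in the same PR only marks the server key as deprecated rather than removed. If external consumers such as otdfctl are expected to keep compiling, consider retaining both exported names for one release under a `// Deprecated: public_client_id is no longer published in the well-known configuration.` comment and only deleting them afterwards. The remaining lines of the hunk are a realignment of the other constants and need no further change.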
10 changes: 0 additions & 10 deletions sdk/sdk_test.go
Expand Up @@ -36,7 +36,6 @@ func TestNew_ShouldCreateSDK(t *testing.T) {
"issuer": "https://example.org",
"authorization_endpoint": "https://example.org/auth",
"token_endpoint": "https://example.org/token",
"public_client_id": "myclient",
},
}),
sdk.WithClientCredentials("myid", "mysecret", nil),
Expand All @@ -60,11 +59,6 @@ func TestNew_ShouldCreateSDK(t *testing.T) {
assert.Equal(t, "https://example.org/token", tokenEndpoint)
require.NoError(t, err)

// Check platform public client id
publicClientID, err := s.PlatformConfiguration.PublicClientID()
assert.Equal(t, "myclient", publicClientID)
require.NoError(t, err)

// check if the clients are available
assert.NotNil(t, s.Attributes)
assert.NotNil(t, s.ResourceMapping)
Expand All @@ -85,10 +79,6 @@ func Test_PlatformConfiguration_BadCases(t *testing.T) {
tokenEndpoint, err := s.PlatformConfiguration.TokenEndpoint()
assert.Empty(t, tokenEndpoint)
require.ErrorIs(t, err, sdk.ErrPlatformTokenEndpointNotFound)

publicClientID, err := s.PlatformConfiguration.PublicClientID()
assert.Empty(t, publicClientID)
require.ErrorIs(t, err, sdk.ErrPlatformPublicClientIDNotFound)
}

noIdpValsSDK, err := sdk.New(goodPlatformEndpoint,
2 changes: 0 additions & 2 deletions service/internal/auth/authn.go
Expand Up @@ -113,8 +113,6 @@ func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, we
if err != nil {
return nil, err
}
// Assign configured public_client_id
oidcConfig.PublicClientID = cfg.PublicClientID

// If the issuer is different from the one in the configuration, update the configuration
// This could happen if we are hitting an internal endpoint. Example we might point to https://keycloak.opentdf.svc/realms/opentdf
19 changes: 7 additions & 12 deletions service/internal/auth/config.go
Expand Up @@ -19,14 +19,13 @@ type Config struct {

// AuthNConfig is the configuration need for the platform to validate tokens
type AuthNConfig struct { //nolint:revive // AuthNConfig is a valid name
EnforceDPoP bool `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
Issuer string `mapstructure:"issuer" json:"issuer"`
Audience string `mapstructure:"audience" json:"audience"`
Policy PolicyConfig `mapstructure:"policy" json:"policy"`
CacheRefresh string `mapstructure:"cache_refresh_interval"`
DPoPSkew time.Duration `mapstructure:"dpopskew" default:"1h"`
TokenSkew time.Duration `mapstructure:"skew" default:"1m"`
PublicClientID string `mapstructure:"public_client_id" json:"public_client_id,omitempty"`
EnforceDPoP bool `mapstructure:"enforceDPoP" json:"enforceDPoP" default:"false"`
Issuer string `mapstructure:"issuer" json:"issuer"`
Audience string `mapstructure:"audience" json:"audience"`
Policy PolicyConfig `mapstructure:"policy" json:"policy"`
CacheRefresh string `mapstructure:"cache_refresh_interval"`
DPoPSkew time.Duration `mapstructure:"dpopskew" default:"1h"`
TokenSkew time.Duration `mapstructure:"skew" default:"1m"`
}

type PolicyConfig struct {
Expand Down Expand Up @@ -57,10 +56,6 @@ func (c AuthNConfig) validateAuthNConfig(logger *logger.Logger) error {
return errors.New("config Auth.Audience is required")
}

if c.PublicClientID == "" {
logger.Warn("config Auth.PublicClientID is empty and is required for discovery via well-known configuration.")
}

if !c.EnforceDPoP {
logger.Warn("config Auth.EnforceDPoP is false. DPoP will not be enforced.")
}
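Review bot: Removing the `PublicClientID` field from `AuthNConfig` means a `public_client_id` key still present in an operator's YAML (which docs/Configuring.md in this PR keeps, marked deprecated) will most likely be decoded without any feedback, since mapstructure ignores unknown keys unless the decoder is set up to reject them — the decoder configuration is not visible from this hunk. Rather than deleting the field outright, consider keeping it with a `// Deprecated:` comment and replacing the removed warning in validateAuthNConfig with `if c.PublicClientID != "" { logger.Warn("config Auth.PublicClientID is deprecated and has no effect") }`, so operators learn that the value is now ignored instead of silently losing it. validateAuthNConfig starts before the second hunk and continues past it.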
1 change: 0 additions & 1 deletion service/internal/auth/discovery.go
Expand Up @@ -26,7 +26,6 @@ type OIDCConfiguration struct {
SubjectTypesSupported []string `json:"subject_types_supported"`
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
RequireRequestURIRegistration bool `json:"require_request_uri_registration"`
PublicClientID string `json:"public_client_id,omitempty"`
}

// DiscoverOPENIDConfiguration discovers the openid configuration for the issuer provided
1 change: 0 additions & 1 deletion service/pkg/server/testdata/all-no-config.yaml
Expand Up @@ -35,7 +35,6 @@ server:
auth:
enabled: true
enforceDPoP: false
public_client_id: "opentdf-public"
audience: "http://localhost:8080"
issuer: http://localhost:8888/auth/realms/opentdf
policy: