Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

OAuth now uses client TLS certs (if configured)#5042

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
kylecarbs merged 6 commits intocoder:mainfromnormana10:oauth-use-client-certificate
Nov 13, 2022

Conversation

normana10
Copy link
Contributor

Hi,

I'm trying to get Coder deployed within my organization but our OpenID Connect providerrequires valid TLS client certificates before it will respond to the.well-known HTTP call that theoidc library makes

These changes configure theoidc library to use (optional and configurable) client TLS certificates

I've verified these changes work withmy personal/homelab OpenID Connect provider when I configure my reverse proxy to require TLS client certs

(Let me know if I missed anything, I'm new to Go 😄)

Also let me know if there's some glaringly obvious Go-ish way to do this with like environment variables or command line args that I'm unaware of

Thanks!

Copy link
Member

@kylecarbskylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Your contribution is appreciated!

Is it possible for us to use the existingClientCAFile property instead of adding these new ones? RIght now, it's consumed when TLS is enabled, but it seems like we should make italways apply instead and add theoauth2.HTTPClient to the context.

If you need help or have questions, feel free to ping me! Happy to add this (and we can do a release afterward so you can use it).

@@ -1248,3 +1253,21 @@ func startBuiltinPostgres(ctx context.Context, cfg config.Root, logger slog.Logg
}
return connectionURL, ep.Stop, nil
}

func handleOauth2ClientCertificates(cfg *codersdk.DeploymentConfig, ctx context.Context) (context.Context, error) {
if cfg.TLS.ClientCertFile.Value != "" && cfg.TLS.ClientKeyFile.Value != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We already haveClientCAFile as a configuration option, so you should be able to remove the configuration changes here!

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'm going to expand on my use-case a bit more because Ithink it's slightly different

So with my changes in the config file we have:

  • CertFiles
  • KeyFiles
  • ClientCAFile
  • ClientCertFile (new)
  • ClientKeyFile (new)

In my org, I have been given a wildcard cert*.coder.normana10.example.com and a "system/identity" certnormana10.example.com

I need to use the wildcard cert for all "serving" and the "identity" cert for all external callsthat Coder makes

(I'm not going to say this is "correct", but it's just how my org does things)

So if I wanted Coder to terminate TLS my config would look like:

  • CertFiles =/path/to/wildcard.cert
  • KeyFiles =/path/to/wildcard.key
  • ClientCAFile =/path/to/ca.cert (Only used to verify client certs ifClientAuth is set to verify)
  • ClientCertFile (new) =/path/to/identity.cert
  • ClientKeyFile (new) =/path/to/identity.key

SoClientCAFile (as far as I've seen) looks like it's just used to verifyclients connecting to Coder. Where I'm looking to set the client certsCoder uses when connecting to external services

If that makes sense?

For full transparency, myactual config doesn't have Coder terminating TLS, so realistically I'djust have my two new configs set

kylecarbs reacted with thumbs up emoji
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

All makes sense! I appreciate the context... the changes look good to me!

@normana10normana10 requested a review froma team as acode ownerNovember 13, 2022 01:55
@normana10normana10 requested review fromjsjoeio and removed request fora teamNovember 13, 2022 01:55
@@ -1248,3 +1253,21 @@ func startBuiltinPostgres(ctx context.Context, cfg config.Root, logger slog.Logg
}
return connectionURL, ep.Stop, nil
}

func handleOauth2ClientCertificates(ctx context.Context, cfg *codersdk.DeploymentConfig) (context.Context, error) {
if cfg.TLS.ClientCertFile.Value != "" && cfg.TLS.ClientKeyFile.Value != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

nit (not blocking merge): You could invert the control-flow here to reduce indentation!

@kylecarbskylecarbs merged commit9578ce9 intocoder:mainNov 13, 2022
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsNov 13, 2022
@github-actionsgithub-actionsbot deleted the oauth-use-client-certificate branchMay 17, 2024 00:31
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@kylecarbskylecarbskylecarbs approved these changes

@jsjoeiojsjoeioAwaiting requested review from jsjoeiojsjoeio was automatically assigned from coder/ts

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

2 participants
@normana10@kylecarbs
[8]ページ先頭
©2009-2025 Movatter.jp