This is an automated email from the ASF dual-hosted git repository.
srijeet0406 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new c36c7b0df4 Oauth go dependency change (#7619)
c36c7b0df4 is described below
commit c36c7b0df4e9fbd83f3fe5d581ee2f37351d69e1
Author: Kurtis Michie <[email protected]>
AuthorDate: Fri Jul 7 18:11:50 2023 -0600
Oauth go dependency change (#7619)
* Created new field and logic for OAuth validation for use in Microsoft SSO
instances
* Added documentation for "oauth_user_attribute"
* Changelog addition
* Corrected spacing and table layout, error message format, and key
description
---
CHANGELOG.md | 1 +
dev/traffic_ops/cdn.json | 1 +
docs/source/admin/quick_howto/oauth_login.rst | 19 +++++++++++--------
docs/source/admin/traffic_ops.rst | 3 ++-
traffic_ops/traffic_ops_golang/config/config.go | 1 +
traffic_ops/traffic_ops_golang/login/login.go | 24 ++++++++++++++++++------
6 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c44cfab32..60d99aad61 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ The format is based on [Keep a
Changelog](http://keepachangelog.com/en/1.0.0/).
- [#7543](https://github.com/apache/trafficcontrol/pull/7543) *Traffic Portal*
New Ansible Role to use Traffic Portal v2
- [#7516](https://github.com/apache/trafficcontrol/pull/7516) *t3c* added
command line arg to control go_direct in parent.config
- [#7602](https://github.com/apache/trafficcontrol/pull/7602) *t3c* added
installed package data to t3c-apply-metadata.json
+- [#7619](https://github.com/apache/trafficcontrol/pull/7619) Traffic Ops*
added optional field `oauth_user_attribute` for OAuth login credentials
### Changed
- [#7584](https://github.com/apache/trafficcontrol/pull/7584) *Documentation*
Upgrade Traffic Control Sphinx documentation Makefile OS intelligent.
diff --git a/dev/traffic_ops/cdn.json b/dev/traffic_ops/cdn.json
index 561564c306..171fb7cd23 100644
--- a/dev/traffic_ops/cdn.json
+++ b/dev/traffic_ops/cdn.json
@@ -10,6 +10,7 @@
"log_location_event": "stdout",
"whitelisted_oauth_urls": [],
"oauth_client_secret": "",
+ "oauth_user_attribute": "unique_name",
"traffic_vault_backend": "postgres",
"traffic_vault_config": {
"aes_key_location": "/aes.key",
diff --git a/docs/source/admin/quick_howto/oauth_login.rst
b/docs/source/admin/quick_howto/oauth_login.rst
index 96d5d812d6..4b14fc7ab0 100644
--- a/docs/source/admin/quick_howto/oauth_login.rst
+++ b/docs/source/admin/quick_howto/oauth_login.rst
@@ -69,13 +69,15 @@ To configure OAuth login:
.. table:: OAuth Configuration Property Definitions In cdn.conf
-
+--------------------------+--------------------+-----------------------------------------------------------------------------------------------------------------+
- | Name | Type | Description
|
-
+==========================+====================+=================================================================================================================+
- | whitelisted_oauth_urls | Array of strings | List of
whitelisted URLs for the JSON public key set returned by OAuth provider. Can
contain ``*`` wildcards. |
-
+--------------------------+--------------------+-----------------------------------------------------------------------------------------------------------------+
- | oauth_client_secret | string | Client secret
registered with OAuth provider to verify client, passed in with `client_secret`
parameter |
-
+--------------------------+--------------------+-----------------------------------------------------------------------------------------------------------------+
+
+--------------------------+--------------------+---------------------------------------------------------------------------------------------------------------------+
+ | Name | Type | Description
|
+
+==========================+====================+=====================================================================================================================+
+ | whitelisted_oauth_urls | Array of strings | List of
whitelisted URLs for the JSON public key set returned by OAuth provider. Can
contain ``*`` wildcards. |
+
+--------------------------+--------------------+---------------------------------------------------------------------------------------------------------------------+
+ | oauth_client_secret | string | Client secret
registered with OAuth provider to verify client, passed in with
`oauth_client_secret` parameter |
+
+--------------------------+--------------------+---------------------------------------------------------------------------------------------------------------------+
+ | oauth_user_attribute | string | Client
username registered with OAuth provider to verify client, passed in with
`oauth_user_attribute` parameter |
+
+--------------------------+--------------------+---------------------------------------------------------------------------------------------------------------------+
.. code-block:: json
@@ -85,7 +87,8 @@ To configure OAuth login:
"traffic_ops_golang": {
"whitelisted_oauth_urls": [
"oauth.example.com",
- "*.example.com"
+ "*.example.com",
+ "[email protected]"
],
"oauth_client_secret": "secret"
}
diff --git a/docs/source/admin/traffic_ops.rst
b/docs/source/admin/traffic_ops.rst
index 7cd30dc1ac..91fb8e05c9 100644
--- a/docs/source/admin/traffic_ops.rst
+++ b/docs/source/admin/traffic_ops.rst
@@ -427,7 +427,8 @@ This file deals with the configuration parameters of
running Traffic Ops itself.
:log_location_info: This optional field, if specified, should either be
the location of a file to which informational-level output will be logged, or
one of the special strings ``"stdout"`` which indicates that STDOUT should be
used, ``"stderr"`` which indicates that STDERR should be used or ``"null"``
which indicates that no output of this level should be generated. An empty
string (``""``) and literally ``null`` are equivalent to ``"null"``. Default if
not specified is ``"null"``.
:log_location_warning: This optional field, if specified, should either
be the location of a file to which warning-level output will be logged, or one
of the special strings ``"stdout"`` which indicates that STDOUT should be used,
``"stderr"`` which indicates that STDERR should be used or ``"null"`` which
indicates that no output of this level should be generated. An empty string
(``""``) and literally ``null`` are equivalent to ``"null"``. Default if not
specified is ``"null"``.
:max_db_connections: An optional limit on the number of allowed
concurrent connections to the Traffic Ops Database. If it is less than or equal
to zero, there is no limit. Default if not specified is zero.
- :oauth_client_secret: An optional secret string to be shared with
OAuth-capable clients attempting to authenticate via OAuth. The default
behavior if this is not defined - or is an empty string (``""``) or ``null`` is
to disallow authentication via OAuth.
+ :oauth_client_secret: An optional secret string to be shared with
OAuth-capable clients attempting to authenticate via OAuth. The default
behavior if this is not defined ``-`` or is an empty string (``""``) or
``null`` is to disallow authentication via OAuth.
+ :oauth_user_attribute: An optional username string to be shared with
OAuth-capable clients attempting to authenticate via OAuth. The default
behavior if this is not defined ``-`` or is an empty string (``""``) or
``null`` is to disallow authentication via OAuth.
.. warning:: OAuth support in Traffic Ops is still in its
infancy, so most users are advised to avoid defining this field without good
cause.
diff --git a/traffic_ops/traffic_ops_golang/config/config.go
b/traffic_ops/traffic_ops_golang/config/config.go
index 1a79231fe3..8a8fee6d07 100644
--- a/traffic_ops/traffic_ops_golang/config/config.go
+++ b/traffic_ops/traffic_ops_golang/config/config.go
@@ -133,6 +133,7 @@ type ConfigTrafficOpsGolang struct {
RiakPort *uint `json:"riak_port"`
WhitelistedOAuthUrls []string `json:"whitelisted_oauth_urls"`
OAuthClientSecret string `json:"oauth_client_secret"`
+ OAuthUserAttribute string `json:"oauth_user_attribute"`
RoutingBlacklist `json:"routing_blacklist"`
SupportedDSMetrics []string `json:"supported_ds_metrics"`
TLSConfig *tls.Config `json:"tls_config"`
diff --git a/traffic_ops/traffic_ops_golang/login/login.go
b/traffic_ops/traffic_ops_golang/login/login.go
index 8ead7d842f..95a2959c46 100644
--- a/traffic_ops/traffic_ops_golang/login/login.go
+++ b/traffic_ops/traffic_ops_golang/login/login.go
@@ -483,17 +483,29 @@ func OauthLoginHandler(db *sqlx.DB, cfg config.Config)
http.HandlerFunc {
return
}
- decodedToken, err := jwt.Parse(
+ var decodedToken jwt.Token
+ if decodedToken, err = jwt.Parse(
[]byte(encodedToken),
jwt.WithVerifyAuto(true),
jwt.WithJWKSetFetcher(jwksFetcher),
- )
- if err != nil {
- api.HandleErr(w, r, nil,
http.StatusInternalServerError, nil, fmt.Errorf("Error decoding token with
message: %w", err))
- return
+ ); err != nil {
+ if decodedToken, err = jwt.Parse(
+ []byte(encodedToken),
+ jwt.WithVerifyAuto(false),
+ jwt.WithJWKSetFetcher(jwksFetcher),
+ ); err != nil {
+ api.HandleErr(w, r, nil,
http.StatusInternalServerError, nil, fmt.Errorf("error decoding token with
message: %w", err))
+ return
+ }
}
- userId := decodedToken.Subject()
+ var userId string
+ if cfg.OAuthUserAttribute != "" {
+ attributes := decodedToken.PrivateClaims()
+ userId = attributes[cfg.OAuthUserAttribute].(string)
+ } else {
+ userId = decodedToken.Subject()
+ }
form.Username = userId
dbCtx, cancelTx := context.WithTimeout(r.Context(),
time.Duration(cfg.DBQueryTimeoutSeconds)*time.Second)
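Review bot: The retry with `jwt.WithVerifyAuto(false)` re-parses a token whose first parse already failed — including a signature check against the fetched JWKS — with a weaker option, so a verification failure no longer rejects the login on its own; whether that second jwt.Parse verifies a signature at all (no key is supplied) is not visible from the hunk, but in either case a login path should fail closed on the first error rather than retry, so I would drop the inner parse and keep `api.HandleErr(w, r, nil, http.StatusInternalServerError, nil, fmt.Errorf("error decoding token with message: %w", err))` as the sole outcome of a failed parse. Separately, `userId = attributes[cfg.OAuthUserAttribute].(string)` is an unchecked type assertion on token-supplied claims: a token lacking that claim, or carrying a non-string value, panics the handler, and an empty string claim would proceed with an empty username, so use the two-value form and reject the request as below. The new field is described in this commit's docs as a username, while the code treats it as the name of a claim; worth aligning the description with the code. OauthLoginHandler's body starts before and continues after the hunk, and `err` and `encodedToken` are declared outside it.
```go
	var userId string
	if cfg.OAuthUserAttribute != "" {
		// Claims are token-supplied; the configured attribute may be absent or non-string.
		claim, ok := decodedToken.PrivateClaims()[cfg.OAuthUserAttribute].(string)
		if !ok || claim == "" {
			api.HandleErr(w, r, nil, http.StatusUnauthorized, fmt.Errorf("token has no string claim %q", cfg.OAuthUserAttribute), nil)
			return
		}
		userId = claim
	} else {
		userId = decodedToken.Subject()
	}
	// … unchanged: form.Username assignment and database context …
```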