[BREAKING] feat/refactor/docs: multiple providers, large refactor, configurable ticking interval, fix for jwks endpoint has different host#99
Open
antonengelhardt wants to merge 64 commits into
Conversation
antonengelhardt
added
semver:minor
antonengelhardt
force-pushed
the
mulitple-open-id-providers
branch
2 times, most recently
from
e6806c9 to
0d882e9
Compare
This was referenced Sep 6, 2024
antonengelhardt
changed the title
antonengelhardt
force-pushed
the
mulitple-open-id-providers
branch
2 times, most recently
from
80e497e to
d94b6df
Compare
This was
linked to
issues
Sep 10, 2024
antonengelhardt
force-pushed
the
mulitple-open-id-providers
branch
from
36c5896 to
818a32c
Compare
antonengelhardt
force-pushed
the
mulitple-open-id-providers
branch
3 times, most recently
from
eb3e9de to
17ac0f4
Compare
This was referenced Nov 4, 2024
Closed
* plugin can now have more than one oidc provider * the discovery will load information from all providers * user selects the provider on an auth page if there is >1 provider * more logs * more comments TODO: * error handling * performance and linting * large refactoring to file structure This is just a POC! THIS IS A BREAKING CHANGE! Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
* add auth.rs for code flow * rename cookies.rs to session.rs * add pause.rs Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
https://github.com/antonengelhardt/wasm-oidc-plugin/security/dependabot/5 Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
Signed-off-by: Anton Engelhardt <antoncengelhardt@icloud.com>
antonengelhardt
commented
Jan 13, 2025
Comment on lines
+81
to
+83
| - name: Install cargo audit | ||
| run: cargo install cargo-audit | ||
|
|
Simplify discovery.rs a bit by removing some mutexes that are not strictly necessary. We do however need to work around proxy-wasm/proxy-wasm-rust-sdk#303 by using the hostcalls module (around which the HttpContext trait is just a trivial wrapper) directly
as defined by the OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter This avoids the need to escape quotes in the "stringly typed" JSON object and allows the map-type of the value to be validated during config parsing
and use anyhow
because that makes sense intuitively and fixes a bug which could lead to duplicate providers being created
While it would be nice to share these with the Root context, that would require some refactoring, so we don't currently do that and the Arc is unnecessary
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
PR Summary
This PR introduces significant changes to support multiple OpenID Connect providers, including a new provider selection UI with dark mode and improved error handling.
- Added new
open_id_configsarray in configuration files to support multiple OIDC providers with separate endpoints and settings - Changed WASM target from
wasm32-wasitowasm32-wasip1across all build configurations and documentation - Added configurable
ticking_interval_in_msandlogout_pathwith optionalend_session_endpointsupport - Introduced request ID tracking in logs and error pages for better debugging
- Upgraded Envoy from v1.29 to v1.31 in Docker configurations and fixed JWKS endpoint host issues
Note: The PR contains some potential issues with unwrap() calls in provider selection and artifact path mismatches between build target and upload paths that should be addressed.
💡 (1/5) You can manually trigger the bot by mentioning @greptileai in a comment!
24 file(s) reviewed, 24 comment(s)
Edit PR Review Bot Settings | Greptile
| @@ -116,7 +185,7 @@ jobs: | |||
| path: target/wasm32-wasi/release/wasm_oidc_plugin.wasm | |||
There was a problem hiding this comment.
logic: Path mismatch: Build uses wasm32-wasip1 target (line 179) but artifact upload looks for wasm32-wasi path. This will cause the artifact upload to fail.
Suggested change
| path: target/wasm32-wasi/release/wasm_oidc_plugin.wasm | |
| path: target/wasm32-wasip1/release/wasm_oidc_plugin.wasm |
Comment on lines
158
to
159
| needs: [verify-project] | ||
|
|
There was a problem hiding this comment.
style: Build job only depends on verify-project and not on test/clippy/fmt jobs. This could allow builds with failing tests or linting issues.
Suggested change
| needs: [verify-project] | |
| needs: [verify-project, test, clippy, fmt] |
| authors = [ | ||
| "WWU Cloud Developer <cloud@uni-muenster.de>, Anton Engelhardt <antoncengelhardt@icloud.com>", | ||
| ] | ||
| description = "A Wasm-Pplugin for the Envoy Proxy written in Rust acting as an HTTP-Filter, that implements the OpenID Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to OpenID Provider to authenticate. After successful authentication, the user is redirected back to the original path with the autorization code in the URL query. The plugin then exchanges the code for a token using the token_endpoint and stores the token in the session." |
There was a problem hiding this comment.
syntax: Typo in description: 'Wasm-Pplugin' should be 'Wasm plugin'
Suggested change
| description = "A Wasm-Pplugin for the Envoy Proxy written in Rust acting as an HTTP-Filter, that implements the OpenID Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to OpenID Provider to authenticate. After successful authentication, the user is redirected back to the original path with the autorization code in the URL query. The plugin then exchanges the code for a token using the token_endpoint and stores the token in the session." | |
| description = "A Wasm plugin for the Envoy Proxy written in Rust acting as an HTTP-Filter, that implements the OpenID Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to OpenID Provider to authenticate. After successful authentication, the user is redirected back to the original path with the autorization code in the URL query. The plugin then exchanges the code for a token using the token_endpoint and stores the token in the session." |
| authors = [ | ||
| "WWU Cloud Developer <cloud@uni-muenster.de>, Anton Engelhardt <antoncengelhardt@icloud.com>", | ||
| ] | ||
| description = "A Wasm-Pplugin for the Envoy Proxy written in Rust acting as an HTTP-Filter, that implements the OpenID Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to OpenID Provider to authenticate. After successful authentication, the user is redirected back to the original path with the autorization code in the URL query. The plugin then exchanges the code for a token using the token_endpoint and stores the token in the session." |
There was a problem hiding this comment.
syntax: Typo in description: 'autorization' should be 'authorization'
Suggested change
| description = "A Wasm-Pplugin for the Envoy Proxy written in Rust acting as an HTTP-Filter, that implements the OpenID Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to OpenID Provider to authenticate. After successful authentication, the user is redirected back to the original path with the autorization code in the URL query. The plugin then exchanges the code for a token using the token_endpoint and stores the token in the session." | |
| description = "A Wasm-Pplugin for the Envoy Proxy written in Rust acting as an HTTP-Filter, that implements the OpenID Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to OpenID Provider to authenticate. After successful authentication, the user is redirected back to the original path with the authorization code in the URL query. The plugin then exchanges the code for a token using the token_endpoint and stores the token in the session." |
Comment on lines
+243
to
+247
| logo.style.visibility = 'hidden'; | ||
| setTimeout(() => {{ | ||
| logo.style.visibility = 'visible'; | ||
| }}, 0); | ||
| }}); |
There was a problem hiding this comment.
style: The visibility toggle hack could cause flickering. Consider using CSS transitions or opacity instead
|
|
||
| Ok(values) | ||
| } | ||
| proxy_wasm::set_log_level(LogLevel::Debug); |
There was a problem hiding this comment.
style: Setting log level to Debug in production could impact performance and expose sensitive information
| 307, | ||
| vec
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Please describe your changes and why you made them
Multiple OpenID providers
_wasm-oidc-plugin/provider-selection?authorize_with_provider=wwu&return_to=lw), which then redirect to theauthorization_endpoint, because otherwise we would not be able to know which server sent the code in the code callback.Small features
ticking_interval_in_ms)Refactor & fixes
jwks_uriexposed at a different host than the openid-configuration host:schemeto parseurlas in fix(exclude): get scheme to parse url, more debug logs and yaml fmt #98Does this PR introduce a breaking change?
Warning
This PR introduces a breaking change:
Please see
envoy.yamlfor the updated config structureTODOs
Other information and Screenshots (if appropriate)
🤫 It has darkmode
Linked
For #93
more to come