diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc.go b/plugin/pkg/auth/authenticator/token/oidc/oidc.go index 4c042d6115a..c9071b1d723 100644 --- a/plugin/pkg/auth/authenticator/token/oidc/oidc.go +++ b/plugin/pkg/auth/authenticator/token/oidc/oidc.go @@ -99,10 +99,6 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA glog.Infof("Fetched provider config from %s: %#v", issuerURL, cfg) - if cfg.KeysEndpoint == "" { - return nil, fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery") - } - ccfg := oidc.ClientConfig{ HTTPClient: hc, Credentials: oidc.ClientCredentials{ID: clientID}, diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go index d8260b842f7..a2e3559ce29 100644 --- a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go +++ b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go @@ -31,6 +31,7 @@ import ( "net" "net/http" "net/http/httptest" + "net/url" "os" "path" "path/filepath" @@ -70,8 +71,16 @@ func newOIDCProvider(t *testing.T) *oidcProvider { } +func mustParseURL(t *testing.T, s string) *url.URL { + u, err := url.Parse(s) + if err != nil { + t.Fatalf("Failed to parse url: %v", err) + } + return u +} + func (op *oidcProvider) handleConfig(w http.ResponseWriter, req *http.Request) { - b, err := json.Marshal(op.pcfg) + b, err := json.Marshal(&op.pcfg) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return @@ -203,7 +212,7 @@ func TestOIDCDiscoveryTimeout(t *testing.T) { func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) { var err error - expectErr := fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery") + expectErr := fmt.Errorf("failed to fetch provider config after 3 retries") cert := path.Join(os.TempDir(), "oidc-cert") key := path.Join(os.TempDir(), "oidc-key") 
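Review bot: Dropping the explicit `jwks_uri` check in `New` (the removed `if cfg.KeysEndpoint == ""` block after the `glog.Infof` line) leaves nothing at this call site recording that a key endpoint is still mandatory for ID-token signature verification; the updated test now expects such a provider to fail with "failed to fetch provider config after 3 retries", which reads as a network/availability failure rather than a misconfiguration. A comment where the check stood, e.g. `// jwks_uri is validated by the oidc library while the provider config is fetched (see TestOIDCDiscoveryNoKeyEndpoint); a config without it never reaches this point.`, would preserve that intent for the next maintainer and make the dependency on the library's validation explicit. If the fetch/retry loop (not in this hunk) can surface the library's underlying validation error, wrapping it into the retry error would make the operator-facing message actionable instead of masking the root cause. The body of `New` starts and ends outside the hunk.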
@@ -225,7 +234,7 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) { // defer srv.Close() op.pcfg = oidc.ProviderConfig{ - Issuer: srv.URL, + Issuer: mustParseURL(t, srv.URL), // An invalid ProviderConfig. Keys endpoint is required. } _, err = New(srv.URL, "client-foo", cert, "sub", "") @@ -245,8 +254,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) { // defer srv.Close() op.pcfg = oidc.ProviderConfig{ - Issuer: srv.URL, - KeysEndpoint: srv.URL + "/keys", + Issuer: mustParseURL(t, srv.URL), + KeysEndpoint: mustParseURL(t, srv.URL+"/keys"), } expectErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", srv.URL, "http") @@ -282,8 +291,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) { // defer tlsSrv.Close() op.pcfg = oidc.ProviderConfig{ - Issuer: tlsSrv.URL, - KeysEndpoint: tlsSrv.URL + "/keys", + Issuer: mustParseURL(t, tlsSrv.URL), + KeysEndpoint: mustParseURL(t, tlsSrv.URL+"/keys"), } // Create a client using cert2, should fail. @@ -317,9 +326,15 @@ func TestOIDCAuthentication(t *testing.T) { // TODO: Uncomment when fix #19254 // defer srv.Close() + // A provider config with all required fields. op.pcfg = oidc.ProviderConfig{ - Issuer: srv.URL, - KeysEndpoint: srv.URL + "/keys", + Issuer: mustParseURL(t, srv.URL), + AuthEndpoint: mustParseURL(t, srv.URL+"/auth"), + TokenEndpoint: mustParseURL(t, srv.URL+"/token"), + KeysEndpoint: mustParseURL(t, srv.URL+"/keys"), + ResponseTypesSupported: []string{"code"}, + SubjectTypesSupported: []string{"public"}, + IDTokenSigningAlgValues: []string{"RS256"}, } tests := []struct { @@ -371,7 +386,7 @@ func TestOIDCAuthentication(t *testing.T) { op.generateMalformedToken(t, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil), nil, false, - "malformed JWS, unable to decode signature", + "oidc: unable to verify JWT signature: no matching keys", }, { // Invalid 'aud'. 
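Review bot: In the `TestOIDCAuthentication` table, the case built from `generateMalformedToken` now expects `"oidc: unable to verify JWT signature: no matching keys"`, which is presumably the same error a well-formed token signed under an unknown key id would produce, so this case no longer demonstrates that a structurally malformed signature is rejected as malformed rather than merely unmatched. It would be worth confirming what `generateMalformedToken` (not visible here) emits after the library change and, if it still yields a broken JWS, adding a short comment on the expectation such as `// the library looks up keys before decoding the signature, so a malformed JWS surfaces as "no matching keys"`. Either way the token is still rejected, so the security outcome of the test holds; the concern is only about what the case documents. The test function starts and ends outside the hunk.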
@@ -404,7 +419,8 @@ func TestOIDCAuthentication(t *testing.T) {
 for i, tt := range tests {
 client, err := New(srv.URL, "client-foo", cert, tt.userClaim, tt.groupsClaim)
 if err != nil {
- t.Fatalf("Unexpected error: %v", err)
+ t.Errorf("Unexpected error: %v", err)
+ continue
 }
 user, result, err := client.AuthenticateToken(tt.token)