diff --git a/main_test.go b/main_test.go
index cbe79683..a90f1a38 100644
--- a/main_test.go
+++ b/main_test.go
@@ -186,6 +186,7 @@ redirect_url="http://localhost:4180/oauth2/callback" InsecureAllowUnverifiedEmail: ptr.To(false), InsecureSkipIssuerVerification: ptr.To(false), SkipDiscovery: ptr.To(false),
+ EnabledSigningAlgs: []string{},
}, MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{ FederatedTokenAuth: ptr.To(false),
diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go
index b4f37aaf..99e3679f 100644
--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@@ -51,15 +51,16 @@ func NewLegacyOptions() *LegacyOptions { }, LegacyProvider: LegacyProvider{
- ProviderType: "google",
- AzureTenant: "common",
- ApprovalPrompt: "force",
- UserIDClaim: "email",
- OIDCEmailClaim: "email",
- OIDCGroupsClaim: "groups",
- OIDCAudienceClaims: []string{"aud"},
- OIDCExtraAudiences: []string{},
- InsecureOIDCSkipNonce: true,
+ ProviderType: "google",
+ AzureTenant: "common",
+ ApprovalPrompt: "force",
+ UserIDClaim: "email",
+ OIDCEmailClaim: "email",
+ OIDCGroupsClaim: "groups",
+ OIDCAudienceClaims: []string{"aud"},
+ OIDCExtraAudiences: []string{},
+ OIDCEnabledSigningAlgs: []string{},
+ InsecureOIDCSkipNonce: true,
}, Options: *NewOptions(),
@@ -545,6 +546,7 @@ type LegacyProvider struct { OIDCAudienceClaims []string `flag:"oidc-audience-claim" cfg:"oidc_audience_claims"` OIDCExtraAudiences []string `flag:"oidc-extra-audience" cfg:"oidc_extra_audiences"` OIDCPublicKeyFiles []string `flag:"oidc-public-key-file" cfg:"oidc_public_key_files"`
+ OIDCEnabledSigningAlgs []string `flag:"oidc-enabled-signing-alg" cfg:"oidc_enabled_signing_algs"`
LoginURL string `flag:"login-url" cfg:"login_url"` AuthRequestResponseMode string `flag:"auth-request-response-mode" cfg:"auth_request_response_mode"` RedeemURL string `flag:"redeem-url" cfg:"redeem_url"`
@@ -606,6 +608,7 @@ func legacyProviderFlagSet() *pflag.FlagSet { flagSet.StringSlice("oidc-audience-claim", OIDCAudienceClaims, "which OIDC claims are used as audience to verify against client id") flagSet.StringSlice("oidc-extra-audience", []string{}, "additional audiences allowed to pass audience verification") flagSet.StringSlice("oidc-public-key-file", []string{}, "path to public key file in PEM format to use for verifying JWT tokens (may be given multiple times)")
+ flagSet.StringSlice("oidc-enabled-signing-alg", []string{}, "accepted signing algorithms for provider to use")
flagSet.String("login-url", "", "Authentication endpoint") flagSet.String("redeem-url", "", "Token redemption endpoint") flagSet.String("profile-url", "", "Profile access endpoint")
@@ -727,6 +730,7 @@ func (l *LegacyProvider) convert() (Providers, error) { AudienceClaims: l.OIDCAudienceClaims, ExtraAudiences: l.OIDCExtraAudiences, PublicKeyFiles: l.OIDCPublicKeyFiles,
+ EnabledSigningAlgs: l.OIDCEnabledSigningAlgs,
} // Support for legacy configuration option
diff --git a/pkg/apis/options/legacy_options_test.go b/pkg/apis/options/legacy_options_test.go
index d8d14bb0..5d0a4da9 100644
--- a/pkg/apis/options/legacy_options_test.go
+++ b/pkg/apis/options/legacy_options_test.go
@@ -27,6 +27,7 @@ var _ = Describe("Legacy Options", func() { legacyOpts.LegacyUpstreams.Upstreams = []string{"http://foo.bar/baz", "file:///var/lib/website#/bar", "static://204"} legacyOpts.LegacyProvider.ClientID = "oauth-proxy" legacyOpts.LegacyUpstreams.DisableKeepAlives = false
+ legacyOpts.LegacyProvider.OIDCEnabledSigningAlgs = []string{"EdDSA"}
staticCode := 204 opts.UpstreamServers = UpstreamConfig{
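Review bot: The help text for the new `oidc-enabled-signing-alg` flag, "accepted signing algorithms for provider to use", does not tell an operator which values are valid, that the flag may be repeated, or what an empty list means, and this string is the only documentation most users will see for a security allow-list. The sibling `oidc-public-key-file` help in the same hunk already spells out "(may be given multiple times)", so the new flag should follow suit: `flagSet.StringSlice("oidc-enabled-signing-alg", []string{}, "JWT signing algorithms (JOSE alg values, e.g. RS256, ES256, EdDSA) accepted for ID tokens from the provider; may be given multiple times")`. If an empty list falls back to the verifier's built-in default set (the verifier is not visible from this hunk), state that default in the help text too, because the default is what most deployments will run with. `legacyProviderFlagSet` begins and ends outside the hunk.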
@@ -128,6 +129,7 @@ var _ = Describe("Legacy Options", func() { opts.Providers[0].OIDCConfig.ExtraAudiences = []string{} opts.Providers[0].OIDCConfig.InsecureSkipNonce = ptr.To(true) opts.Providers[0].OIDCConfig.InsecureSkipIssuerVerification = ptr.To(false)
+ opts.Providers[0].OIDCConfig.EnabledSigningAlgs = []string{"EdDSA"}
opts.Providers[0].LoginURLParameters = []LoginURLParameter{ {Name: "approval_prompt", Default: []string{"force"}}, }
diff --git a/pkg/apis/options/providers.go b/pkg/apis/options/providers.go
index 94bdb592..fff9737c 100644
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@@ -318,6 +318,8 @@ type OIDCOptions struct { // ExtraAudiences is a list of additional audiences that are allowed // to pass verification in addition to the client id. ExtraAudiences []string `yaml:"extraAudiences,omitempty"`
+ // EnabledSigningAlgs is a list of allowed JWT signing algorithms
+ EnabledSigningAlgs []string `json:"enabledSigningAlgs"`
} type LoginGovOptions struct {
diff --git a/providers/providers.go b/providers/providers.go
index 6af51ecf..2fba73f5 100644
--- a/providers/providers.go
+++ b/providers/providers.go
@@ -99,6 +99,7 @@ func newProviderDataFromConfig(providerConfig options.Provider) (*ProviderData, IssuerURL: providerConfig.OIDCConfig.IssuerURL, JWKsURL: providerConfig.OIDCConfig.JwksURL, PublicKeyFiles: providerConfig.OIDCConfig.PublicKeyFiles,
+ SupportedSigningAlgs: providerConfig.OIDCConfig.EnabledSigningAlgs,
SkipDiscovery: ptr.Deref(providerConfig.OIDCConfig.SkipDiscovery, options.DefaultSkipDiscovery), SkipIssuerVerification: ptr.Deref(providerConfig.OIDCConfig.InsecureSkipIssuerVerification, options.DefaultInsecureSkipIssuerVerification), })
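Review bot: `EnabledSigningAlgs` is tagged `json:"enabledSigningAlgs"` while the neighbouring `ExtraAudiences` field in the same struct is tagged `yaml:"extraAudiences,omitempty"`; unless the alpha-config loader maps YAML through JSON tags (not visible here), the new field will not bind from a YAML key named `enabledSigningAlgs`, and the allow-list would silently stay empty, which is the opposite of what the operator configured for a signature-algorithm restriction. Follow the struct's existing convention, `EnabledSigningAlgs []string \`yaml:"enabledSigningAlgs,omitempty"\``, and extend the doc comment to say these are JOSE `alg` values (e.g. RS256, ES256, EdDSA) and what an empty list means. `OIDCOptions` begins outside the hunk.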
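Review bot: The configured list is copied straight into `SupportedSigningAlgs` with no validation, so a misspelt value such as `RS-256`, or an algorithm the verifier does not implement, becomes an allow-list that matches nothing and every ID token is rejected at login with a signature error instead of a configuration error at startup; `none` is likewise accepted as configuration text. Validate the entries once in the options validation path (outside this hunk) against the algorithm names the verifier actually supports, rejecting `none` and unknown values with a message that names the offender, e.g. `return fmt.Errorf("oidc-enabled-signing-alg: unsupported algorithm %q", alg)`. The two sides also use different names (`EnabledSigningAlgs` in options, `SupportedSigningAlgs` in `ProviderData`), so a one-line comment on the assignment, `// operator allow-list of JOSE alg values; empty means the verifier default`, would make the intent clear, assuming an empty list does fall back to the verifier default, which I cannot confirm from this hunk. `newProviderDataFromConfig` begins and ends outside the hunk.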