# This must be exactly equal to the URL returned by the issuer
# itself in its config response ("isser" key). If the
# configured value is "https://example" and the provider
- # returns "https://example:443" then login will fail, even
- # though those URLs are equivalent (RFC3986).
- #
- # If the configured URL's path component is just "/" then it
- # is stripped. Therefore, an issuer advertising itself as
- # "https://example/" cannot be used -- but "https://example",
- # "https://example/foo", and "https://example/foo/" are
- # supported.
+ # returns "https://example:443" or "https://example/" then
+ # login will fail, even though those URLs are equivalent
+ # (RFC3986).
Issuer: ""
# Your client ID and client secret (supplied by the provider).
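Review bot: The discovery-document key named in the context line is misspelled: the OpenID Connect Discovery field is `issuer`, and since this comment is now the only place telling operators what value must match, it should read `itself in its discovery document ("issuer" key)`. It would also help to state directly that the configured string is handed to the OIDC library verbatim with no normalisation (trailing "/" and explicit port included), since the old text described the stripping the code used to do and the new text only gives examples. The same paragraph appears a second time further down this page (presumably a generated copy of this file), so both copies need the fix.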
# This must be exactly equal to the URL returned by the issuer
# itself in its config response ("isser" key). If the
# configured value is "https://example" and the provider
- # returns "https://example:443" then login will fail, even
- # though those URLs are equivalent (RFC3986).
- #
- # If the configured URL's path component is just "/" then it
- # is stripped. Therefore, an issuer advertising itself as
- # "https://example/" cannot be used -- but "https://example",
- # "https://example/foo", and "https://example/foo/" are
- # supported.
+ # returns "https://example:443" or "https://example/" then
+ # login will fail, even though those URLs are equivalent
+ # (RFC3986).
Issuer: ""
# Your client ID and client secret (supplied by the provider).
UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
}
case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
- issuer := cluster.Login.OpenIDConnect.Issuer
- if issuer.Path == "/" {
- // The OIDC library returns an error if the
- // config says "https://example/" and the
- // issuer identifies itself as
- // "https://example", even though those URLs
- // are equivalent
- // (https://tools.ietf.org/html/rfc3986#section-6.2.3).
- //
- // Our config loader adds "/" to URLs with
- // empty path, so we strip it off here and
- // count on the issuer to do the same when
- // identifying itself, as Google does.
- //
- // (Non-empty paths as in
- // "https://example/foo/" are preserved by the
- // config loader so the config just has to
- // match the issuer's response.)
- issuer.Path = ""
- }
return &oidcLoginController{
Cluster: cluster,
RailsProxy: railsProxy,
- Issuer: issuer.String(),
+ Issuer: cluster.Login.OpenIDConnect.Issuer,
ClientID: cluster.Login.OpenIDConnect.ClientID,
ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
}
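Review bot: With `Issuer` now a plain string, `Issuer: cluster.Login.OpenIDConnect.Issuer` forwards whatever the operator typed with no check that it is a well-formed URL or even non-empty, so a typo surfaces only when the first user tries to log in, and an `http://` issuer (discovery document and JWKS fetched in cleartext) is accepted silently; the removed code at least got a parsed `URL` from the config loader. Suggest validating once before building the controller, e.g. `issuer := cluster.Login.OpenIDConnect.Issuer` then `if u, err := url.Parse(issuer); err != nil || u.Host == "" { /* report the misconfiguration the way the other arms do */ }`, and rejecting (or at minimum warning on) a scheme other than `https`. The `switch` and its enclosing function start before this hunk and the other arms' error-reporting convention is not visible here, so the exact form of the rejection is inferred.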
func (s *OIDCLoginSuite) TestConfig(c *check.C) {
s.cluster.Login.Google.Enable = false
s.cluster.Login.OpenIDConnect.Enable = true
- s.cluster.Login.OpenIDConnect.Issuer = arvados.URL{Scheme: "https", Host: "accounts.example.com", Path: "/"}
+ s.cluster.Login.OpenIDConnect.Issuer = "https://accounts.example.com/"
s.cluster.Login.OpenIDConnect.ClientID = "oidc-client-id"
s.cluster.Login.OpenIDConnect.ClientSecret = "oidc-client-secret"
localdb := NewConn(s.cluster)
ctrl := localdb.loginController.(*oidcLoginController)
- c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com")
+ c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com/")
c.Check(ctrl.ClientID, check.Equals, "oidc-client-id")
c.Check(ctrl.ClientSecret, check.Equals, "oidc-client-secret")
c.Check(ctrl.UseGooglePeopleAPI, check.Equals, false)
}
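Review bot: TestConfig pins the pass-through for a single value, so only the trailing-slash form is covered; a second case such as `s.cluster.Login.OpenIDConnect.Issuer = "https://accounts.example.com"` followed by a fresh `NewConn(s.cluster)` and `c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com")` would show both forms survive untouched and guard against the removed path-stripping creeping back in either direction. The second case needs its own `NewConn` call because the controller is built from the cluster at construction time.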
OpenIDConnect struct {
Enable bool
- Issuer URL
+ Issuer string
ClientID string
ClientSecret string
}
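Review bot: The `Issuer string` field carries no comment, and because the type change drops whatever parsing the config loader performed for `URL`, the struct is where a reader will look for the contract. Suggest `// Issuer must equal the "issuer" value in the provider's discovery document exactly; it is passed to the OIDC library without normalisation, so a trailing "/" or explicit port is significant.` The enclosing `Login` struct begins outside this hunk.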