feat(server/auth): validate flipt_client_token cookie in middleware #1139
Codecov Report

```
@@            Coverage Diff             @@
##             main    #1139      +/-   ##
==========================================
+ Coverage   79.87%   80.15%   +0.27%
==========================================
  Files          38       38
  Lines        2758     2796      +38
==========================================
+ Hits         2203     2241      +38
  Misses        451      451
  Partials      104      104
```
```go
// which skips authentication when the provided server instance matches the intercepted
// call's parent server instance.
// This allows the caller to register servers which explicitly skip authentication (e.g. OIDC).
func WithServerSkipsAuthentication(server any) containers.Option[InterceptorOptions] {
```
Is there any way to identify a server by name instead of doing pointer comparison (when checking whether it's in `o.skippedServers[]`)?
I think there might be. We could do a comparison on the string of the full method: https://pkg.go.dev/google.golang.org/grpc#UnaryServerInfo

However, I felt this was relatively more concrete, since it is a direct pointer comparison with the instance we want to skip auth on. If we compare with the method name and someone then renames a package or type, it moves under us.

While this does use `any`, you still have to pass it something, and if that something gets renamed it won't compile until you correct it.
Supports #779
Fixes FLI-50

This adds support for passing a Flipt client token via the `flipt_client_token` key in the `Cookie` header. This is necessary to support browser/cookie-based sessions.

The middleware now checks for the presence of either header key, `Authorization` or `Cookie`. Depending on which key is present, it parses them appropriately.

One additional change is optional support for skipping auth. This is done by passing the pointer of the server instance to `WithServerSkipsAuthentication(server)`. The OIDC server implementation itself requires open access, since it provides delegated authentication via an Authentication Server. The authorize URL action simply returns a string which points to the delegated authenticator. The callback URL must be provided with a valid and verifiable `code` for auth to be granted.
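A stand-alone sketch of the two behaviours this PR describes (taking the token from either a Bearer `Authorization` header or the `flipt_client_token` cookie, and skipping authentication for servers registered by pointer identity), written as an added example rather than Flipt's own code. `Metadata`, `Interceptor` and `Authenticate` are constructed stand-ins for gRPC metadata and the real interceptor, using only the standard library.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Metadata is a constructed stand-in for gRPC incoming metadata (keys lowercase).
type Metadata map[string][]string

const cookieName = "flipt_client_token"

// Interceptor holds server instances that bypass auth, matched by pointer identity.
type Interceptor struct{ skippedServers []any }

// WithServerSkipsAuthentication registers a server (a pointer) to skip, e.g. the OIDC server.
func WithServerSkipsAuthentication(server any) func(*Interceptor) {
	return func(i *Interceptor) { i.skippedServers = append(i.skippedServers, server) }
}

// ClientToken reads the token from a Bearer Authorization header or, when that
// header is absent, from the flipt_client_token cookie.
func ClientToken(md Metadata) (string, error) {
	if vals := md["authorization"]; len(vals) > 0 {
		if token, ok := strings.CutPrefix(vals[0], "Bearer "); ok && token != "" {
			return token, nil
		}
		return "", errors.New("unauthenticated: malformed Authorization header")
	}
	// Reuse net/http's cookie parser on the raw Cookie header values.
	req := &http.Request{Header: http.Header{"Cookie": md["cookie"]}}
	for _, c := range req.Cookies() {
		if c.Name == cookieName && c.Value != "" {
			return c.Value, nil
		}
	}
	return "", errors.New("unauthenticated: no client token")
}

// Authenticate returns the token to look up, or ("", nil) for a skipped server.
func (i *Interceptor) Authenticate(md Metadata, server any) (string, error) {
	for _, s := range i.skippedServers {
		if s == server { // identity comparison, not name comparison
			return "", nil
		}
	}
	return ClientToken(md)
}
```

A second `*oidc` value with identical fields is not skipped, which is the property the pointer comparison buys over a name match.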