-
-
Notifications
You must be signed in to change notification settings - Fork 135
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
147 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,9 +1,67 @@ | ||
| namespace VaultSharp.V1.AuthMethods.JWT | ||
| using System.Threading.Tasks; | ||
| using VaultSharp.V1.AuthMethods.JWT.Models; | ||
| using VaultSharp.V1.Commons; | ||
|
|
||
| namespace VaultSharp.V1.AuthMethods.JWT | ||
| { | ||
| /// <summary> | ||
| /// | ||
| /// Non Login methods | ||
| /// </summary> | ||
| public interface IJWTAuthMethod | ||
| { | ||
| /// <summary> | ||
| /// Obtain an authorization URL from Vault to start an OIDC login flow. | ||
| /// </summary> | ||
| /// <param name="redirectUri"> | ||
| /// <para>[required]</para> | ||
| /// Path to the callback to complete the login. | ||
| /// This will be of the form, "https://.../oidc/callback" where the leading portion is dependent on | ||
| /// your Vault server location, port, and the mount of the JWT plugin. | ||
| /// This must be configured with Vault and the provider. | ||
| /// </param> | ||
| /// <param name="roleName"> | ||
| /// <para>[optional]</para> | ||
| /// Name of the role against which the login is being attempted. | ||
| /// Defaults to configured default_role if not provided. | ||
| /// </param> | ||
| /// <param name="clientNonce"> | ||
| /// <para>[optional]</para> | ||
| /// Optional client-provided nonce that must match the client_nonce value provided | ||
| /// during a subsequent request to the callback API. | ||
| /// </param> | ||
| /// <param name="mountPoint"> | ||
| /// Mount point of the JWT Auth method | ||
| /// </param> | ||
| /// <returns>The OIDC Auth URL</returns> | ||
| Task<Secret<OIDCAuthURLInfo>> GetOIDCAuthURLAsync(string redirectUri, string roleName = null, string clientNonce = null, string mountPoint = AuthMethodDefaultPaths.JWT); | ||
|
|
||
| /// <summary> | ||
| /// Exchange an authorization code for an OIDC ID Token. | ||
| /// The ID token will be further validated against any bound claims, and if valid a Vault token will be returned. | ||
| /// </summary> | ||
| /// <param name="state"> | ||
| /// <para>[required]</para> | ||
| /// Opaque state ID that is part of the Authorization URL and will be included in | ||
| /// the the redirect following successful authentication on the provider. | ||
| /// </param> | ||
| /// <param name="nonce"> | ||
| /// <para>[required]</para> | ||
| /// Opaque nonce that is part of the Authorization URL and will be | ||
| /// included in the the redirect following successful authentication on the provider. | ||
| /// </param> | ||
| /// <param name="code"> | ||
| /// <para>[required]</para> | ||
| /// Provider-generated authorization code that Vault will exchange for an ID token. | ||
| /// </param> | ||
| /// <param name="clientNonce"> | ||
| /// <para>[optional]</para> | ||
| /// Optional client-provided nonce that must match the client_nonce value | ||
| /// provided during the prior request to the auth API. | ||
| /// </param> | ||
| /// <param name="mountPoint"> | ||
| /// Mount point of the JWT Auth method | ||
| /// </param> | ||
| /// <returns>The OIDC Vault Token</returns> | ||
| Task<Secret<AuthInfo>> DoOIDCCallbackAsync(string state, string nonce, string code, string clientNonce = null, string mountPoint = AuthMethodDefaultPaths.JWT); | ||
| } | ||
| } |
68 changes: 68 additions & 0 deletions
68
src/VaultSharp/V1/AuthMethods/JWT/JWTAuthMethodProvider.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| using System.Collections.Generic; | ||
| using System.Net.Http; | ||
| using System.Threading.Tasks; | ||
| using VaultSharp.Core; | ||
| using VaultSharp.V1.AuthMethods.JWT.Models; | ||
| using VaultSharp.V1.Commons; | ||
|
|
||
| namespace VaultSharp.V1.AuthMethods.JWT | ||
| { | ||
| internal class JWTAuthMethodProvider : IJWTAuthMethod | ||
| { | ||
| private readonly Polymath _polymath; | ||
|
|
||
| public JWTAuthMethodProvider(Polymath polymath) | ||
| { | ||
| Checker.NotNull(polymath, "polymath"); | ||
| this._polymath = polymath; | ||
| } | ||
|
|
||
| public async Task<Secret<OIDCAuthURLInfo>> GetOIDCAuthURLAsync(string redirectUri, string roleName = null, string clientNonce = null, string mountPoint = AuthMethodDefaultPaths.JWT) | ||
| { | ||
| Checker.NotNull(mountPoint, "mountPoint"); | ||
| Checker.NotNull(redirectUri, "redirectUri"); | ||
|
|
||
| var requestData = new Dictionary<string, string> | ||
| { | ||
| { "redirect_uri", redirectUri } | ||
| }; | ||
|
|
||
| if (!string.IsNullOrWhiteSpace(roleName)) | ||
| { | ||
| requestData.Add("role", roleName); | ||
| } | ||
|
|
||
| if (!string.IsNullOrWhiteSpace(clientNonce)) | ||
| { | ||
| requestData.Add("client_nonce", clientNonce); | ||
| } | ||
|
|
||
| return await _polymath.MakeVaultApiRequest<Secret<OIDCAuthURLInfo>>("v1/auth/" + mountPoint.Trim('/') + "/oidc/auth_url", HttpMethod.Post, requestData: requestData).ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext); | ||
| } | ||
|
|
||
| public async Task<Secret<AuthInfo>> DoOIDCCallbackAsync(string state, string nonce, string code, string clientNonce = null, string mountPoint = AuthMethodDefaultPaths.JWT) | ||
| { | ||
| Checker.NotNull(state, "state"); | ||
| Checker.NotNull(nonce, "nonce"); | ||
| Checker.NotNull(code, "code"); | ||
|
|
||
| Checker.NotNull(mountPoint, "mountPoint"); | ||
|
|
||
| var queryStrings = new List<string> | ||
| { | ||
| "state=" + state, | ||
| "nonce=" + nonce, | ||
| "code=" + code | ||
| }; | ||
|
|
||
| if (!string.IsNullOrWhiteSpace(clientNonce)) | ||
| { | ||
| queryStrings.Add("client_nonce=" + clientNonce); | ||
| } | ||
|
|
||
| var queryString = "?" + string.Join("&", queryStrings); | ||
|
|
||
| return await _polymath.MakeVaultApiRequest<Secret<AuthInfo>>("v1/auth/" + mountPoint.Trim('/') + "/oidc/callback" + queryString, HttpMethod.Get).ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext); | ||
| } | ||
| } | ||
| } |
10 changes: 10 additions & 0 deletions
10
src/VaultSharp/V1/AuthMethods/JWT/Models/OIDCAuthURLInfo.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| using Newtonsoft.Json; | ||
|
|
||
| namespace VaultSharp.V1.AuthMethods.JWT.Models | ||
| { | ||
| public class OIDCAuthURLInfo | ||
| { | ||
| [JsonProperty("auth_url")] | ||
| public string AuthorizationURL { get; set; } | ||
| } | ||
| } |