SDK support for OIDC Authn

[InbalZilberman]

Feature Overview & Customer Need The customer, would like to use OIDC authenticator while developing his application using Conjur SDKs (JAVA and Python for each one we will have a different user story). The user, a developer of an application, would like to use the SDK to connect to Conjur, authenticate using OIDC authenticator and retrieve secrets.

Important Lets find a generic way to provide this support in the SDK while taking into account all authenticators will use the practice we will decide upon. Generic between different SDKs and generic between authenticators.

JAVA SDK Flow The JAVA application developer, Fay, would like to use Conjur SDK and use OIDC authenticator

1. She set the following environment variables in the application machine

   CONJUR_APPLIANCE_URL= https://conjur.myorg.com/api
   CONJUR_AUTHN_SUFFIX = oidc-authn/okta
   CONJUR_ACCOUNT=myorg

2. More settings can be done for SSL like described here: https://github.com/cyberark/conjur-api-java
3. In her application code she uses the SDK:

   ID_token = retrieveIDToken(); //non SDK method see * below  
   Conjur conjur = new Conjur (ID_token);
   String retrievedSecret = conjur.variables().retrieveSecret(VARIABLE_KEY);

   • It is the responsibility of the app dev to implement this method in which ID token is retrieved from the OIDC provider for example Okta. Logging The SDK should be able to write logs to a given input according provided as an input.

Failure Scenarios Failure Scenarios should be document and reviewed. Scenarios:

1. Invalid env var - new case here is related to CONJUR_AUTHN_SUFFIX if the value is not reaching a valid authenticator a log should be written to the output of the sdk logs,

2. All other failure scenarios oidc authenticator has should be propagated to the SDK.

3. As we know that OIDC authenticator is not supported before a certain version if the connection is done to an old Conjur it would be nice if we can give a good message for this case.

Documentation This change in SDK should be documented together with:

• logs of SDK
• Best practices on how to handle an error of the SDK

DOD

• [ ] Research page with all options to represent authenticators and OIDC authenticator in JAVA & Python SDKs
• [ ] Test plan written and reviewed by PO & QAA
• [ ] Security review was done and issues were raised
• [ ] Research results presented and shared

[orenbm]

Hi,

This looks good! A few comments:

1. I prefer CONJUR_AUTHN_SUFFIX rather than CONJUR_AUTH_SUFFIX as we use authn all around.
2. retrieveIDToken() is against the OIDC provider right? We succeeded to do this against OKTA in the script but it's not generic. Not sure how feasible this will be. If it's not possible, we can create an IDToken object with an id_token string as an input from the user (env var?).

Also, a question - what do you mean by Lets find a generic way to provide this support in the SDK? Is this generic between different SDKs? Generic between authenticators?

[InbalZilberman]

1. Done :) thanks!
2. nop, retrieveIDToken is against the OIDC provider for example Okta. it is the responsibility of the app dev to figure how it is done. I added a clarification in the above description.
3. Both, generic between different SDKs and generic between authenticators. Added to above