cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org
Other
782 stars 124 forks source link

SDK support for OIDC Authn #1032

Open InbalZilberman opened 5 years ago

InbalZilberman commented 5 years ago

Feature Overview & Customer Need The customer, would like to use OIDC authenticator while developing his application using Conjur SDKs (JAVA and Python for each one we will have a different user story). The user, a developer of an application, would like to use the SDK to connect to Conjur, authenticate using OIDC authenticator and retrieve secrets.

Important Lets find a generic way to provide this support in the SDK while taking into account all authenticators will use the practice we will decide upon. Generic between different SDKs and generic between authenticators.

JAVA SDK Flow The JAVA application developer, Fay, would like to use Conjur SDK and use OIDC authenticator

  1. She set the following environment variables in the application machine
    CONJUR_APPLIANCE_URL= https://conjur.myorg.com/api
    CONJUR_AUTHN_SUFFIX = oidc-authn/okta
    CONJUR_ACCOUNT=myorg
  2. More settings can be done for SSL like described here: https://github.com/cyberark/conjur-api-java
  3. In her application code she uses the SDK:
    ID_token = retrieveIDToken(); //non SDK method see * below  
    Conjur conjur = new Conjur (ID_token);
    String retrievedSecret = conjur.variables().retrieveSecret(VARIABLE_KEY);
    • It is the responsibility of the app dev to implement this method in which ID token is retrieved from the OIDC provider for example Okta. Logging The SDK should be able to write logs to a given input according provided as an input.

Failure Scenarios Failure Scenarios should be document and reviewed. Scenarios:

  1. Invalid env var - new case here is related to CONJUR_AUTHN_SUFFIX if the value is not reaching a valid authenticator a log should be written to the output of the sdk logs,

  2. All other failure scenarios oidc authenticator has should be propagated to the SDK.

  3. As we know that OIDC authenticator is not supported before a certain version if the connection is done to an old Conjur it would be nice if we can give a good message for this case.

Documentation This change in SDK should be documented together with:

DOD

orenbm commented 5 years ago

Hi,

This looks good! A few comments:

  1. I prefer CONJUR_AUTHN_SUFFIX rather than CONJUR_AUTH_SUFFIX as we use authn all around.
  2. retrieveIDToken() is against the OIDC provider right? We succeeded to do this against OKTA in the script but it's not generic. Not sure how feasible this will be. If it's not possible, we can create an IDToken object with an id_token string as an input from the user (env var?).

Also, a question - what do you mean by Lets find a generic way to provide this support in the SDK? Is this generic between different SDKs? Generic between authenticators?

InbalZilberman commented 5 years ago
  1. Done :) thanks!
  2. nop, retrieveIDToken is against the OIDC provider for example Okta. it is the responsibility of the app dev to figure how it is done. I added a clarification in the above description.
  3. Both, generic between different SDKs and generic between authenticators. Added to above