sso-proxy: support Authorization: Bearer <token>

[sporkmonger]

In Kubernetes, the most preferred way of authenticating to the dashboard is via an authenticating proxy.
https://github.com/kubernetes/dashboard/wiki/Access-control#authentication

The authentication mechanism that Kubernetes expects is an Authorization: Bearer <token>, where the token is typically going to be the JWT ID token.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

While headers like X-Forwarded-Email and X-Forwarded-Groups are certainly more approachable and accessible for upstream services to consume, these aren't currently supported by Kubernetes, and unless you enable Gap-Signature, there's no guarantees beyond what firewalling you do between the proxy and the upstream service in terms of preventing impersonation. The Gap-Signature scheme doesn't appear to be standardized, so it makes more sense to me to put the feature request on the proxy side rather than to try to have the Kubernetes dashboard support X-Forwarded-Email and X-Forwarded-Groups.

[sporkmonger]

I'm happy to contribute a PR for this.

[remm]

It would be great to write doc for this feature. Actually, I trying now to configure ( kubernetes dashboard + sso + nginx ) for authentication to kubernetes dashboard.

[sporkmonger]

So the main issue I see is that the HTTP spec has pretty clear language on how proxies should handle this header. Namely, if the downstream client sends that header, the proxy should (according to the spec) leave it alone and send it through. For things like proxying say an internal tool with an HTTP Basic login check, you maybe don't want to interfere with that login form. Most web applications will ignore an Authorization header (or any other header) they weren't expecting. But not all. So it definitely needs to be configurable in the upstream_configs.yml file whether to enable the Authorization: Bearer <token> header or not. So probably best to disable it by default and turn on only for apps that need it. But then there's the question of whether to follow the spec strictly and let client Authorization headers take precedence or ignore that because in this use case the spec kinda doesn't make sense.

I also see two options for what the token could be. Either pass through the ID token you obtain from the IdP as-is or mint a new one with more configurable contents and have upstreams trust that signing key. The latter is obviously a fair bit more complex and I don't think I'd want to try to tackle that right away, but depending on what a given IdP does/doesn't package in the token metadata, it might be needed in some cases.

[brunnels]

I've been using the helm chart for oauth2_proxy to accomplish the same thing. It has now been abandoned with the original maintainer pointing here as an alternative. Maybe the helm config for outh2_proxy could provide some insight into getting sso working as a replacement?

[katzdm]

Hey all - I've been looking into this for the past couple of days. It sounds like what is needed for the Kubernetes Dashboard is as follows:

• Retain the id_token field from the OAuth2 response as a part of the session cookie
• Forward the id_token field to the upstream service in a request header, formatted:
  Authorization: Bearer ${ID_TOKEN}
• Make this feature opt-in configurable (say, via an environment variable ENABLE_OICD_AUTH_HEADER)

Does that sound as if it will address this use-case? Any thoughts?

[sporkmonger]

@katzdm I've gone back and forth on whether retaining the ID token is the right answer and I'm increasingly thinking it maybe isn't. The main problem is that ID tokens are very different depending on providers and in particular, the token from Azure AD is gargantuan and absolutely loaded down with cruft.

The tokens issued by AD (but also many other providers) also specify a specific audience and technically applications should probably reject tokens intended for a different audience. In this case, the specified audience will always be the auth server, not the upstream service.

And then there's also groups. Depending on your permissions/configuration, AD may bake group information into the token, which may be useful, however it renders group membership as UUIDs which is unlikely to be what you want and there's not much control over it. Also, many providers won't include group information, and if you want upstreams to be able to rely on that, you may need to merge information from multiple sources (e.g. OAuth flow metadata + API calls).

I'm thinking that maybe the right answer is to generate tokens on a per-upstream basis, with separate tokens for each (can't have upstream 1 pass a token to upstream 2 and reuse the token as an attack vector, provided that services check intended audience). Then configure the k8s dashboard to look for tokens issued by the proxy server rather than tokens issued by the provider.

[sporkmonger]

I also have concerns about proceeding w/ this issue until after we at least have a second provider merged. I'm worried about tight coupling risks.

[sporkmonger]

I think the auth header option should not be global but rather per-upstream.

[sporkmonger]

FWIW, I'm really close on the AD PR, just wrapping up tests and minor refactoring, so shouldn't be much of a wait on a second provider.