diff --git a/pkg/cmd/get_token.go b/pkg/cmd/get_token.go
index bff4bc07..2877ae41 100644
--- a/pkg/cmd/get_token.go
+++ b/pkg/cmd/get_token.go
@@ -14,6 +14,7 @@ import (
 // getTokenOptions represents the options for get-token command.
 type getTokenOptions struct {
 	IssuerURL         string
+	IssuerURLOverride string
 	ClientID          string
 	ClientSecret      string
 	ExtraScopes       []string
@@ -26,6 +27,7 @@ type getTokenOptions struct {
 
 func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
+	f.StringVar(&o.IssuerURLOverride, "oidc-issuer-url-override", "", "Override Issuer URL")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
@@ -75,11 +77,12 @@ func (cmd *GetToken) New() *cobra.Command {
 	}
 	in := credentialplugin.Input{
 		Provider: oidc.Provider{
-			IssuerURL:    o.IssuerURL,
-			ClientID:     o.ClientID,
-			ClientSecret: o.ClientSecret,
-			UsePKCE:      o.UsePKCE,
-			ExtraScopes:  o.ExtraScopes,
+			IssuerURL:         o.IssuerURL,
+			IssuerURLOverride: o.IssuerURLOverride,
+			ClientID:          o.ClientID,
+			ClientSecret:      o.ClientSecret,
+			UsePKCE:           o.UsePKCE,
+			ExtraScopes:       o.ExtraScopes,
 		},
 		TokenCacheDir:  o.TokenCacheDir,
 		GrantOptionSet: grantOptionSet,
diff --git a/pkg/cmd/setup.go b/pkg/cmd/setup.go
index 4e90c2d2..ff8421d7 100644
--- a/pkg/cmd/setup.go
+++ b/pkg/cmd/setup.go
@@ -11,6 +11,7 @@ import (
 // setupOptions represents the options for setup command.
 type setupOptions struct {
 	IssuerURL         string
+	IssuerURLOverride string
 	ClientID          string
 	ClientSecret      string
 	ExtraScopes       []string
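Review bot: The help text for `--oidc-issuer-url-override` in getTokenOptions.addFlags says only "Override Issuer URL" and gives no hint that the value changes a security check: later in this diff it is handed to `gooidc.InsecureIssuerURLContext`, which, as its name warns, relaxes the check that the provider's discovered issuer matches the configured issuer URL, so an operator reading `--help` should be told that. Suggested text: `"Issuer URL the provider is expected to advertise, if it differs from --oidc-issuer-url (skips the issuer consistency check; for off-spec providers only)"`. The same flag in setupOptions.addFlags uses a different string, "Overrided Issuer URL of the provider", which has a typo ("Overridden") and should match the get-token text, since setup generates the get-token arguments.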
@@ -21,6 +22,7 @@ type setupOptions struct {
 
 func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
+	f.StringVar(&o.IssuerURLOverride, "oidc-issuer-url-override", "", "Overrided Issuer URL of the provider")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
@@ -45,13 +47,14 @@ func (cmd *Setup) New() *cobra.Command {
 		return fmt.Errorf("setup: %w", err)
 	}
 	in := setup.Stage2Input{
-		IssuerURL:       o.IssuerURL,
-		ClientID:        o.ClientID,
-		ClientSecret:    o.ClientSecret,
-		ExtraScopes:     o.ExtraScopes,
-		UsePKCE:         o.UsePKCE,
-		GrantOptionSet:  grantOptionSet,
-		TLSClientConfig: o.tlsOptions.tlsClientConfig(),
+		IssuerURL:         o.IssuerURL,
+		IssuerURLOverride: o.IssuerURLOverride,
+		ClientID:          o.ClientID,
+		ClientSecret:      o.ClientSecret,
+		ExtraScopes:       o.ExtraScopes,
+		UsePKCE:           o.UsePKCE,
+		GrantOptionSet:    grantOptionSet,
+		TLSClientConfig:   o.tlsOptions.tlsClientConfig(),
 	}
 	if c.Flags().Lookup("listen-address").Changed {
 		in.ListenAddressArgs = o.authenticationOptions.ListenAddress
diff --git a/pkg/oidc/client/factory.go b/pkg/oidc/client/factory.go
index 4a9ee332..036744a4 100644
--- a/pkg/oidc/client/factory.go
+++ b/pkg/oidc/client/factory.go
@@ -52,6 +52,11 @@ func (f *Factory) New(ctx context.Context, p oidc.Provider, tlsClientConfig tlsc
 	}
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+
+	if p.IssuerURLOverride != "" {
+		ctx = gooidc.InsecureIssuerURLContext(ctx, p.IssuerURLOverride)
+	}
+
 	provider, err := gooidc.NewProvider(ctx, p.IssuerURL)
 	if err != nil {
 		return nil, fmt.Errorf("oidc discovery error: %w", err)
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
index d8f0ec0d..fdd16a19 100644
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
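Review bot: The new branch in Factory.New turns a plain string option into a relaxation of the OIDC discovery check without a comment saying so: `gooidc.InsecureIssuerURLContext` makes the following `NewProvider` call accept a discovery document whose issuer differs from `p.IssuerURL`, which is exactly the mismatch the library otherwise rejects. A why-comment would help the next reader, e.g. `// IssuerURLOverride is for off-spec providers whose advertised issuer differs from the discovery URL: it skips go-oidc's issuer consistency check. Leave it empty unless the provider needs it.`. If go-oidc also uses the override as the issuer expected in the ID token's iss claim, as I believe it does, say so in the comment too, since that is what keeps the override from being a full bypass — confirm against the library version in go.mod. It would also be worth emitting a debug-level log line when the override is active, if the factory has a logger, so a kubeconfig carrying the flag is visible in troubleshooting output. The enclosing `New` starts before this hunk.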
@@ -11,11 +11,12 @@ import (
 // Provider represents an OIDC provider.
 type Provider struct {
-	IssuerURL    string
-	ClientID     string
-	ClientSecret string   // optional
-	ExtraScopes  []string // optional
-	UsePKCE      bool     // optional
+	IssuerURL         string
+	IssuerURLOverride string   // optional
+	ClientID          string
+	ClientSecret      string   // optional
+	ExtraScopes       []string // optional
+	UsePKCE           bool     // optional
 }
 
 // TokenSet represents a set of ID token and refresh token.
diff --git a/pkg/usecases/setup/stage2.go b/pkg/usecases/setup/stage2.go
index ced1b648..2c8464fb 100644
--- a/pkg/usecases/setup/stage2.go
+++ b/pkg/usecases/setup/stage2.go
@@ -65,11 +65,13 @@ type stage2Vars struct {
 	ClientID          string
 	Args              []string
 	Subject           string
+	IssuerURLOverride string
 }
 
 // Stage2Input represents an input DTO of the stage2.
 type Stage2Input struct {
 	IssuerURL         string
+	IssuerURLOverride string
 	ClientID          string
 	ClientSecret      string
 	ExtraScopes       []string // optional
@@ -83,11 +85,12 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 	u.Logger.Printf("authentication in progress...")
 	out, err := u.Authentication.Do(ctx, authentication.Input{
 		Provider: oidc.Provider{
-			IssuerURL:    in.IssuerURL,
-			ClientID:     in.ClientID,
-			ClientSecret: in.ClientSecret,
-			ExtraScopes:  in.ExtraScopes,
-			UsePKCE:      in.UsePKCE,
+			IssuerURL:         in.IssuerURL,
+			IssuerURLOverride: in.IssuerURLOverride,
+			ClientID:          in.ClientID,
+			ClientSecret:      in.ClientSecret,
+			ExtraScopes:       in.ExtraScopes,
+			UsePKCE:           in.UsePKCE,
 		},
 		GrantOptionSet:  in.GrantOptionSet,
 		TLSClientConfig: in.TLSClientConfig,
@@ -103,6 +106,7 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 	v := stage2Vars{
 		IDTokenPrettyJSON: idTokenClaims.Pretty,
 		IssuerURL:         in.IssuerURL,
+		IssuerURLOverride: in.IssuerURLOverride,
 		ClientID:          in.ClientID,
 		Args:              makeCredentialPluginArgs(in),
 		Subject:           idTokenClaims.Subject,
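Review bot: `IssuerURLOverride` in Provider is annotated only `// optional`, which says nothing about what setting it changes, although it is the field that decides whether the client's issuer consistency check is relaxed in Factory.New. Suggest `// IssuerURLOverride, when set, is the issuer to accept in place of the one discovered from IssuerURL; only for providers whose advertised issuer differs from their discovery URL. Optional.`. The same field added to `Stage2Input` in stage2.go lacks even the `// optional` tag its sibling `ExtraScopes` carries, and `stage2Vars` gains the field presumably for the generated kubeconfig template, which is outside this diff — worth checking that the template emits the flag only when the value is non-empty.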
@@ -118,6 +122,7 @@ func (u *Setup) DoStage2(ctx context.Context, in Stage2Input) error {
 func makeCredentialPluginArgs(in Stage2Input) []string {
 	var args []string
 	args = append(args, "--oidc-issuer-url="+in.IssuerURL)
+	args = append(args, "--oidc-issuer-url-override="+in.IssuerURL)
 	args = append(args, "--oidc-client-id="+in.ClientID)
 	if in.ClientSecret != "" {
 		args = append(args, "--oidc-client-secret="+in.ClientSecret)
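Review bot: The new `--oidc-issuer-url-override` argument in makeCredentialPluginArgs is built from `in.IssuerURL` instead of `in.IssuerURLOverride`, and it is appended unconditionally, so the generated credential-plugin arguments always carry the plain issuer URL as the override; in Factory.New that non-empty value then activates `gooidc.InsecureIssuerURLContext` for every user of the generated kubeconfig, silently disabling the issuer consistency check where nobody asked for it. Follow the `ClientSecret` pattern two lines below: `if in.IssuerURLOverride != "" {` / `args = append(args, "--oidc-issuer-url-override="+in.IssuerURLOverride)` / `}`. A unit test of makeCredentialPluginArgs with and without the override set would pin this. makeCredentialPluginArgs continues past the end of this hunk.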