From 8117c695565d70a613dd349d64488e261add1b97 Mon Sep 17 00:00:00 2001
From: arekkas
Date: Mon, 6 Aug 2018 11:10:50 +0200
Subject: [PATCH] cmd: Introduce subject type algorithm configuration
See #950
Signed-off-by: arekkas
---
 cmd/root.go | 3 +++
 cmd/serve.go | 3 +++
 cmd/server/handler_client_factory.go | 7 ++++++-
 config/config.go | 9 +++++++++
 4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/cmd/root.go b/cmd/root.go
index f2c0f69f3f4..a7e83273558 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -188,6 +188,9 @@ func initConfig() {
 viper.BindEnv("OIDC_DISCOVERY_USERINFO_ENDPOINT")
 viper.SetDefault("OIDC_DISCOVERY_USERINFO_ENDPOINT", "")
+ viper.BindEnv("OIDC_SUBJECT_TYPES_SUPPORTED")
+ viper.SetDefault("OIDC_SUBJECT_TYPES_SUPPORTED", "public")
+
 // If a config file is found, read it in.
 if err := viper.ReadInConfig(); err != nil {
 fmt.Printf(`Config file not found because "%s"`, err)
diff --git a/cmd/serve.go b/cmd/serve.go
index 66f4e60ac07..110527e362b 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -140,6 +140,9 @@ OPENID CONNECT CONTROLS
 "scope" key in the registration payload, effectively disabling the concept of whitelisted scopes.
 Example: OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE=openid,offline,scope-a,scope-b
+- OIDC_SUBJECT_TYPES_SUPPORTED: Sets which pairwise identifier algorithms (comma-separated) should be supported.
+ Can be "public" or "pairwise" or both. Defaults to "public".
+ Example: OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
 HTTPS CONTROLS
 ==============
diff --git a/cmd/server/handler_client_factory.go b/cmd/server/handler_client_factory.go
index de3c1efefdb..22b30b2f848 100644
--- a/cmd/server/handler_client_factory.go
+++ b/cmd/server/handler_client_factory.go
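Review bot: The new help text in the cmd/serve.go hunk describes OIDC_SUBJECT_TYPES_SUPPORTED as "pairwise identifier algorithms", but the very next line lists "public" as an accepted value, and "public" is a subject identifier type, not a pairwise algorithm; the wording will confuse operators reading the OIDC discovery terminology. Suggested first line: `- OIDC_SUBJECT_TYPES_SUPPORTED: Sets which subject identifier types (comma-separated) should be supported.` The same hunk could also state that entries are not validated, since the getter added in config/config.go passes whatever is configured straight through.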
@@ -39,7 +39,12 @@ func newClientHandler(c *config.Config, router *httprouter.Router, manager clien
 w.ErrorEnhancer = writerErrorEnhancer
 expectDependency(c.GetLogger(), manager)
- h := client.NewHandler(manager, w, strings.Split(c.DefaultClientScope, ","))
+ h := client.NewHandler(
+ manager,
+ w,
+ strings.Split(c.DefaultClientScope, ","),
+ c.GetSubjectTypesSupported(),
+ )
 h.SetRoutes(router)
 return h
 }
diff --git a/config/config.go b/config/config.go
index b76e3d65cc7..5bc347afda0 100644
--- a/config/config.go
+++ b/config/config.go
@@ -63,6 +63,7 @@ type Config struct {
 ConsentURL string `mapstructure:"OAUTH2_CONSENT_URL" yaml:"-"`
 LoginURL string `mapstructure:"OAUTH2_LOGIN_URL" yaml:"-"`
 DefaultClientScope string `mapstructure:"OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE" yaml:"-"`
+ SubjectTypesSupported string `mapstructure:"OIDC_SUBJECT_TYPES_SUPPORTED" yaml:"-"`
 ErrorURL string `mapstructure:"OAUTH2_ERROR_URL" yaml:"-"`
 AllowTLSTermination string `mapstructure:"HTTPS_ALLOW_TERMINATION_FROM" yaml:"-"`
 BCryptWorkFactor int `mapstructure:"BCRYPT_COST" yaml:"-"`
@@ -93,6 +94,14 @@ type Config struct {
 systemSecret []byte `yaml:"-"`
 }
+func (c *Config) GetSubjectTypesSupported() []string {
+ types := strings.Split(c.SubjectTypesSupported, ",")
+ if len(types) == 0 {
+ return []string{"public"}
+ }
+ return types
+}
+
 func (c *Config) GetClusterURLWithoutTailingSlashOrFail(cmd *cobra.Command) string {
 endpoint := c.GetClusterURLWithoutTailingSlash(cmd)
 if endpoint == "" {
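Review bot: In the second config/config.go hunk, `strings.Split` never returns an empty slice, so the `len(types) == 0` branch in GetSubjectTypesSupported is unreachable: an unset or empty OIDC_SUBJECT_TYPES_SUPPORTED yields `[]string{""}` instead of the documented "public" default, and entries with surrounding whitespace (`public, pairwise`) are passed through unmodified. That slice is handed to client.NewHandler in the cmd/server/handler_client_factory.go hunk, so an empty or malformed subject type reaches the client handler rather than being normalised here. Trim each entry, drop empties, and apply the fallback afterwards, as below; rejecting anything other than "public" or "pairwise" (the only values the serve.go help text documents) would be a further improvement, but needs an error path this getter currently lacks. GetSubjectTypesSupported is fully visible in the hunk; the doc comment `// GetSubjectTypesSupported returns the configured subject identifier types, defaulting to "public" when none are set.` is also missing on the exported method.
```go
// GetSubjectTypesSupported returns the configured subject identifier types,
// ignoring blank entries and defaulting to "public" when none remain.
func (c *Config) GetSubjectTypesSupported() []string {
	var types []string
	for _, t := range strings.Split(c.SubjectTypesSupported, ",") {
		if t = strings.TrimSpace(t); t != "" {
			types = append(types, t)
		}
	}
	if len(types) == 0 {
		return []string{"public"}
	}
	return types
}
```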