Client Credentials Grant

[xtremerui]

so client can get access to Dex resources e.g. forwarding auth request and performing token exchange while handling callback from Dex.

[karunchennuri]

@xtremerui I've been evaluating Dex as SP front ending Okta IdP. One of the use cases, I was looking at is support for client_credentials grant type. In a way, I want client application to use static client id and secret, configured at the time of Dex connector configuration, to retrieve id_token, refresh_token, access_token, code from Dex.

This PR is going to support that? The connector type 'am exploring is OIDC.

[xtremerui]

@karunchennuri yes we have similar use case thus we implemented this in our fork https://github.com/concourse/dex. Not sure how it is gonna be in upstream.

[karunchennuri]

Thanks a lot I will use your fork to test today. Just checking it works on oidc connector type right? Also to test this do you have gRPC client application? With Regards Karun Chennuri

…

________________________________ From: Rui Yang <notifications@github.com> Sent: Wednesday, June 10, 2020 8:36:46 AM To: dexidp/dex <dex@noreply.github.com> Cc: Chennuri, Karun <Karun.Chennuri1@T-Mobile.com>; Mention <mention@noreply.github.com> Subject: Re: [dexidp/dex] Client Credentials Grant (#1629) [External] @karunchennuri<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkarunchennuri&data=02%7C01%7CKarun.Chennuri1%40T-Mobile.com%7C6f239a7bc83b41a37a7308d80d54162d%7Cbe0f980bdd994b19bd7bbc71a09b026c%7C0%7C0%7C637274002080775697&sdata=HpT4ik9WkAB8Q6q6OKT0tyZ0Ccuu2i8zRn1sXmhUOfU%3D&reserved=0> yes we have similar use case thus we implemented this in our fork https://github.com/concourse/dex<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fconcourse%2Fdex&data=02%7C01%7CKarun.Chennuri1%40T-Mobile.com%7C6f239a7bc83b41a37a7308d80d54162d%7Cbe0f980bdd994b19bd7bbc71a09b026c%7C0%7C0%7C637274002080785690&sdata=Rus8zrNYFO%2F5IJxTiMvBUvPENA0F671et8RgQldYIOk%3D&reserved=0>. Not sure how it is gonna be in upstream. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdexidp%2Fdex%2Fpull%2F1629%23issuecomment-642089715&data=02%7C01%7CKarun.Chennuri1%40T-Mobile.com%7C6f239a7bc83b41a37a7308d80d54162d%7Cbe0f980bdd994b19bd7bbc71a09b026c%7C0%7C0%7C637274002080785690&sdata=FslR9xe0EKNt6UDEZCZxt47DafA8gSyeseqIE8vYSec%3D&reserved=0>, or unsubscribe<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAEKPQROP4L4KGLBTMRRXKSDRV6SA5ANCNFSM4KHZYJOA&data=02%7C01%7CKarun.Chennuri1%40T-Mobile.com%7C6f239a7bc83b41a37a7308d80d54162d%7Cbe0f980bdd994b19bd7bbc71a09b026c%7C0%7C0%7C637274002080795681&sdata=w2qyKV2xd1aIAUbN744MuVDpCABSsaSAdMqpEsqiJmo%3D&reserved=0>.

[karunchennuri]

@xtremerui I tested this PR on the master branch of dex. Worked perfectly fine.
Somehow I had difficulty running local tests on the https://github.com/concourse/dex. That's the reason just cherry picked your PR. Thanks a lot for putting this together, I was reading some older posts on the reluctance to support client_credentials grant type, there must be a reason, I would be interested in knowing more on that from others on this thread.

[xtremerui]

@karunchennuri glad it works. The test could be ran using the Makefile

dex/Makefile

Lines 44 to 45 in 2ca992e

	test: bin/test/kube-apiserver bin/test/etcd
	@go test -v ./...

make test

[mvdkleijn]

@xtremerui Would you be open to update this PR since it has conflicts?

[xtremerui]

@mvdkleijn absolutely. Most of my PRs got conflicts I will update all of them. Thank you!

[xtremerui]

@sagikazarmark could I get some feedback on this PR please?

[RealHarshThakur]

Hey folks, is there anything I can do to help this PR move forward?

[cloudmarius]

Hi there, any intention still to merge this feature?

[jarrettprosser]

I've tested the fork this change is based on and found that in the case of a public client, Dex will issue client credentials for the public client if I provide the client ID and leave out the secret value (or set it to null). This is an issue for our use; simply knowing the client ID (which is sent in plaintext by the UI when getting a token) is enough to get an access token. Not sure if that has been resolved in this PR though.

We've ended up using the Device Code Flow with a staticClient and staticPassword as an alternative, but having full support for the Client Credentials Grant would be better.

[nabokihms]

With the allowedGrants, I think now we can add the support for client credentials grant and make it not enabled by default.

@sagikazarmark what do you think?

[smehboub]

Hello,

Thank you very much for your work.
Any news on progress ?

Thanks in advance :-)
Rgs

[cardoe]

@sagikazarmark and @nabokihms wanted to re-raise what you mentioned about including this and leaving it disabled by default. What would you think?

Reason I ask is that I know folks are using this for robot / machine accounts. It might also be acceptable to add the ability to have the hidden connectors that robot / machine accounts utilize without having that prompt users.

[testinfected]

@sagikazarmark We have exactly the same issue as @xtremerui and @kellyma2 with Flyte. Flyte deploys in a Kubernetes env and has a concept of a worker which needs to authenticate to the Flyte control plane. We can only setup a single OIDC/OAuth2 server, and we use Dex for it (Okta connector). Flyte uses client credentials grant for the worker.

As per @nabokihms @cardoe suggestions, would it be fine to disable it by default. Also, would need to add verification of the client secret as well. Currently only the ID is checked.

Thanks

[sagikazarmark]

I'm inclined to accept this given the popular demand.

Unfortunately I have limited time, so if someone could run some tests, it would be immensely helpful.

The code change itself is relatively small, so once we have confirmation it works as expected, we should be able to get this merged relatively quickly.

(I'm constantly flooded by GitHub emails, so keep pinging me if I don't respond. Thanks! 🙏 )

[cardoe]

To further this along, I've pulled this PR into build that I made at https://github.com/cardoe/dex/releases/tag/v2.44.90 You can grab the container to test with at ghcr.io/cardoe/dex:v2.44.90 and report back on this PR.

[testinfected]

I pulled this PR as well on my side and have tested it against Flyte (our use case). Works without issues. I have reviewed the code which looks alright (although I'm new to the codebase).

My 2 cents
Thanks guys

[sagikazarmark]

I really hate to be the gatekeeper (especially since @xtremerui has been rebasing this PR for years now), but I had some comments, one of them is potentially a blocker.

[sagikazarmark]

Correct me if I'm wrong, but client credentials grant isn't supposed to work with public clients, is it?

Shouldn't there be some sort of check here?

Technically, withClientFromStorage checks the secret, but public clients have empty secret, so it will always match.

If I'm right, this is a rather serious vulnerability.

@cardoe any chance you could give this a try in your build?

[sagikazarmark]

Also, it would probably be a good idea to cover at least the happy path with tests.

[sagikazarmark]

Is generating an access token always necessary? Shouldn't it be returned based on the requested scopes?

[sagikazarmark]

We've just merged #4457 removing internal error messages from responses. I think a generic error message should be returned here.

See the linked PR.

[sagikazarmark]

Same as above.