jetstack
diff --git a/‎README.md
Lines changed: 3 additions & 0 deletions b/‎README.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎cmd/options/options.go
Lines changed: 29 additions & 14 deletions b/‎cmd/options/options.go
Lines changed: 29 additions & 14 deletions
diff --git a/‎cmd/run.go
Lines changed: 17 additions & 1 deletion b/‎cmd/run.go
Lines changed: 17 additions & 1 deletion
diff --git a/‎docs/tasks/token-passthrough.md
Lines changed: 24 additions & 0 deletions b/‎docs/tasks/token-passthrough.md
Lines changed: 24 additions & 0 deletions
diff --git a/‎pkg/e2e/e2e.go
Lines changed: 55 additions & 11 deletions b/‎pkg/e2e/e2e.go
Lines changed: 55 additions & 11 deletions
diff --git a/‎pkg/e2e/issuer/issuer.go
Lines changed: 11 additions & 22 deletions b/‎pkg/e2e/issuer/issuer.go
Lines changed: 11 additions & 22 deletions
@@ -125,5 +125,8 @@ users:
       name: oidc
 ```
 
+## Configuration
+ - [Token Passthrough](./docs/tasks/token-passthrough.md)
+
 ## Development
 *NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.
@@ -9,6 +9,25 @@ import (
 	cliflag "k8s.io/component-base/cli/flag"
 )
 
+type TokenPassthroughOptions struct {
+	Audiences []string
+	Enabled   bool
+}
+
+func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringSliceVar(&t.Audiences, "token-passthrough-audiences", t.Audiences, ""+
+		"List of the identifiers that the resource server presented with the token "+
+		"identifies as. The resoure server will verify that non OIDC tokens are intended "+
+		"for at least one of the audiences in this list. If no audiences are "+
+		"provided, the audience will default to the audience of the Kubernetes "+
+		"apiserver.")
+
+	fs.BoolVar(&t.Enabled, "token-passthrough", t.Enabled, ""+
+		"Requests with Bearer tokens that fail OIDC validation are tried against "+
+		"the API server using the Token Review endpoint. If successful, the request "+
+		"is sent on as is, with no impersonation.")
+}
+
 type OIDCAuthenticationOptions struct {
 	APIAudiences   []string
 	CAFile         string
@@ -32,26 +51,23 @@ func (o *OIDCAuthenticationOptions) Validate() error {
 
 func (o *OIDCAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+
-		"Identifiers of the API. The service account token authenticator will validate that "+
-		"tokens used against the API are bound to at least one of these audiences. If the "+
-		"--service-account-issuer flag is configured and this flag is not, this field "+
-		"defaults to a single element list containing the issuer URL .")
+		"Identifiers of the API. This can be used as an additional list of "+
+		"identifiers that exist in the target audiences of requests when "+
+		"authenticating with OIDC.")
 
 	fs.StringVar(&o.IssuerURL, "oidc-issuer-url", o.IssuerURL, ""+
-		"The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+
-		"If set, it will be used to verify the OIDC JSON Web Token (JWT).")
+		"The URL of the OpenID issuer, only HTTPS scheme will be accepted.")
 
 	fs.StringVar(&o.ClientID, "oidc-client-id", o.ClientID,
-		"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
+		"The client ID for the OpenID Connect client.")
 
 	fs.StringVar(&o.CAFile, "oidc-ca-file", o.CAFile, ""+
-		"If set, the OpenID server's certificate will be verified by one of the authorities "+
-		"in the oidc-ca-file, otherwise the host's root CA set will be used.")
+		"The OpenID server's certificate will be verified by one of the authorities "+
+		"in the oidc-ca-file, otherwise the host's root CA set will be used")
 
 	fs.StringVar(&o.UsernameClaim, "oidc-username-claim", "sub", ""+
-		"The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+
-		"is not guaranteed to be unique and immutable. This flag is experimental, please see "+
-		"the authentication documentation for further details.")
+		"The OpenID claim to use as the username. Note that claims other than the default ('sub') "+
+		"is not guaranteed to be unique and immutable")
 
 	fs.StringVar(&o.UsernamePrefix, "oidc-username-prefix", "", ""+
 		"If provided, all usernames will be prefixed with this value. If not provided, "+
@@ -60,8 +76,7 @@ func (o *OIDCAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 
 	fs.StringVar(&o.GroupsClaim, "oidc-groups-claim", "", ""+
 		"If provided, the name of a custom OpenID Connect claim for specifying user groups. "+
-		"The claim value is expected to be a string or array of strings. This flag is experimental, "+
-		"please see the authentication documentation for further details.")
+		"The claim value is expected to be a string or array of strings.")
 
 	fs.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", ""+
 		"If provided, all groups will be prefixed with this value to prevent conflicts with "+
 
@@ -22,6 +22,7 @@ import (
 	"github.com/jetstack/kube-oidc-proxy/cmd/options"
 	"github.com/jetstack/kube-oidc-proxy/pkg/probe"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy"
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 	"github.com/jetstack/kube-oidc-proxy/pkg/version"
 )
 
@@ -44,6 +45,8 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	}
 	ssoptionsWithLB := ssoptions.WithLoopback()
 
+	tpOptions := new(options.TokenPassthroughOptions)
+
 	clientConfigFlags := genericclioptions.NewConfigFlags(true)
 
 	healthCheck := probe.New(strconv.Itoa(readinessProbePort))
@@ -93,14 +96,24 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				return err
 			}
 
+			// Init token reviewer if enabled
+			var tokenReviewer *tokenreview.TokenReview
+			if tpOptions.Enabled {
+				tokenReviewer, err = tokenreview.New(restConfig, tpOptions.Audiences)
+				if err != nil {
+					return err
+				}
+			}
+
 			// oidc auther from config
 			reqAuther := bearertoken.New(oidcAuther)
 			secureServingInfo := new(server.SecureServingInfo)
 			if err := ssoptionsWithLB.ApplyTo(&secureServingInfo, nil); err != nil {
 				return err
 			}
 
-			p := proxy.New(restConfig, reqAuther, secureServingInfo)
+			p := proxy.New(restConfig, reqAuther, tokenReviewer,
+				secureServingInfo)
 
 			// run proxy
 			waitCh, err := p.Run(stopCh)
@@ -124,6 +137,9 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	oidcfs := namedFlagSets.FlagSet("OIDC")
 	oidcOptions.AddFlags(oidcfs)
 
+	tpfs := namedFlagSets.FlagSet("Token Passthrough (Alpha)")
+	tpOptions.AddFlags(tpfs)
+
 	ssoptionsWithLB.AddFlags(namedFlagSets.FlagSet("secure serving"))
 
 	clientConfigFlags.CacheDir = nil
 
@@ -0,0 +1,24 @@
+# Token Passthrough
+
+kube-oidc-proxy can be configured to enable 'token passthrough' for tokens that
+fail OIDC authentication. If enabled, kube-oidc-proxy will perform a [token
+review](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
+API call to the configured target backend using the Kubernetes API. If
+successful, the request will be passed through as-is, with the token intact in
+the request and no other authentication used by kube-oidc-proxy.
+
+To enable token passthrough, include the following flag:
+
+```
+--token-passthrough
+```
+
+In the case of the Kubernetes API server, the authenticator, if audience aware,
+will validate the audiences of tokens using the audience of the API server. A
+new set of audiences can also be given which will be used to validate the token
+against. At least one of these audiences need to be present in the audiences of
+the token to be successful:
+
+```
+---token-passthrough-audiences=aud1.foo.bar,aud2.foo.bar
+```
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -40,9 +41,10 @@ type E2E struct {
 	proxyClient    *http.Client
 	proxyCmd       *exec.Cmd
 	proxyPort      string
-	proxyCert      []byte
 	proxyTransport *http.Transport
 
+	proxyKeyCertPair *util.KeyCertPair
+
 	tmpDir string
 }
 
@@ -141,24 +143,24 @@ func (e *E2E) newIssuerProxyPair() (*http.Transport, error) {
 	}
 	e.issuer = issuer
 
-	proxyCertPath, proxyKeyPath, _, proxyCert, err := util.NewTLSSelfSignedCertKey(pairTmpDir, "")
+	pkcp, err := util.NewTLSSelfSignedCertKey(pairTmpDir, "")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create key pair: %s", err)
 	}
-	e.proxyCert = proxyCert
+	e.proxyKeyCertPair = pkcp
 
 	signer, err := jose.NewSigner(jose.SigningKey{
 		Algorithm: jose.SignatureAlgorithm("RS256"),
-		Key:       issuer.Key(),
+		Key:       issuer.KeyCertPair().Key,
 	}, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialise new jwt signer: %s", err)
 	}
 	e.signer = signer
 
 	certPool := x509.NewCertPool()
-	if ok := certPool.AppendCertsFromPEM(proxyCert); !ok {
-		return nil, fmt.Errorf("failed to append proxy cert data to cert pool %s", proxyCertPath)
+	if ok := certPool.AppendCertsFromPEM(pkcp.Cert); !ok {
+		return nil, fmt.Errorf("failed to append proxy cert data to cert pool %s", pkcp.CertPath)
 	}
 
 	transport := &http.Transport{
@@ -175,16 +177,16 @@ func (e *E2E) newIssuerProxyPair() (*http.Transport, error) {
 
 	cmd := exec.Command("../../kube-oidc-proxy",
 		fmt.Sprintf("--oidc-issuer-url=https://127.0.0.1:%s", issuer.Port()),
-		fmt.Sprintf("--oidc-ca-file=%s", issuer.CertPath()),
+		fmt.Sprintf("--oidc-ca-file=%s", e.issuer.KeyCertPair().CertPath),
 		"--oidc-client-id=kube-oidc-proxy_e2e_client-id",
 		"--oidc-username-claim=e2e-username-claim",
 		"--oidc-groups-claim=e2e-groups-claim",
 		"--oidc-signing-algs=RS256",
 
 		"--bind-address=127.0.0.1",
-		fmt.Sprintf("--secure-port=%s", proxyPort),
-		fmt.Sprintf("--tls-cert-file=%s", proxyCertPath),
-		fmt.Sprintf("--tls-private-key-file=%s", proxyKeyPath),
+		fmt.Sprintf("--secure-port=%s", e.proxyPort),
+		fmt.Sprintf("--tls-cert-file=%s", e.proxyKeyCertPair.CertPath),
+		fmt.Sprintf("--tls-private-key-file=%s", e.proxyKeyCertPair.KeyPath),
 
 		fmt.Sprintf("--kubeconfig=%s", e.kubeKubeconfig),
 	)
@@ -245,7 +247,7 @@ func (e *E2E) proxyRestClient() (*rest.Config, error) {
 			},
 		},
 		TLSClientConfig: rest.TLSClientConfig{
-			CAData: e.proxyCert,
+			CAData: e.proxyKeyCertPair.Cert,
 		},
 
 		APIPath: "/api",
@@ -265,5 +267,47 @@ func (e *E2E) cleanup() {
 				err)
 		}
 
+		e.proxyCmd = nil
+	}
+}
+
+func (e *E2E) runProxy(extraArgs ...string) error {
+	if e.issuer == nil {
+		return errors.New("failed to run proxy: issuer not ready")
+	}
+
+	args := append(
+		[]string{
+			fmt.Sprintf("--oidc-issuer-url=https://127.0.0.1:%s", e.issuer.Port()),
+			fmt.Sprintf("--oidc-ca-file=%s", e.issuer.KeyCertPair().CertPath),
+			"--oidc-client-id=kube-oidc-proxy_e2e_client-id",
+			"--oidc-username-claim=e2e-username-claim",
+			"--oidc-groups-claim=e2e-groups-claim",
+			"--oidc-signing-algs=RS256",
+			"--v=5",
+
+			"--bind-address=127.0.0.1",
+			fmt.Sprintf("--secure-port=%s", e.proxyPort),
+			fmt.Sprintf("--tls-cert-file=%s", e.proxyKeyCertPair.CertPath),
+			fmt.Sprintf("--tls-private-key-file=%s", e.proxyKeyCertPair.KeyPath),
+
+			fmt.Sprintf("--kubeconfig=%s", e.kubeKubeconfig),
+		},
+		extraArgs...,
+	)
+
+	cmd := exec.Command("../../kube-oidc-proxy", args...)
+
+	cmd.Stderr = os.Stderr
+	cmd.Stdout = os.Stdout
+	if err := cmd.Start(); err != nil {
+		return err
 	}
+
+	e.proxyCmd = cmd
+
+	// wait more than enough for proxy to become ready
+	time.Sleep(time.Second * 13)
+
+	return nil
 }
@@ -2,22 +2,21 @@
 package issuer
 
 import (
-	"crypto/rsa"
 	"encoding/base64"
 	"fmt"
 	"net/http"
 	"time"
 
-	"github.com/jetstack/kube-oidc-proxy/pkg/util"
 	"k8s.io/klog"
+
+	"github.com/jetstack/kube-oidc-proxy/pkg/util"
 )
 
 type Issuer struct {
-	tlsDir            string
-	listenPort        string
-	certPath, keyPath string
+	tlsDir     string
+	listenPort string
 
-	sk *rsa.PrivateKey
+	keyCertPair *util.KeyCertPair
 }
 
 func New(tlsDir string) *Issuer {
@@ -33,18 +32,16 @@ func (i *Issuer) Run() error {
 	}
 	i.listenPort = listenPort
 
-	certPath, keyPath, sk, _, err := util.NewTLSSelfSignedCertKey(i.tlsDir, "oidc-issuer")
+	kcp, err := util.NewTLSSelfSignedCertKey(i.tlsDir, "oidc-issuer")
 	if err != nil {
 		return fmt.Errorf("failed to create issuer key pair: %s", err)
 	}
-	i.certPath = certPath
-	i.keyPath = keyPath
-	i.sk = sk
+	i.keyCertPair = kcp
 
 	serveAddr := fmt.Sprintf("127.0.0.1:%s", i.listenPort)
 
 	go func() {
-		err = http.ListenAndServeTLS(serveAddr, i.certPath, i.keyPath, i)
+		err = http.ListenAndServeTLS(serveAddr, i.keyCertPair.CertPath, i.keyCertPair.KeyPath, i)
 		if err != nil {
 			klog.Errorf("failed to server secure tls: %s", err)
 		}
@@ -80,16 +77,8 @@ func (i *Issuer) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (i *Issuer) CertPath() string {
-	return i.certPath
-}
-
-func (i *Issuer) KeyPath() string {
-	return i.keyPath
-}
-
-func (i *Issuer) Key() *rsa.PrivateKey {
-	return i.sk
+func (i *Issuer) KeyCertPair() *util.KeyCertPair {
+	return i.keyCertPair
 }
 
 func (i *Issuer) Port() string {
@@ -128,7 +117,7 @@ func (i *Issuer) wellKnownResponse() []byte {
 }
 
 func (i *Issuer) CertsDisc() []byte {
-	n := base64.RawURLEncoding.EncodeToString(i.sk.N.Bytes())
+	n := base64.RawURLEncoding.EncodeToString(i.keyCertPair.Key.N.Bytes())
 
 	return []byte(fmt.Sprintf(`{
 	  "keys": [