From 075daaccdfff59377da5a5769df48b400c58b425 Mon Sep 17 00:00:00 2001
From: Hulto <7121375+hulto@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:06:33 +0000
Subject: [PATCH 1/2] Easy Peezy
---
 tavern/app.go | 2 +-
 tavern/config.go | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/tavern/app.go b/tavern/app.go
index 68295dcab..b1349a378 100644
--- a/tavern/app.go
+++ b/tavern/app.go
@@ -184,7 +184,7 @@ func NewServer(ctx context.Context, options ...func(*Config)) (*Server, error) {
 cfg.oauth,
 pubKey,
 client,
- "https://www.googleapis.com/oauth2/v3/userinfo",
+ cfg.userProfiles,
 ),
 AllowUnauthenticated: true,
 AllowUnactivated: true,
diff --git a/tavern/config.go b/tavern/config.go
index 54531df05..365e66b28 100644
--- a/tavern/config.go
+++ b/tavern/config.go
@@ -79,8 +79,9 @@ type Config struct {
 mysqlDSN string
- client *ent.Client
- oauth oauth2.Config
+ client *ent.Client
+ oauth oauth2.Config
+ userProfiles string
 }
 // Connect to the database using configured drivers and uri
@@ -238,6 +239,7 @@ func ConfigureOAuthFromEnv(redirectPath string) func(*Config) {
 domain = fmt.Sprintf("https://%s", domain)
 }
+ // Google OAuth backend
 cfg.oauth = oauth2.Config{
 ClientID: clientID,
 ClientSecret: clientSecret,
@@ -247,6 +249,7 @@ func ConfigureOAuthFromEnv(redirectPath string) func(*Config) {
 },
 Endpoint: google.Endpoint,
 }
+ cfg.userProfiles = "https://www.googleapis.com/oauth2/v3/userinfo"
 }
 }
From fc9a54518f3d868a41f8a770444958ba91b3e571 Mon Sep 17 00:00:00 2001
From: Hulto <7121375+hulto@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:12:00 +0000
Subject: [PATCH 2/2] Add docs
---
 docs/_docs/dev-guide/tavern.md | 49 ++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/docs/_docs/dev-guide/tavern.md b/docs/_docs/dev-guide/tavern.md
index 2176b9d33..b83e8a264 100644
--- a/docs/_docs/dev-guide/tavern.md
+++ b/docs/_docs/dev-guide/tavern.md
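Review bot: NewServer now hands cfg.userProfiles to the auth constructor in place of the former fixed URL, but nothing in the hunk checks that the field was actually populated; if a Server can be built with an option set that does not include ConfigureOAuthFromEnv (not visible here), an empty userinfo URL is wired in and the failure only surfaces when a user tries to log in. NewServer already returns an error, so a startup guard placed before this literal is built, `if cfg.userProfiles == "" { return nil, fmt.Errorf("oauth userinfo endpoint not configured") }`, would reject the misconfiguration early; whether app.go already imports fmt is not visible in the hunk. NewServer begins and ends outside this hunk.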
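Review bot: The new userProfiles field on Config has no doc comment, and its name reads as a collection of profiles rather than the single userinfo endpoint URL it holds (the app.go hunk substitutes it for the Google userinfo URL). A comment such as `// userProfiles is the OAuth provider's userinfo endpoint URL, queried for the identity of a logged-in user; it must belong to the same provider as oauth.Endpoint.` would tell the next maintainer what the value is and why it cannot be pointed elsewhere independently of oauth. Whether the component that receives it presents the user's access token to that URL is not shown in this diff, but if it does, that coupling is the reason the comment matters. The Config type starts before this hunk.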
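Review bot: The Google userinfo URL is assigned as a bare string literal after the oauth2.Config literal is complete, separated from the `Endpoint: google.Endpoint` it has to agree with, and the dev-guide added in the second patch asks operators to edit both by hand. A package-scope constant, `const googleUserInfoURL = "https://www.googleapis.com/oauth2/v3/userinfo"`, with `cfg.userProfiles = googleUserInfoURL` here would give the value a name that the `// Google OAuth backend` comment in the previous hunk can refer to and keep the two provider settings visibly paired. ConfigureOAuthFromEnv begins outside this hunk.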
@@ -109,3 +109,52 @@ If you wish to develop an agent using a different transport method (e.g. DNS), y
 2. Execute [Tasks](/user-guide/terminology#task) (happens in parallel and may not finish within one loop)
 3. Report available output from [Task](/user-guide/terminology#task) execution
 4. Sleep for an interval and repeat
+
+## Custom oauth2 backend
+
+If you can't use the default google oauth2 backend Realm has a flexible implementation that allows you to implement your own backends.
+
+For example to add Hashicorp Vault as an OIDC backend you'll need to:
+
+1. Setup an OIDC provider in vault -
+2. Get the relevant variables from the '.well-known/openid-configuration` endpoint: `authorization_endpoint`,`token_endpoint`,`userinfo_endpoint`,`scopes_supported`
+3. Open the `tavern/config.go` file and find where the `oauth2.Config` is initalized.
+4. You'll need to change `Endpoint: google.Endpoint` to `oauth2.Endpoint{}` and fill in the `AuthURL` and `TokenURL` with `authorization_endpoint` and `token_endpoint` respectively.
+5. Update the `cfg.userProfiles` link with the `userinfo_endpoint`
+6. Update `Scopes:` with the scopes in `scopes_supported`
+
+For example using vault might look like:
+
+```go
+// ConfigureOAuthFromEnv sets OAuth config values from the environment
+func ConfigureOAuthFromEnv(redirectPath string) func(*Config) {
+ return func(cfg *Config) {
+ var (
+ clientID = EnvOAuthClientID.String()
+ clientSecret = EnvOAuthClientSecret.String()
+ domain = EnvOAuthDomain.String()
+ )
+
+ // .....
+ // .....
+
+ // Vault OAuth backend
+ cfg.oauth = oauth2.Config{
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ RedirectURL: domain + redirectPath,
+ Scopes: []string{
+ "openid",
+ },
+ Endpoint: oauth2.Endpoint{
+ AuthURL: "https://vault.example.com/ui/vault/identity/oidc/provider/default/authorize",
+ TokenURL: "https://vault.example.com/v1/identity/oidc/provider/default/token",
+ },
+ }
+ cfg.userProfiles = "https://vault.example.com/v1/identity/oidc/provider/default/userinfo"
+ }
+}
+
+```
+
+_Keep in mind `/default/` in vault corresponds to the name of the OIDC provider and may be different in your environemnet. You may need to include / create additional scopes to get things like profile pictures and users names from vault into Tavern_