Add support for HTTPS redirect URI (#381)

* Add local server certificate option

* fix trailing slash from step 5 kubectl config set-credentials

* Add local https documentation

* Change flags to --local-server-cert and --local-server-key

* Add tests for flags

Co-authored-by: TJ Miller <[email protected]>
Co-authored-by: Hidetake Iwata <[email protected]>

docs/usage.md

@@ -18,6 +18,8 @@ Flags:
       --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
       --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
       --skip-open-browser                               [authcode] Do not open the browser automatically
+      --local-server-cert string                        [authcode] Certificate path for the local server
+      --local-server-key string                         [authcode] Certificate key path for the local server
       --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
       --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
       --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
@@ -66,6 +68,14 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
 
+### Local Server HTTPS
+
+You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
+
+```yaml
+      - --local-server-cert=localhost.crt
+      - --local-server-key=localhost.key
+```
 
 ## Authentication flows
 

go.sum

@@ -570,6 +570,7 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0 h1:UhZDfRO8JRQru4/+LlLE0BRKGF8L+PICnvYZmx/fEGA=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

pkg/adaptors/cmd/authentication.go

@@ -16,6 +16,8 @@ type authenticationOptions struct {
 	ListenAddress              []string
 	ListenPort                 []int // deprecated
 	SkipOpenBrowser            bool
+	LocalServerCertFile        string
+	LocalServerKeyFile         string
 	OpenURLAfterAuthentication string
 	RedirectURLHostname        string
 	AuthRequestExtraParams     map[string]string
@@ -54,6 +56,8 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 		panic(err)
 	}
 	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
+	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
 	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
 	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
 	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
@@ -67,6 +71,8 @@ func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSe
 		s.AuthCodeBrowserOption = &authcode.BrowserOption{
 			BindAddress:                o.determineListenAddress(),
 			SkipOpenBrowser:            o.SkipOpenBrowser,
+			LocalServerCertFile:        o.LocalServerCertFile,
+			LocalServerKeyFile:         o.LocalServerKeyFile,
 			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
 			RedirectURLHostname:        o.RedirectURLHostname,
 			AuthRequestExtraParams:     o.AuthRequestExtraParams,

pkg/adaptors/cmd/cmd_test.go

@@ -80,6 +80,8 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--local-server-cert", "/path/to/local-server-cert",
+					"--local-server-key", "/path/to/local-server-key",
 					"--open-url-after-authentication", "https://example.com/success.html",
 					"--username", "USER",
 					"--password", "PASS",
@@ -95,6 +97,8 @@ func TestCmd_Run(t *testing.T) {
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							SkipOpenBrowser:            true,
+							LocalServerCertFile:        "/path/to/local-server-cert",
+							LocalServerKeyFile:         "/path/to/local-server-key",
 							OpenURLAfterAuthentication: "https://example.com/success.html",
 							RedirectURLHostname:        "localhost",
 						},
@@ -223,6 +227,8 @@ func TestCmd_Run(t *testing.T) {
 					"--listen-address", "127.0.0.1:10080",
 					"--listen-address", "127.0.0.1:20080",
 					"--skip-open-browser",
+					"--local-server-cert", "/path/to/local-server-cert",
+					"--local-server-key", "/path/to/local-server-key",
 					"--open-url-after-authentication", "https://example.com/success.html",
 					"--oidc-auth-request-extra-params", "ttl=86400",
 					"--oidc-auth-request-extra-params", "reauth=true",
@@ -242,6 +248,8 @@ func TestCmd_Run(t *testing.T) {
 						AuthCodeBrowserOption: &authcode.BrowserOption{
 							BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
 							SkipOpenBrowser:            true,
+							LocalServerCertFile:        "/path/to/local-server-cert",
+							LocalServerKeyFile:         "/path/to/local-server-key",
 							OpenURLAfterAuthentication: "https://example.com/success.html",
 							RedirectURLHostname:        "localhost",
 							AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},

pkg/adaptors/oidcclient/oidcclient.go

@@ -50,6 +50,8 @@ type GetTokenByAuthCodeInput struct {
 	RedirectURLHostname    string
 	AuthRequestExtraParams map[string]string
 	LocalServerSuccessHTML string
+	LocalServerCertFile    string
+	LocalServerKeyFile     string
 }
 
 type client struct {
@@ -80,6 +82,8 @@ func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeIn
 		LocalServerReadyChan:   localServerReadyChan,
 		RedirectURLHostname:    in.RedirectURLHostname,
 		LocalServerSuccessHTML: in.LocalServerSuccessHTML,
+		LocalServerCertFile:    in.LocalServerCertFile,
+		LocalServerKeyFile:     in.LocalServerKeyFile,
 		Logf:                   c.logger.V(1).Infof,
 	}
 	token, err := oauth2cli.GetToken(ctx, config)

pkg/usecases/authentication/authcode/browser.go

@@ -18,6 +18,8 @@ type BrowserOption struct {
 	OpenURLAfterAuthentication string
 	RedirectURLHostname        string
 	AuthRequestExtraParams     map[string]string
+	LocalServerCertFile        string
+	LocalServerKeyFile         string
 }
 
 // Browser provides the authentication code flow using the browser.
@@ -52,6 +54,8 @@ func (u *Browser) Do(ctx context.Context, o *BrowserOption, client oidcclient.In
 		RedirectURLHostname:    o.RedirectURLHostname,
 		AuthRequestExtraParams: o.AuthRequestExtraParams,
 		LocalServerSuccessHTML: successHTML,
+		LocalServerCertFile:    o.LocalServerCertFile,
+		LocalServerKeyFile:     o.LocalServerKeyFile,
 	}
 	readyChan := make(chan string, 1)
 	var out *oidc.TokenSet

pkg/usecases/authentication/authcode/browser_test.go

@@ -31,6 +31,8 @@ func TestBrowser_Do(t *testing.T) {
 		o := &BrowserOption{
 			BindAddress:                []string{"127.0.0.1:8000"},
 			SkipOpenBrowser:            true,
+			LocalServerCertFile:        "/path/to/local-server-cert",
+			LocalServerKeyFile:         "/path/to/local-server-key",
 			OpenURLAfterAuthentication: "https://example.com/success.html",
 			RedirectURLHostname:        "localhost",
 			AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
@@ -52,6 +54,12 @@ func TestBrowser_Do(t *testing.T) {
 				if diff := cmp.Diff(o.AuthRequestExtraParams, in.AuthRequestExtraParams); diff != "" {
 					t.Errorf("AuthRequestExtraParams mismatch (-want +got):\n%s", diff)
 				}
+				if diff := cmp.Diff(o.LocalServerKeyFile, in.LocalServerKeyFile); diff != "" {
+					t.Errorf("LocalServerKeyFile mismatch (-want +got):\n%s", diff)
+				}
+				if diff := cmp.Diff(o.LocalServerCertFile, in.LocalServerCertFile); diff != "" {
+					t.Errorf("LocalServerCertFile mismatch (-want +got):\n%s", diff)
+				}
 				readyChan <- "LOCAL_SERVER_URL"
 			}).
 			Return(&oidc.TokenSet{

pkg/usecases/setup/stage2.go

@@ -2,6 +2,7 @@ package setup
 
 import (
 	"context"
+	"path/filepath"
 	"strings"
 	"text/template"
 
@@ -38,8 +39,9 @@ Run the following command:
 	  --exec-command=kubectl \
 	  --exec-arg=oidc-login \
 	  --exec-arg=get-token \
-{{- range .Args }}
-	  --exec-arg={{ . }} \
+{{- range $index, $arg := .Args }}
+	  {{- if $index}} \{{end}}
+	  --exec-arg={{ $arg }}
 {{- end }}
 
 ## 6. Verify cluster access
@@ -141,6 +143,20 @@ func makeCredentialPluginArgs(in Stage2Input) []string {
 		if in.GrantOptionSet.AuthCodeBrowserOption.SkipOpenBrowser {
 			args = append(args, "--skip-open-browser")
 		}
+		if in.GrantOptionSet.AuthCodeBrowserOption.LocalServerCertFile != "" {
+			// Resolve the absolute path for the cert files so the user doesn't have to know
+			// to use one when running setup.
+			certpath, err := filepath.Abs(in.GrantOptionSet.AuthCodeBrowserOption.LocalServerCertFile)
+			if err != nil {
+				panic(err)
+			}
+			keypath, err := filepath.Abs(in.GrantOptionSet.AuthCodeBrowserOption.LocalServerKeyFile)
+			if err != nil {
+				panic(err)
+			}
+			args = append(args, "--local-server-cert="+certpath)
+			args = append(args, "--local-server-key="+keypath)
+		}
 	}
 	args = append(args, in.ListenAddressArgs...)
 	if in.GrantOptionSet.ROPCOption != nil {