OIDC provider #602

Open
dasarinaidu wants to merge 1 commit into rancher:main from dasarinaidu:oidc-provider

@dasarinaidu
Contributor

  1. Added new tests for OIDC Provider
  2. Rancher Card: [RFE] Support OAUTH2 rancher#52716

@dasarinaidu dasarinaidu requested a review from a team as a code owner April 3, 2026 20:06
@dasarinaidu dasarinaidu force-pushed the oidc-provider branch 5 times, most recently from 16e3798 to 8cfecfc Compare April 3, 2026 23:02
@dasarinaidu dasarinaidu force-pushed the oidc-provider branch 4 times, most recently from a19218e to dd86b5b Compare April 9, 2026 00:11
@dasarinaidu dasarinaidu force-pushed the oidc-provider branch 3 times, most recently from 6eb571e to 6f92cf0 Compare April 10, 2026 20:34
@dasarinaidu dasarinaidu requested a review from a team as a code owner April 10, 2026 20:34
@dasarinaidu dasarinaidu force-pushed the oidc-provider branch 4 times, most recently from a2403d0 to 395513d Compare April 10, 2026 21:10
@github-actions

OIDCTestSuite SetupSuite
OIDCTestSuite TearDownSuite
OIDCTestSuite TestFeatureFlagEnabledAllowsAccessTokenAuth
OIDCTestSuite TestDiscoveryWellKnownEndpointReturns200
OIDCTestSuite TestDiscoveryContainsRequiredRFC8414Fields
OIDCTestSuite TestDiscoveryContainsMCPRequiredFields
OIDCTestSuite TestOIDCClientUnregisteredScopeIsRejected
OIDCTestSuite TestOIDCClientScopeListLimitsIDToken
OIDCTestSuite TestAccessTokenAuthenticatesV3UsersAPI
OIDCTestSuite TestAccessTokenJWTContainsRequiredClaims
OIDCTestSuite TestAccessTokenTamperedTokenReturns401
OIDCTestSuite TestAccessTokenV3ClustersAccessible
OIDCTestSuite TestAccessTokenAdminTokenUnaffectedByFlag
OIDCTestSuite TestTokenEndpointPKCEFlowProducesValidTokens
OIDCTestSuite TestTokenEndpointRefreshTokenExchangeWorks
OIDCTestSuite TestTokenEndpointWrongClientSecretReturns4xx
OIDCTestSuite TestSecurityMissingAuthHeaderReturns401
OIDCTestSuite TestSecurityMalformedBearerTokenReturns401
OIDCTestSuite TestSecurityNonStringKidDoesNotPanic
OIDCTestSuite TestSecurityTamperedSignatureReturns401
OIDCTestSuite TestRegressionBothOIDCAndAdminTokenWork
OIDCTestSuite TestRegressionDiscoveryDocumentIssuerMatchesRancherURL
OIDCTestSuite TestTokenWhenFeatureFlagDisabled

TestSuites above were modified. TestSuites below use modified code from this PR.

TestOIDCProviderSuite

@dasarinaidu dasarinaidu force-pushed the oidc-provider branch 2 times, most recently from a2403d0 to a9ee4f3 Compare April 10, 2026 21:23
@dasarinaidu dasarinaidu force-pushed the oidc-provider branch 7 times, most recently from 3668de2 to cb6e46a Compare April 29, 2026 19:54
"Rancher did not become ready after enabling oidc-provider")

logrus.Infof("Creating OIDCClient %q", s.oidcConfig.ClientName)
spec := oidcclient.ClientSpec{
Contributor

@Priyashetty17 Priyashetty17 Apr 29, 2026

Shouldn't this be:

spec := v3.OIDCClientSpec{
    RedirectURIs:                  []string{s.oidcConfig.RedirectURI},
    ...
}

For this, you need to import v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"

Contributor Author

Same situation as the oidcclient.go typed-wrangler comment on shepherd PR #547 — the currently vendored v3.OIDCClientSpec lacks the Scopes field (added in newer pkg/apis). Once the pkg/apis bump PR lands, this becomes a one-line swap: oidcclient.ClientSpec → v3.OIDCClientSpec, drop the local struct definition. Tracking under the same follow-up PR we discussed.

Contributor

Yes, for this to work, you need to bump the pkg/apis version in rancher/tests.