OIDC Auth Provider #59
Conversation
jcrowthe
commented
Oct 11, 2021
jcrowthe
commented
- Add support for OIDC auth provider
- Fix a bug where policies were queried more than once
- Improve error messages on failure to login
- Fix a bug where policies were queried more than once - Improve error messages on failure to login
| if (server.listening != true) { | ||
| server.listen({ | ||
| host: '127.0.0.1', | ||
| port: 8250, |
There was a problem hiding this comment.
Maybe the server port should be configurable in case it could collide with something?
There was a problem hiding this comment.
TL;DR; Cryptr has been written with the YAGNI principle in mind.
This is unfortunately a complex problem. If the server:port combination used by Cryptr is not also in the approved callback URLs list configured in the OIDC provider, the OIDC provider will cancel the login attempt and produce an error.
By default, Vault CLI uses http:https://127.0.0.1:8250 as its callback URL, and as such, this URL has the highest likelihood of already being in the OIDC provider's allowlist. For this reason this server:port combination is hardcoded here. Should sufficient need arise for customizing this port, a request can be evaluated.
To avoid port conflicts, Cryptr listens on 127.0.0.1:8250 for as short a time as possible. Error handling and retries have been added to ensure Cryptr owns (and is the sole listener on) the port before allowing the OIDC auth flow to proceed. A quick search indicates that few other pieces of software specifically claim this port, so the likelihood of always-on software claiming this port is extremely low.
