feat(auth): add PKCE authentication support to OIDC Single Sign-On (SSO)#16288
Open
ArjunPakhan wants to merge 2 commits into
argoproj#16190) Signed-off-by: Arjun Pakhan <arjunpakhan@gmail.com>
Adds EnablePKCEAuthentication config field and implements structural S256 code challenge generation and verifier extraction via stateless cookie tracking.
Member
Hey, a few things that should be done in order to get this into a reviewable state. Run
Description
This PR introduces support for Proof Key for Code Exchange (PKCE) (RFC 7636) within the Argo Workflows Single Sign-On (SSO) authentication pipeline.
By utilizing PKCE with the S256 challenge method, the authorization flow becomes resilient to authorization code interception attacks. This significantly strengthens security postures when utilizing public or loosely protected OpenID Connect (OIDC) / OAuth2 identity providers.
Key Changes
- `EnablePKCEAuthentication` configuration flag in `config/sso.go` to safely opt-in to the PKCE pipeline.
- `HandleRedirect` inside `server/auth/sso/sso.go` to securely generate a high-entropy 43-character `code_verifier`, calculate its SHA-256 hash (`code_challenge`), and statefully append the verifier to the localized state cookie (`verifier|finalRedirectURL`).
- `HandleCallback` to safely parse and extract the `code_verifier` back from the incoming state validation cookie, passing it directly into the downstream execution block for `s.config.Exchange(...)`.
- `EnablePKCEAuthentication` is turned off.
Type of Change
Verification & Testing Results
Automated Tests
Ran internal SSO ecosystem test sweeps locally to ensure Zero-Regression across traditional state matching logic:
go test -v ./server/auth/sso/...
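The S256 challenge derivation and the `verifier|finalRedirectURL` state-cookie round trip described under Key Changes, as an added Go example that is not code from this PR or from Argo Workflows. Function names, the `argo.example` URL and the RFC 7636 length bounds enforced in `unpackState` are assumptions; a real handler would hand the challenge to the authorization redirect and the verifier to the token exchange rather than print them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newCodeVerifier returns a 43-character PKCE code_verifier: 32 random bytes,
// base64url-encoded without padding (RFC 7636 section 4.1).
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// s256Challenge derives the S256 code_challenge:
// BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// packState builds the "verifier|finalRedirectURL" payload stored in the state cookie on redirect.
func packState(verifier, redirectURL string) string {
	return verifier + "|" + redirectURL
}

// unpackState reverses packState on the callback. It splits on the first '|' only:
// the base64url verifier alphabet never contains '|', but a redirect URL might.
// Length bounds (43..128) come from RFC 7636 section 4.1 (assumed check, not from the PR).
func unpackState(state string) (verifier, redirectURL string, err error) {
	parts := strings.SplitN(state, "|", 2)
	if len(parts) != 2 || len(parts[0]) < 43 || len(parts[0]) > 128 {
		return "", "", errors.New("state cookie missing or malformed PKCE verifier")
	}
	return parts[0], parts[1], nil
}

func main() {
	v, _ := newCodeVerifier()
	state := packState(v, "https://argo.example/workflows?filter=a|b") // constructed sample
	got, redirect, err := unpackState(state)
	fmt.Println(s256Challenge(v), got == v, redirect, err)
}
```

`s256Challenge` reproduces the RFC 7636 Appendix B vector: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.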