Rewrite token endpoint (#167)

## Overview Add a config to optionally proxy the token URL. Return the updated token URL in the `GetOAuth2Metadata` response. ## Test Plan - [x] Added a unittest - [x] Tested e2e as part of unionai/cloud#6881 ## Rollout Plan (if applicable) Disabled by default, so will generally be a noop. We can pick this up in cloud and combine with unionai/cloud#6881 to proxy auth token requests. ## Upstream Changes Should this change be upstreamed to OSS (flyteorg/flyte)? If so, please check this box for auditing. Note, this is the responsibility of each developer. See [this guide](https://unionai.atlassian.net/wiki/spaces/ENG/pages/447610883/Flyte+-+Union+Cloud+Development+Runbook/#When-are-versions-updated%3F). - [ ] To be upstreamed ## Jira Issue https://unionai.atlassian.net/browse/CLOUD-1690
flyteorg · Mar 24, 2024 · 91ff694 · 91ff694
1 parent 7a5f048
commit 91ff694
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 4 deletions.
diff --git a/flyteadmin/auth/authzserver/metadata_provider.go b/flyteadmin/auth/authzserver/metadata_provider.go
@@ -31,14 +31,14 @@ func (s OAuth2MetadataProvider) AuthFuncOverride(ctx context.Context, fullMethod
 }
 
 func (s OAuth2MetadataProvider) GetOAuth2Metadata(ctx context.Context, r *service.OAuth2MetadataRequest) (*service.OAuth2MetadataResponse, error) {
+	publicURL := auth.GetPublicURL(ctx, nil, s.cfg)
 	switch s.cfg.AppAuth.AuthServerType {
 	case authConfig.AuthorizationServerTypeSelf:
-		u := auth.GetPublicURL(ctx, nil, s.cfg)
 		doc := &service.OAuth2MetadataResponse{
 			Issuer:                        GetIssuer(ctx, nil, s.cfg),
-			AuthorizationEndpoint:         u.ResolveReference(authorizeRelativeURL).String(),
-			TokenEndpoint:                 u.ResolveReference(tokenRelativeURL).String(),
-			JwksUri:                       u.ResolveReference(jsonWebKeysURL).String(),
+			AuthorizationEndpoint:         publicURL.ResolveReference(authorizeRelativeURL).String(),
+			TokenEndpoint:                 publicURL.ResolveReference(tokenRelativeURL).String(),
+			JwksUri:                       publicURL.ResolveReference(jsonWebKeysURL).String(),
 			CodeChallengeMethodsSupported: []string{"S256"},
 			ResponseTypesSupported: []string{
 				"code",
@@ -96,6 +96,18 @@ func (s OAuth2MetadataProvider) GetOAuth2Metadata(ctx context.Context, r *servic
 			return nil, err
 		}
 
+		if len(s.cfg.TokenEndpointProxyPath) > 0 {
+			tokenEndpoint, err := url.Parse(resp.TokenEndpoint)
+			if err != nil {
+				return nil, flyteErrors.NewFlyteAdminError(codes.Internal, fmt.Sprintf("Failed to parse token endpoint [%v], err: %v", resp.TokenEndpoint, err))
+			}
+
+			tokenEndpoint.Host = publicURL.Host
+			tokenEndpoint.Path = s.cfg.TokenEndpointProxyPath + tokenEndpoint.Path
+			tokenEndpoint.RawPath = s.cfg.TokenEndpointProxyPath + tokenEndpoint.RawPath
+			resp.TokenEndpoint = tokenEndpoint.String()
+		}
+
 		return resp, nil
 	}
 }

diff --git a/flyteadmin/auth/authzserver/metadata_provider_test.go b/flyteadmin/auth/authzserver/metadata_provider_test.go
@@ -91,6 +91,28 @@ func TestOAuth2MetadataProvider_OAuth2Metadata(t *testing.T) {
 		ctx := context.Background()
 		resp, err := provider.GetOAuth2Metadata(ctx, &service.OAuth2MetadataRequest{})
 		assert.NoError(t, err)
+		assert.Equal(t, "https://example.com/auth", resp.AuthorizationEndpoint)
+		assert.Equal(t, "https://example.com/token", resp.TokenEndpoint)
+		assert.Equal(t, "https://dev-14186422.okta.com", resp.Issuer)
+	})
+
+	t.Run("External AuthServer with proxy", func(t *testing.T) {
+		provider := NewService(&authConfig.Config{
+			AuthorizedURIs: []config2.URL{{URL: *config.MustParseURL("https://issuer/")}},
+			AppAuth: authConfig.OAuth2Options{
+				AuthServerType: authConfig.AuthorizationServerTypeExternal,
+				ExternalAuthServer: authConfig.ExternalAuthorizationServer{
+					BaseURL: config2.URL{URL: *config.MustParseURL(s.URL)},
+				},
+			},
+			TokenEndpointProxyPath: "/my-proxy",
+		})
+
+		ctx := context.Background()
+		resp, err := provider.GetOAuth2Metadata(ctx, &service.OAuth2MetadataRequest{})
+		assert.NoError(t, err)
+		assert.Equal(t, "https://example.com/auth", resp.AuthorizationEndpoint)
+		assert.Equal(t, "https://issuer/my-proxy/token", resp.TokenEndpoint)
 		assert.Equal(t, "https://dev-14186422.okta.com", resp.Issuer)
 	})
 

diff --git a/flyteadmin/auth/config/config.go b/flyteadmin/auth/config/config.go
@@ -164,6 +164,9 @@ type Config struct {
 
 	// AppAuth settings used to authenticate and control/limit access scopes for apps.
 	AppAuth OAuth2Options `json:"appAuth" pflag:",Defines Auth options for apps. UserAuth must be enabled for AppAuth to work."`
+
+	// TokenEndpointProxyPath, if set, configures admin to proxy calls to the TokenURL using this path prefix.
+	TokenEndpointProxyPath string `json:"tokenEndpointProxyPath" pflag:",The path used to proxy calls to the TokenURL"`
 }
 
 type AuthorizationServer struct {

diff --git a/flyteadmin/auth/config/config_flags.go b/flyteadmin/auth/config/config_flags.go
diff --git a/flyteadmin/auth/config/config_flags_test.go b/flyteadmin/auth/config/config_flags_test.go