Bug 2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Březina
QA Contact: Scott Poore
Josip Vilicic
URL:
Whiteboard: sync-to-jira
Depends On: 2056482
Blocks:
Reported: 2022-02-21 10:48 UTC by Pavel Březina
Modified: 2023-09-18 04:32 UTC (History)

Fixed In Version: sssd-2.7.0-2.el8
Doc Type: Technology Preview
Doc Text:
.SSSD internal krb5 idp plugin available as a Technology Preview

The SSSD krb5 `idp` plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 8.7 and later.
Clone Of: 2056482
Environment:
Last Closed: 2022-11-08 10:51:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | RHELPLAN-112901 | 0 | None | None | None | 2022-02-21 11:00:22 UTC |
| Red Hat Issue Tracker | SSSD-4347 | 0 | None | None | None | 2022-02-21 20:15:48 UTC |
| Red Hat Product Errata | RHBA-2022:7739 | 0 | None | None | None | 2022-11-08 10:51:43 UTC |

Description Pavel Březina 2022-02-21 10:48:40 UTC
+++ This bug was initially created as a clone of Bug #2056482 +++

This is a request to include the sssd internal krb5 plugin that is currently under development in https://github.com/SSSD/sssd/pull/5762.

Comment 3 Alexey Tikhonov 2022-03-16 11:28:45 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5762

* `master`
    * 918d493c38138cf1008c7e117be4e416adae22f5 - pam: add oauth2 url+pin prompt
    * 95495e7b4f3111cfd4508025bca3d66c84f7cd87 - krb5: add keep alive timeout for krb5_child
    * 8cba6b4b40cda6b3d50b137ec9a566d16ea9e3c8 - krb5: fix memory hierarchy in krb5_child unpack_buffer()
    * dcd7133e1ce0791dab4a7ecfcd46c228c35c2bd9 - krb5: add support for idp:oauth2 responder question
    * 689bb4f8bfc6c434f2004bf2051777637f958b35 - krb5: exchange messages with krb5_child with exact length
    * 5f9e5c2e0365fd3debd48ab1fd96c77efffed05b - krb5: terminate child if it fails to setup
    * 3a2add67f897b78450291b7c41b32f18b42c17a2 - krb5: support to exchange multiple messages with the same child
    * 68a8a2d71b77fbc5e7a748307ac4164ebd8125f3 - krb5: add idp preauth plugins
    * 6731494204a623da79297047b108d133de377c97 - make: define RUNDIR
    * 8ca8fcf01d6854c739a090778bc1c3e0e3579e0c - conf: add libjansson dependency
    * 7d688556bfff7b508ce4982d4240a6e1d0bf31f4 - pam: add new SSS_PAM_OAUTH2_INFO pam item
    * 292bde667c8cf40eb13fd1593d9a968ab753338f - pam: add new SSS_CHILD_KEEP_ALIVE pam item
    * 709e9cc9a12853e3f243e6aac349c02d09b12acf - authtok: add SSS_AUTHTOK_TYPE_OAUTH2

Comment 4 Alexey Tikhonov 2022-04-01 15:13:36 UTC
Additional PR: https://github.com/SSSD/sssd/pull/6090

Comment 5 Alexey Tikhonov 2022-04-08 10:54:12 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6090

* `master`
    * 74cb09ea21432e986034bbb2ee2b477644ac8ae3 - krb5: idp method is only supported if FAST channel is available
    * 63e6365cb18033114d21c6c263c4971552847481 - krb5: switch to Proxy-State in idp plugin reply
    * f853a868309fe11c591a103152c9191ea0432462 - krb5: switch to Proxy-State in idp plugin

Comment 12 errata-xmlrpc 2022-11-08 10:51:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739

Comment 15 Red Hat Bugzilla 2023-09-18 04:32:25 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

