Add OIDC PKCE configuration through policy (#7765)

* Fix leading whitespace in tmpl files

* Add PKCE Enabled flag

* Implement pkce in configs

* Add check for OIDC to guard for a nil pointer

* Fix some whitespace alignment in tmpl files

* Update snapshots to realign with whitespaces

* Add tests for PKCE enabled true

* Update CRDs based on policy files

* Add pkceEnabled to oidc pytest setup yaml

* Terminate include directive with a ;

* Set pkce enabled to an int instead of a string

* OIDC test doesn't need pkce enabled

* Add PKCE pytest

* Update snapshot after changing a str -> int

* oidc and pkce pytest fixture scope to function

* OIDC tests should be class fixtured

* Remove a parameter from pkce test

* pkce test fixture should also be class scoped

* Add debug prints

* Merge pkce test into oidc test file

* Add unit tests for the bool to int util function

* Add docs to create keycloak client via api

* Reword options because no tabs

* OIDC example deploy keycloak into nginx-ingress ns

* Add plus-mgmt-configmap.yaml to instructions

* Redo list numbers in oidc example readme

* Reset keycloak to be in default namespace

* Add note on not using client secret for PKCE

* Move applying the plus mgmt to common resources

* Add pkceEnabled to policy resource doc

* Rename pkceEnabled from past to present tense

* Fix product name in example readme

* Change console code type to shell

* Turn choice into unordered list

* Replace const default pkce secret with init val

* Change pkce and client secret validations

* Update snapshots

* Do not use default client secret

* Add more validation and tests

* Add note to OIDC policy docs about pkce-clientsecret

* Remove clientsecret from e2e test for pkce

Author: javorszky

charts/tests/__snapshots__/helmunit_test.snap

@@ -442,8 +442,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -911,8 +909,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -1449,8 +1445,6 @@ spec:
           - -weight-changes-dynamic-reload=false
           - -agent=true
           - -agent-instance-group=app-protect-waf-agentv2-nginx-ingress-controller
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -1965,7 +1959,6 @@ spec:
             mountPath: /opt/app_protect/config
           - name: app-protect-bundles
             mountPath: /etc/app_protect/bundles
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -2547,7 +2540,6 @@ spec:
             mountPath: /opt/app_protect/config
           - name: app-protect-bundles
             mountPath: /etc/app_protect/bundles
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -2961,8 +2953,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -3406,8 +3396,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -3851,8 +3839,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -4297,8 +4283,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -4763,8 +4747,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -5210,8 +5192,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -5672,8 +5652,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -6141,8 +6119,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -6620,8 +6596,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -7080,8 +7054,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -7540,8 +7512,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1
@@ -8010,8 +7980,6 @@ spec:
           - -ssl-dynamic-reload=true
           - -enable-telemetry-reporting=true
           - -weight-changes-dynamic-reload=false
-      
-  minReadySeconds: 0
 /-/-/-/
 # Source: nginx-ingress/templates/controller-ingress-class.yaml
 apiVersion: networking.k8s.io/v1

config/crd/bases/k8s.nginx.org_policies.yaml

@@ -163,6 +163,8 @@ spec:
                     type: string
                   jwksURI:
                     type: string
+                  pkceEnable:
+                    type: boolean
                   postLogoutRedirectURI:
                     type: string
                   redirectURI:

deploy/crds.yaml

@@ -325,6 +325,8 @@ spec:
                     type: string
                   jwksURI:
                     type: string
+                  pkceEnable:
+                    type: boolean
                   postLogoutRedirectURI:
                     type: string
                   redirectURI:

examples/custom-resources/oidc/README.md

@@ -5,12 +5,24 @@ application using an OpenID Connect policy and [Keycloak](https://www.keycloak.o
 
 **Note**: The KeyCloak container does not support IPv6 environments.
 
+**Note**: This example assumes that your default namespace is set to `default`. You can check this with
+
+```shell
+kubectl config view --minify | grep namespace
+```
+
+If it's not empty, and anything other than `default`, you can set to `default` with the following command:
+
+```shell
+kubectl config set-context --namespace default --current
+```
+
 ## Prerequisites
 
 1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
-   instructions to deploy the Ingress Controller. This example requires that the HTTPS port of the Ingress Controller is
-   `443`.
-1. Save the public IP address of the Ingress Controller into `/etc/hosts` of your machine:
+   instructions to deploy NGINX Ingress Controller. This example requires that the HTTPS port of the Ingress
+   Controller is `443`.
+2. Save the public IP address of the Ingress Controller into `/etc/hosts` of your machine:
 
     ```text
     ...
@@ -27,29 +39,29 @@ application using an OpenID Connect policy and [Keycloak](https://www.keycloak.o
 Create a secret with the TLS certificate and key that will be used for TLS termination of the web application and
 Keycloak:
 
-```console
+```shell
 kubectl apply -f tls-secret.yaml
 ```
 
 ## Step 2 - Deploy a Web Application
 
 Create the application deployment and service:
 
-```console
+```shell
 kubectl apply -f webapp.yaml
 ```
 
 ## Step 3 - Deploy Keycloak
 
 1. Create the Keycloak deployment and service:
 
-    ```console
+    ```shell
     kubectl apply -f keycloak.yaml
     ```
 
-1. Create a VirtualServer resource for Keycloak:
+2. Create a VirtualServer resource for Keycloak:
 
-    ```console
+    ```shell
     kubectl apply -f virtual-server-idp.yaml
     ```
 
@@ -59,27 +71,30 @@ To set up Keycloak:
 
 1. Follow the steps in the "Configuring Keycloak" [section of the documentation](https://docs.nginx.com/nginx/deployment-guides/single-sign-on/keycloak/#configuring-keycloak):
     1. To connect to Keycloak, use `https://keycloak.example.com`.
-    1. Make sure to save the client secret for NGINX-Plus client to the `SECRET` shell variable:
+    2. Make sure to save the client secret for NGINX-Plus client to the `SECRET` shell variable:
 
-        ```console
+        ```shell
         SECRET=value
         ```
 
-1. Alternatively, [execute the commands](./keycloak_setup.md).
+2. Alternatively, [execute the commands](./keycloak_setup.md).
 
 ## Step 5 - Deploy the Client Secret
 
+**Note**: If you're using PKCE, skip this step. PKCE clients do not have client secrets. Applying this will result
+in a broken deployment.
+
 1. Encode the secret, obtained in the previous step:
 
-    ```console
+    ```shell
     echo -n $SECRET | base64
     ```
 
-1. Edit `client-secret.yaml`, replacing `<insert-secret-here>` with the encoded secret.
+2. Edit `client-secret.yaml`, replacing `<insert-secret-here>` with the encoded secret.
 
-1. Create a secret with the name `oidc-secret` that will be used by the OIDC policy:
+3. Create a secret with the name `oidc-secret` that will be used by the OIDC policy:
 
-    ```console
+    ```shell
     kubectl apply -f client-secret.yaml
     ```
 
@@ -96,23 +111,23 @@ Steps:
 
 1. Apply the ConfigMap `nginx-config.yaml`, which contains `zone-sync` configuration parameter that enable zone synchronization and the resolver using the kube-dns service.
 
-    ```console
+    ```shell
     kubectl apply -f nginx-config.yaml
     ```
 
 ## Step 7 - Deploy the OIDC Policy
 
 Create a policy with the name `oidc-policy` that references the secret from the previous step:
 
-```console
+```shell
 kubectl apply -f oidc.yaml
 ```
 
 ## Step 8 - Configure Load Balancing
 
 Create a VirtualServer resource for the web application:
 
-```console
+```shell
 kubectl apply -f virtual-server.yaml
 ```
 
@@ -122,15 +137,15 @@ Note that the VirtualServer references the policy `oidc-policy` created in Step
 
 1. Open a web browser and navigate to the URL of the web application: `https://webapp.example.com`. You will be
    redirected to Keycloak.
-1. Log in with the username and password for the user you created in Keycloak, `nginx-user` and `test`.
+2. Log in with the username and password for the user you created in Keycloak, `nginx-user` and `test`.
 ![keycloak](./keycloak.png)
-1. Once logged in, you will be redirected to the web application and get a response from it. Notice the field `User ID`
+3. Once logged in, you will be redirected to the web application and get a response from it. Notice the field `User ID`
 in the response, this will match the ID for your user in Keycloak. ![webapp](./webapp.png)
 
 ## Step 10 - Log Out
 
 1. To log out, navigate to `https://webapp.example.com/logout`. Your session will be terminated, and you will be
    redirected to the default post logout URI `https://webapp.example.com/_logout`.
 ![logout](./logout.png)
-1. To confirm that you have been logged out, navigate to `https://webapp.example.com`. You will be redirected to
+2. To confirm that you have been logged out, navigate to `https://webapp.example.com`. You will be redirected to
    Keycloak to log in again.

examples/custom-resources/oidc/keycloak_setup.md

@@ -17,39 +17,63 @@ Steps:
 
 1. Save the address of Keycloak into a shell variable:
 
-    ```console
+    ```shell
     KEYCLOAK_ADDRESS=keycloak.example.com
     ```
 
-1. Retrieve the access token and store it into a shell variable:
+2. Retrieve the access token and store it into a shell variable:
 
-    ```console
+    ```shell
     TOKEN=`curl -sS -k --data "username=admin&password=admin&grant_type=password&client_id=admin-cli" "https://${KEYCLOAK_ADDRESS}/realms/master/protocol/openid-connect/token" | jq -r .access_token`
     ```
 
    Ensure the request was successful and the token is stored in the shell variable by running:
 
-   ```console
+   ```shell
    echo $TOKEN
    ```
 
    ***Note***: The access token lifespan is very short. If it expires between commands, retrieve it again with the
    command above.
 
-1. Create the user `nginx-user`:
+3. Create the user `nginx-user`:
 
-    ```console
+    ```shell
     curl -sS -k -X POST -d '{ "username": "nginx-user", "enabled": true, "credentials":[{"type": "password", "value": "test", "temporary": false}]}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/admin/realms/master/users
     ```
 
-1. Create the client `nginx-plus` and retrieve the secret:
-
-    ```console
-    SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"], "attributes": {"post.logout.redirect.uris": "https://webapp.example.com:443/*"}}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/realms/master/clients-registrations/default | jq -r .secret`
-    ```
-
-   If everything went well you should have the secret stored in $SECRET. To double check run:
-
-    ```console
-    echo $SECRET
-    ```
+4. Create the client `nginx-plus`:
+
+    - If you are not using PKCE, use the following command to create an OIDC client that does not use PKCE:
+
+        ```shell
+        SECRET=`curl -sS -k -X POST -d '{ "clientId": "nginx-plus", "redirectUris": ["https://webapp.example.com:443/_codexch"], "attributes": {"post.logout.redirect.uris": "https://webapp.example.com:443/*"}}' -H "Content-Type:application/json" -H "Authorization: bearer ${TOKEN}" https://${KEYCLOAK_ADDRESS}/realms/master/clients-registrations/default | jq -r .secret`
+        ```
+
+        If everything went well, you should have the secret stored in $SECRET. To double-check, run:
+
+        ```shell
+        echo $SECRET
+        ```
+
+    - Or if you are using PKCE with OIDC, use the following command to create the client:
+
+        ```shell
+        curl -sS -k -H "Content-Type: application/json" -H "Authorization: Bearer ${TOKEN}" \
+        --data '{
+            "clientId": "nginx-plus",
+            "enabled": true,
+            "standardFlowEnabled": true,
+            "directAccessGrantsEnabled": false,
+            "publicClient": true,
+            "redirectUris": [
+                "https://webapp.example.com:443/_codexch"
+            ],
+            "attributes": {
+                "pkce.code.challenge.method":"S256",
+                "post.logout.redirect.uris": "https://webapp.example.com:443/*"
+            },
+            "protocol": "openid-connect"
+        }' \
+        https://${KEYCLOAK_ADDRESS}/admin/realms/master/clients
+        ```