feat: add azure oidc PKI auth instead of client secret #9054

Merged
merged 15 commits into from
Aug 14, 2023

Conversation

Emyrk
Member

@Emyrk Emyrk commented Aug 11, 2023

Closes #7266

What this does

This implements Azure's Certificate Credentials for OIDC providers. This uses a client certificate and key instead of client_secret for oauth2 auth.

To use

--oidc-issuer-url="<issuer>" --oidc-client-id="<client_id>" --oidc-client-cert-file=<file.crt> --oidc-client-key-file=<file.key>

Their implementation is a super-set of the standard. So this might work for other providers; however, I am sure they probably all have their own unique quirks. So I am not going to try and make this compatible with other providers until we get those requests.

Implementation

I just wrote a wrapper for the existing oauth2 config. So the oauth flow remains the same, I just add to the oauth2 context on the Exchange call:

opts = append(opts,
	oauth2.SetAuthURLParam("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
	oauth2.SetAuthURLParam("client_assertion", signed),
)

For the TokenSource, I had to write my own. I used the internal one in the oauth2 package as a guide:

func (src *jwtTokenSource) Token() (*oauth2.Token, error) {

Testing

The unit tests only focus on asserting the client requests to the IDP. I do not attempt to actually implement some fake IDP.

The first is TestAzureADPKIOIDC, which tests that the Exchange method adds the correct client_assertion for the PKI auth.

The second is a more e2e test for the oauth2 flow, TestSavedAzureADPKIOIDC. It mocks out all the responses by making a fake http.Client with a transport. I did this because I wanted to use a real oauth2.Config to actually invoke the right code paths. The oauth2.Config is what sets the auth payload in the header or the params. The existing fake oidc code does not use the oauth2 package, so it didn't allow me to assert the proper request payloads.

I used actual responses from a real Azure AD instance, and stubbed out some of the JWTs that do not do anything. This means I can test both the initial Exchange and the token refresh and assert that the actual http.Requests sent have the right authorization fields.

Errors

If you provide a key + cert pair that is invalid:

{"message":"Internal error exchanging Oauth code.","detail":"oauth2: \"invalid_client\" \"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'B847C7861E8C8F123E3176C95EBD71CA0AD0AB71', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id '<app_id>'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0\u0026tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/<app_id>'].\\r\\nTrace ID: 2960d3ed-7bc1-4c78-8590-39bf0d5b6300\\r\\nCorrelation ID: <id>\\r\\nTimestamp: 2023-08-11 17:53:01Z\" \"https://login.microsoftonline.com/error?code=700027\""}
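The following is an added, self-contained illustration of the mechanism the PR wires in; it is not code from the PR or from Coder. It shows what the `signed` value appended as `client_assertion` looks like for Azure's certificate credentials (an RS256 JWT whose `x5t` header is the SHA-1 thumbprint of the registered certificate, with `aud` set to the token endpoint and `iss`/`sub` set to the client id), and it implements the check an identity provider performs on receipt, which is the check that produced the AADSTS700027 "key was not found" error quoted above when the thumbprint does not match a registered certificate. The client id, token URL and the self-signed certificate generated by `NewTestCredential` are constructed for the example; the real deployment would load the `--oidc-client-cert-file` / `--oidc-client-key-file` pair instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ClientAssertionType is the RFC 7523 client_assertion_type value, the constant the PR passes to SetAuthURLParam.
const ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint is the base64url SHA-1 of the DER cert; Azure matches the JWT "x5t" header against it (cf. AADSTS700027).
func Thumbprint(cert *x509.Certificate) string { h := sha1.Sum(cert.Raw); return b64url(h[:]) }

// AssertionClaims: aud is the token endpoint, iss and sub are the client_id, jti is a nonce so a replay can be rejected.
type AssertionClaims struct {
	Aud string `json:"aud"`
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

// SignClientAssertion builds the short-lived RS256 JWT sent as client_assertion instead of client_secret.
func SignClientAssertion(key *rsa.PrivateKey, cert *x509.Certificate, clientID, tokenURL string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": Thumbprint(cert)})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	body, _ := json.Marshal(AssertionClaims{Aud: tokenURL, Iss: clientID, Sub: clientID,
		Jti: b64url(jti), Nbf: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion is the IdP side: RS256 by a registered cert (x5t), valid signature, matching aud/iss/sub and time window.
func VerifyClientAssertion(token string, registered *x509.Certificate, clientID, tokenURL string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr map[string]string
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed JWT header")
	}
	pub, _ := registered.PublicKey.(*rsa.PublicKey)
	if pub == nil || hdr["alg"] != "RS256" || hdr["x5t"] != Thumbprint(registered) {
		return nil, fmt.Errorf("key with thumbprint %q (alg %q) is not registered for this client", hdr["x5t"], hdr["alg"])
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var claims AssertionClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed JWT claims")
	}
	if t := now.Unix(); claims.Aud != tokenURL || claims.Iss != clientID || claims.Sub != clientID || t < claims.Nbf || t >= claims.Exp {
		return nil, errors.New("assertion claims do not match this client, endpoint or time")
	}
	return &claims, nil
}

// NewTestCredential makes a throwaway key and self-signed cert (constructed for this example; Coder loads real files).
func NewTestCredential() (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // inputs are fixed and valid, so the ignored errors cannot occur
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

func main() {
	key, cert := NewTestCredential()
	tok, _ := SignClientAssertion(key, cert, "client-id", "https://login.example/token", time.Now())
	_, err := VerifyClientAssertion(tok, cert, "client-id", "https://login.example/token", time.Now())
	fmt.Println("assertion accepted:", err == nil)
}
```

The short `exp` (five minutes) and the fresh `jti` matter because the assertion is sent in cleartext form params on every Exchange and refresh: if one is captured, it is only useful against the same token endpoint for a few minutes and the IdP can reject a repeat. Binding `aud` to the token endpoint is what stops an assertion minted for one tenant being replayed against another.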

@Emyrk Emyrk marked this pull request as draft August 11, 2023 18:52
@Emyrk Emyrk marked this pull request as ready for review August 11, 2023 23:08
@Emyrk Emyrk requested a review from kylecarbs August 11, 2023 23:09
@Emyrk Emyrk merged commit 25ce30d into main Aug 14, 2023
@Emyrk Emyrk deleted the stevenmasley/pki_auth_assert branch August 14, 2023 22:33
@github-actions github-actions bot locked and limited conversation to collaborators Aug 14, 2023
Successfully merging this pull request may close these issues.

Feat: Enable OIDC authentication with PKI