Add embedded oidc provider for quick start

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: @SAP mangirdas.judeikis@sap.com

Author: mjudeikis

.gitignore

@@ -20,4 +20,6 @@ apiserviceexport.yaml
 # Frontend dependencies and build
 web/node_modules/
 web/.vite/
-web/*.tsbuildinfo
+web/*.tsbuildinfo
+go.work
+go.work.sum

backend/auth/handler.go

@@ -17,6 +17,7 @@ limitations under the License.
 package auth
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -34,14 +35,23 @@ import (
 	"github.com/kube-bind/kube-bind/backend/session"
 )
 
+type OIDCProvider interface {
+	GetOIDCProvider(ctx context.Context) (*OIDCServiceProvider, error)
+}
+
+type AuthHandlerInterface interface {
+	HandleAuthorize(w http.ResponseWriter, r *http.Request)
+	HandleCallback(w http.ResponseWriter, r *http.Request)
+}
+
 type AuthHandler struct {
-	oidc                *OIDCServiceProvider
+	oidc                OIDCProvider
 	jwtService          *JWTService
 	cookieSigningKey    []byte
 	cookieEncryptionKey []byte
 }
 
-func NewAuthHandler(oidc *OIDCServiceProvider, jwtService *JWTService, cookieSigningKey, cookieEncryptionKey []byte) *AuthHandler {
+func NewAuthHandler(oidc OIDCProvider, jwtService *JWTService, cookieSigningKey, cookieEncryptionKey []byte) *AuthHandler {
 	return &AuthHandler{
 		oidc:                oidc,
 		jwtService:          jwtService,
@@ -85,8 +95,15 @@ func (ah *AuthHandler) HandleAuthorize(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	provider, err := ah.oidc.GetOIDCProvider(r.Context())
+	if err != nil {
+		logger.Info("failed to get OIDC provider", "error", err)
+		ah.respondWithError(w, authReq.ClientType, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
 	encoded := base64.URLEncoding.EncodeToString(dataCode)
-	authURL := ah.oidc.OIDCProviderConfig(scopes).AuthCodeURL(encoded)
+	authURL := provider.OIDCProviderConfig(scopes).AuthCodeURL(encoded)
 
 	http.Redirect(w, r, authURL, http.StatusFound)
 }
@@ -133,7 +150,25 @@ func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := ah.oidc.OIDCProviderConfig(nil).Exchange(r.Context(), code)
+	provider, err := ah.oidc.GetOIDCProvider(r.Context())
+	if err != nil {
+		logger.Info("failed to get OIDC provider", "error", err)
+		ah.respondWithError(w, authCode.ClientType, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Create context with custom HTTP client if TLS config is available
+	ctx := r.Context()
+	if tlsConfig := provider.GetTLSConfig(); tlsConfig != nil {
+		client := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		}
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
+	}
+
+	token, err := provider.OIDCProviderConfig(nil).Exchange(ctx, code)
 	if err != nil {
 		logger.Error(err, "failed to exchange token")
 		http.Error(w, "internal error", http.StatusInternalServerError)

backend/auth/types.go

@@ -18,6 +18,8 @@ package auth
 
 import (
 	"context"
+	"crypto/tls"
+	"net/http"
 	"time"
 
 	oidc "github.com/coreos/go-oidc/v3/oidc"
@@ -67,8 +69,9 @@ type OIDCServiceProvider struct {
 	redirectURI  string
 	issuerURL    string
 
-	verifier *oidc.IDTokenVerifier
-	provider *oidc.Provider
+	verifier  *oidc.IDTokenVerifier
+	provider  *oidc.Provider
+	tlsConfig *tls.Config
 }
 
 func NewOIDCServiceProvider(ctx context.Context, clientID, clientSecret, redirectURI, issuerURL string) (*OIDCServiceProvider, error) {
@@ -84,15 +87,53 @@ func NewOIDCServiceProvider(ctx context.Context, clientID, clientSecret, redirec
 		issuerURL:    issuerURL,
 		provider:     provider,
 		verifier:     provider.Verifier(&oidc.Config{ClientID: clientID}),
+		tlsConfig:    nil,
+	}, nil
+}
+
+func NewOIDCServiceProviderWithTLS(
+	ctx context.Context,
+	clientID, clientSecret, redirectURI, issuerURL string,
+	tlsConfig *tls.Config,
+) (*OIDCServiceProvider, error) {
+	// Create a custom HTTP client that trusts the TLS config
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+	}
+
+	// Create context with the custom client
+	ctxWithClient := oidc.ClientContext(ctx, client)
+
+	provider, err := oidc.NewProvider(ctxWithClient, issuerURL)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OIDCServiceProvider{
+		clientID:     clientID,
+		clientSecret: clientSecret,
+		redirectURI:  redirectURI,
+		issuerURL:    issuerURL,
+		provider:     provider,
+		verifier:     provider.Verifier(&oidc.Config{ClientID: clientID}),
+		tlsConfig:    tlsConfig,
 	}, nil
 }
 
 func (o *OIDCServiceProvider) OIDCProviderConfig(scopes []string) *oauth2.Config {
-	return &oauth2.Config{
+	config := &oauth2.Config{
 		ClientID:     o.clientID,
 		ClientSecret: o.clientSecret,
 		Endpoint:     o.provider.Endpoint(),
 		RedirectURL:  o.redirectURI,
 		Scopes:       scopes,
 	}
+
+	return config
+}
+
+func (o *OIDCServiceProvider) GetTLSConfig() *tls.Config {
+	return o.tlsConfig
 }

backend/http/handler.go

@@ -34,6 +34,7 @@ import (
 	"github.com/kube-bind/kube-bind/backend/auth"
 	"github.com/kube-bind/kube-bind/backend/client"
 	"github.com/kube-bind/kube-bind/backend/kubernetes"
+	"github.com/kube-bind/kube-bind/backend/oidc"
 	"github.com/kube-bind/kube-bind/backend/spaserver"
 	bindversion "github.com/kube-bind/kube-bind/pkg/version"
 	kubebindv1alpha2 "github.com/kube-bind/kube-bind/sdk/apis/kubebind/v1alpha2"
@@ -48,8 +49,8 @@ var noCacheHeaders = map[string]string{
 }
 
 type handler struct {
-	oidc           *auth.OIDCServiceProvider
-	authHandler    *auth.AuthHandler
+	oidcProvider   auth.OIDCProvider
+	authHandler    auth.AuthHandlerInterface
 	authMiddleware *auth.AuthMiddleware
 
 	scope              kubebindv1alpha2.InformerScope
@@ -64,12 +65,14 @@ type handler struct {
 
 	client      *http.Client
 	kubeManager *kubernetes.Manager
+	oidcServer  *oidc.Server
 
 	frontend string
 }
 
 func NewHandler(
-	provider *auth.OIDCServiceProvider,
+	oidcProvider auth.OIDCProvider,
+	oidcServer *oidc.Server,
 	oidcAuthorizeURL, backendCallbackURL, providerPrettyName, testingAutoSelect string,
 	cookieSigningKey, cookieEncryptionKey []byte,
 	schemaSource string,
@@ -83,14 +86,14 @@ func NewHandler(
 		return nil, fmt.Errorf("failed to create JWT service: %w", err)
 	}
 
-	// Create auth handler for generic authentication flows
-	authHandler := auth.NewAuthHandler(provider, jwtService, cookieSigningKey, cookieEncryptionKey)
+	// Create auth handler with OIDC provider
+	authHandler := auth.NewAuthHandler(oidcProvider, jwtService, cookieSigningKey, cookieEncryptionKey)
 
 	// Create auth middleware for request authentication
 	authMiddleware := auth.NewAuthMiddleware(jwtService, cookieSigningKey, cookieEncryptionKey)
 
 	return &handler{
-		oidc:                provider,
+		oidcProvider:        oidcProvider,
 		authHandler:         authHandler,
 		authMiddleware:      authMiddleware,
 		oidcAuthorizeURL:    oidcAuthorizeURL,
@@ -104,6 +107,7 @@ func NewHandler(
 		kubeManager:         mgr,
 		cookieSigningKey:    cookieSigningKey,
 		cookieEncryptionKey: cookieEncryptionKey,
+		oidcServer:          oidcServer,
 	}, nil
 }
 
@@ -129,6 +133,10 @@ func (h *handler) AddRoutes(mux *mux.Router) error {
 	apiRouter.Handle("/bind", auth.RequireAuth(http.HandlerFunc(h.handleBind))).Methods(http.MethodPost)
 	apiRouter.Handle("/ping", auth.RequireAuth(http.HandlerFunc(h.handlePing))).Methods(http.MethodGet)
 
+	if h.oidcServer != nil {
+		h.oidcServer.AddRoutes(mux)
+	}
+
 	switch {
 	// Development mode: proxy to frontend dev server
 	case strings.HasPrefix(h.frontend, "http://"):

backend/http/server.go

@@ -21,7 +21,6 @@ import (
 	"log"
 	"net"
 	"net/http"
-	"strconv"
 	"time"
 
 	"github.com/gorilla/mux"
@@ -37,22 +36,9 @@ type Server struct {
 
 func NewServer(options *options.Serve) (*Server, error) {
 	server := &Server{
-		options: options,
-		Router:  mux.NewRouter(),
-	}
-
-	if options.Listener == nil {
-		var err error
-		addr := options.ListenAddress
-		if options.ListenIP != "" {
-			addr = net.JoinHostPort(options.ListenIP, strconv.Itoa(options.ListenPort))
-		}
-		server.listener, err = net.Listen("tcp", addr)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		server.listener = options.Listener
+		options:  options,
+		Router:   mux.NewRouter(),
+		listener: options.Listener,
 	}
 
 	return server, nil

backend/oidc/oidc.go

@@ -0,0 +1,129 @@
+/*
+Copyright 2025 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oidc
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net"
+	"os"
+	"path"
+	"time"
+
+	"github.com/gorilla/mux"
+	"github.com/xrstf/mockoidc"
+)
+
+type Server struct {
+	server    *mockoidc.MockOIDC
+	tlsConfig *tls.Config
+}
+
+func New(caBundleFile string, listener net.Listener) (*Server, error) {
+	// Add offline_access to supported scopes for refresh token support
+	ensureOfflineAccessScope()
+	var tlsConfig *tls.Config
+	s := &Server{}
+	if caBundleFile != "" {
+		var err error
+		tlsConfig, err = LoadTLSConfig(caBundleFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load CA bundle file: %w", err)
+		}
+		s.tlsConfig = tlsConfig
+	}
+
+	server, err := mockoidc.NewServer(&mockoidc.ServerConfig{
+		TLSConfig: tlsConfig,
+		Listener:  listener,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create mock OIDC server: %w", err)
+	}
+	s.server = server
+	return s, nil
+}
+
+// Config gives the configuration for clients to connect to the embedded OIDC server.
+type Config struct {
+	ClientID     string
+	ClientSecret string
+	Issuer       string
+
+	AccessTTL  time.Duration
+	RefreshTTL time.Duration
+
+	CodeChallengeMethodsSupported []string
+
+	// CallbackURL is kube-bind specific and must match API server endpoints.
+	CallbackURL string
+}
+
+var ErrServerNotRunning = fmt.Errorf("embedded OIDC server is not running")
+
+func (s *Server) TLSConfig() *tls.Config {
+	return s.tlsConfig
+}
+
+func (s *Server) AddRoutes(mux *mux.Router) {
+	s.server.AddRoutes(mux)
+}
+
+// URL returns the base URL of the embedded OIDC server.
+func (s *Server) Config() (*Config, error) {
+	return &Config{
+		ClientID:     s.server.Config().ClientID,
+		ClientSecret: s.server.Config().ClientSecret,
+		Issuer:       s.server.Config().Issuer,
+
+		AccessTTL:  s.server.Config().AccessTTL,
+		RefreshTTL: s.server.Config().RefreshTTL,
+
+		CodeChallengeMethodsSupported: s.server.Config().CodeChallengeMethodsSupported,
+		CallbackURL:                   path.Join(s.server.Addr(), "api/callback"),
+	}, nil
+}
+
+func LoadTLSConfig(caFile string) (*tls.Config, error) {
+	caCertPool := x509.NewCertPool()
+	caCert, err := os.ReadFile(caFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read CA file: %w", err)
+	}
+	if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+		return nil, fmt.Errorf("failed to append CA certs from PEM")
+	}
+	return &tls.Config{
+		RootCAs: caCertPool,
+	}, nil
+}
+
+// ensureOfflineAccessScope adds "offline_access" to mockoidc's supported scopes if not already present
+func ensureOfflineAccessScope() {
+	offlineAccess := "offline_access"
+
+	// Check if offline_access is already in the supported scopes
+	for _, scope := range mockoidc.ScopesSupported {
+		if scope == offlineAccess {
+			return // Already present
+		}
+	}
+
+	// Add offline_access to the supported scopes
+	mockoidc.ScopesSupported = append(mockoidc.ScopesSupported, offlineAccess)
+}