SQL-64: Create OIDC authenticator

[SangJunBak]

See commit messages for details.

Decided against using a system parameter for now to gate this feature, mainly because:

• Feature's already gated by the user having to set their authenticatorkind as Oidc
• The rigging of system parameters to authentication code is a bit unclear still
• We're going to rig up OIDC config to system parameters eventually as part of a later phase

Motivation

For an overview of what still needs to be implemented, a summary can be found on Linear (link)

To try:

1. Follow the quickstart guide to get an authentication server (Ory) running in Docker https://www.ory.com/docs/hydra/self-hosted/quickstart
2. Once running in docker, run:

bin/environmentd \
-- --oidc-issuer="http://127.0.0.1:4444" \
--listeners-config-path='src/materialized/ci/listener_configs/oidc.json'

3. In the cloned repo, run the following commands to create a client and get the access token by following the authorization code flow

code_client=$(docker compose -f quickstart.yml exec hydra \
    hydra create client \
    --endpoint http://127.0.0.1:4445 \
    --grant-type authorization_code,refresh_token \
    --response-type code,id_token \
    --format json \
    --scope openid --scope offline --scope profile --scope email\
    --access-token-strategy jwt \
    --redirect-uri http://127.0.0.1:5555/callback)

code_client_id=$(echo $code_client | jq -r '.client_id')
code_client_secret=$(echo $code_client | jq -r '.client_secret')

docker compose -f quickstart.yml exec hydra \
    hydra perform authorization-code \
    --client-id $code_client_id \
    --client-secret $code_client_secret \
    --endpoint http://127.0.0.1:4444/ \
    --port 5555 \
    --scope openid --scope offline --scope profile --scope email

4. Run `PGPASSWORD="eyJ..." psql -h localhost -p 6875 -U [email protected] materialize

demo.mov

Tips for reviewer

Some open questions I had regarding my implementation:

• Not sure if GenericOidcAuthenticator is the right word for the authenticator. Open to feedback!
• For the internal_user_metadata change, it felt cleaner to combine it with role_metadata in session.rs. However, I decided against it since it would move the source of truth of the superuser status from the Session > SessionVars > User to Session, something adapter: move user field from Session to SessionVars #17961 was trying to avoid. Furthermore, role_metadata holds information regarding not only its role, but other roles too.

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[alex-hunt-materialize]

We need expiration support, right?

[SangJunBak]

Yes! Same motivation for this TODO here #34690 (comment). I figured I'd batch it with the refresh token work

[alex-hunt-materialize]

Do we have tickets for the follow up work? I just don't want us to forget this stuff.

[SangJunBak]

Not github issues but I have them recorded in Linear as tasks/subtasks https://linear.app/materializeinc/project/oidc-for-self-managed-3f1f7c14cfb5/issues

[alex-hunt-materialize]

This path, while commonly used, is not part of the OIDC specification. However, .well-known/openid-configuration IS actually part of the specification, and contains a required jwks_uri field. We should use the URI from that field instead.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

[alex-hunt-materialize]

If it isn't configurable, we should default to validating the audience.

[SangJunBak]

Added audience as an input here b59f394!

[alex-hunt-materialize]

Please always set default-features = false for all mz crates. This is needed to avoid pulling in workspace-hack into cloud.

[alex-hunt-materialize]

I'm not sure how much it matters, but there was some safety in us using the response from the authenticate call. Now that it isn't being used, there isn't anything preventing us from accidentally not calling it.

[SangJunBak]

Ah do you have more context on this? i.e. who was involved.

there isn't anything preventing us from accidentally not calling it.

What is the "it" you're referring to?

[alex-hunt-materialize]

adapter_client.authenticate

[DAlperin]

Ah yeah, there is a risk there. @SangJunBak I think alexs point is well taken, though not urgently something you need to change. His point is that before when we had to return data from the auth response, it meant we couldn't forget to call adapter_client.authenticate. You could have authenticate return some sentinel type that we need to return or we could just be very careful.

[alex-hunt-materialize]

I'd really like a sentinel type added, so we can't forget to call it. It's way to easy to get this wrong.

[SangJunBak]

sgtm!

[SangJunBak]

Should be addressed!

[DAlperin]

Yeah this is great, thank you.

[alex-hunt-materialize]

Is this just a placeholder for later? Changing this behavior later is a breaking change.

[SangJunBak]

It's a placeholder for later! More specifically, I don't plan on releasing this to customers in its current state. I wanted to get eyes on it sooner than later and I figured we're effectively gating this feature until the orchestratord changes.

[SangJunBak]

@alex-hunt-materialize Feedback should all be addressed!

[teskje]

Not through yet, releasing a first batch of comments.

[teskje]

This is for validating ID tokens, not access tokens, right?

[SangJunBak]

Ah it technically can be both, but ideally ID tokens!

[teskje]

Ah, I didn't realize access tokens are JWTs as well. They wouldn't contain OidcClaims though, right?

[SangJunBak]

Ah according to the spec, they don't need to be a JWT. And the answer is they shouldn't, but they could. i.e. there's no reason why they couldn't create a custom claim like "materialize_username", then use that claim to identify them instead of email or sub (this will be implemented in a future PR). This is similar to how we treat access tokens as ID tokens in Frontegg.

But I think spiritually, this would be equivalent to an ID token. Maybe we should just rename this to validate_token?

[teskje]

validate_token sgtm!

[teskje]

Reviewed everything!

Got a bunch of comments. My main concern is about making the audience validation optional. That seems like a potential security vulnerability and if it is we should disallow it.

Otherwise I've been thinking that calling this authentication method "OIDC" is a bit misleading, since we are not doing the full OIDC authorization flow. We only do the OIDC ID token validation part. But naming things is hard, and I can't come up with a better name either.

[teskje]

LGTM!