OpenUnison 1.0.33

March 28, 2023

by

Marc Boorshtein

This post is a bit overdue, but in the last few weeks we released OpenUnison 1.0.33. For most, the new update was pretty transparent. In addition to updating our libraries and making sure everything still worked as expected we added a few interesting features.

Easier Kubernetes Session Management

In previous releases of OpenUnison your kubectl session was tied to your web session. This made it very easy to terminate your sessions, but could hamper usability. There's a well-known issue with the Kubernetes client-go SDK: if multiple processes work off the same kubectl configuration file, they can all attempt a refresh of the same token at once, and the session fails to refresh. With OpenUnison, you could reproduce this by using kubectl while also using a local dashboard like Lens or Octant. To make this easier to manage, we built in new session management capabilities:

  1. Running the oulogin plugin or using the tokens screen in OpenUnison generates a new id_token and refresh_token on each display, making it easier to maintain a different file for each tool
  2. OpenUnison introduced a "grace period" for refresh_tokens so that if there is an overlapped client refresh in a short amount of time the session won't be lost

It's still pretty easy to kill all of a user's sessions at once. First, identify the user whose sessions you wish to delete and get their user_dn attribute. For instance, from an OidcSession object:

apiVersion: openunison.tremolo.io/v1
kind: OidcSession
metadata:
  creationTimestamp: "2023-03-28T12:24:20Z"
  generation: 1
  labels:
    tremolo.io/user-dn: 73f11ca4dbea22b1c5a7e5497e62250cb8ae6fa6
  name: x1eaa35ca-8b9b-433a-8af2-9d4a3f4e6397x
  namespace: openunison
  resourceVersion: "94965035"
  uid: c1a59bf6-1a6a-4baf-8ff2-9da1b6d6da24
spec:
  client_id: kubernetes
  encrypted_access_token: ...
  encrypted_id_token: ...
  expires: "2023-03-28T12:39:20.332Z"
  refresh_token: ...
  session_id: 1eaa35ca-8b9b-433a-8af2-9d4a3f4e6397
  user_dn: uid=mboorshtein,ou=shadow,o=Tremolo

My user_dn is uid=mboorshtein,ou=shadow,o=Tremolo. Now I just need a SHA-1 hash:

$ echo -n 'uid=mboorshtein,ou=shadow,o=Tremolo' | sha1sum
73f11ca4dbea22b1c5a7e5497e62250cb8ae6fa6  -

Finally, delete all the sessions:

$ k delete oidc-sessions -l tremolo.io/user-dn=73f11ca4dbea22b1c5a7e5497e62250cb8ae6fa6 -n openunison
oidcsession.openunison.tremolo.io "x1eaa35ca-8b9b-433a-8af2-9d4a3f4e6397x" deleted
oidcsession.openunison.tremolo.io "x67f9cbe2-6c4a-4d06-bc57-c93ad7023430x" deleted
oidcsession.openunison.tremolo.io "x95f03785-8a8f-4f9d-8272-6d8578b569f3x" deleted
oidcsession.openunison.tremolo.io "xcbc17771-2d60-45e7-bd9f-8587b24fb111x" deleted

Now, in a minute, my session will fail to refresh and I'll need to log back in!
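The steps above can be wrapped into a small script. The following is an added example, not part of OpenUnison or this post: it derives the tremolo.io/user-dn label value from a DN and builds (or, when given arguments, runs) the matching kubectl delete. The one detail that matters is that the DN is hashed with no trailing newline (the post's echo -n), so the script uses printf '%s'; a plain echo would produce a different hash and the label selector would silently match nothing. The namespace default of openunison and the kubectl command name are taken from the post; the function names and the shasum fallback are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not OpenUnison project code): revoke every OidcSession for one user.
set -eu

# SHA-1 hex digest of its argument with NO trailing newline, matching `echo -n ... | sha1sum`.
# Falls back to shasum (macOS) when GNU sha1sum is absent.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
  fi
}

# The value OpenUnison stores in the tremolo.io/user-dn label is the SHA-1 of the user_dn.
user_dn_label() {
  sha1_hex "$1"
}

# Build the kubectl command for a DN; second argument overrides the namespace (default: openunison).
session_delete_cmd() {
  dn="$1"
  ns="${2:-openunison}"
  printf 'kubectl delete oidc-sessions -n %s -l tremolo.io/user-dn=%s\n' "$ns" "$(user_dn_label "$dn")"
}

# Show what will be removed, then remove it. Needs kubectl and cluster access; not run by default.
revoke_user_sessions() {
  dn="$1"
  ns="${2:-openunison}"
  label="$(user_dn_label "$dn")"
  echo "OidcSessions for $dn (label $label) in namespace $ns:"
  kubectl get oidc-sessions -n "$ns" -l "tremolo.io/user-dn=$label"
  kubectl delete oidc-sessions -n "$ns" -l "tremolo.io/user-dn=$label"
}

# Usage: ./revoke-sessions.sh 'uid=mboorshtein,ou=shadow,o=Tremolo' [namespace]
if [ "$#" -ge 1 ]; then
  revoke_user_sessions "$@"
fi
```

Because the label is a hash of the DN, a typo in the DN produces a valid-looking selector that matches no objects, so the get before the delete is the check that you are about to remove the right user's sessions.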

In addition to these features, we added a doc to OpenUnison's website for details.

OpenID Connect PKCE Support

Proof Key for Code Exchange (PKCE) was an addition to OpenID Connect created to secure the login process for single-page applications that couldn't use a client secret. It has since been recommended even when a client secret is available, because it adds entropy to the OpenID Connect exchange and makes replay attacks harder. OpenUnison added support both for relying parties that integrate with OpenUnison as their identity provider and for the case where OpenUnison is itself a relying party. For instance, if you're using OpenUnison with Okta and OpenID Connect you'll be able to use this feature without making any changes. For some reason, AzureAD doesn't advertise PKCE support in its OIDC discovery document. We'll be adding an option to force PKCE use in those cases. Otherwise, if your identity provider or your applications already support PKCE then there's nothing you need to do to enable this new feature!
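To make concrete what PKCE adds to the exchange, here is an added example (not OpenUnison code) of the S256 method from RFC 7636: the client generates a random code_verifier, sends its SHA-256 hash as code_challenge with the authorization request, and later presents the verifier at the token endpoint, where the server recomputes the hash and compares. A stolen authorization code is useless without the verifier, which never travels through the browser redirect. The example assumes openssl and base64 are installed; the function names are its own, and the test vector is the one published in RFC 7636 Appendix B.

```shell
#!/usr/bin/env sh
# Added example (not OpenUnison code): PKCE S256 code_verifier / code_challenge per RFC 7636.
set -eu

# base64url without padding, as RFC 7636 requires (reads stdin).
b64url() {
  base64 | tr -d '=\n' | tr '+/' '-_'
}

# Client side: a fresh high-entropy code_verifier. 32 random bytes -> 43 base64url chars,
# the minimum length the RFC allows (43..128).
new_code_verifier() {
  head -c 32 /dev/urandom | b64url
}

# code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
code_challenge_s256() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Server side, at the token endpoint: recompute the challenge from the verifier the client
# now presents and compare it with the challenge stored when the authorization code was issued.
# Returns 0 when they match, 1 otherwise.
verify_pkce() {
  stored_challenge="$1"
  presented_verifier="$2"
  [ "$(code_challenge_s256 "$presented_verifier")" = "$stored_challenge" ]
}

# Known-answer values from RFC 7636 Appendix B (published constants, not constructed here).
RFC_VERIFIER='dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
RFC_CHALLENGE='E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'

# Walk-through of one exchange with a fresh verifier.
demo_pkce_exchange() {
  verifier="$(new_code_verifier)"
  challenge="$(code_challenge_s256 "$verifier")"
  echo "authorize request carries: code_challenge=$challenge&code_challenge_method=S256"
  echo "token request carries:     code_verifier=$verifier"
  if verify_pkce "$challenge" "$verifier"; then
    echo "server: verifier matches stored challenge, code exchanged"
  else
    echo "server: mismatch, token request rejected"
  fi
}
```

Note that the comparison is on the server's own recomputation, never on anything the client claims about the challenge; an identity provider that omits PKCE from its discovery document, as the post describes for AzureAD, simply does not tell clients this check is available, which is why a force-PKCE option is useful.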

More GitLab Support

OpenUnison has had GitLab integration for Namespace as a Service since Kubernetes: An Enterprise Guide was published to show how you can automate a GitOps platform (exciting things to come on the book front, so stay tuned!). After co-presenting a lab with my friends from ChainGuard on supply chain security that used OpenUnison to automate the buildout of a secure build environment in GitHub, I was asked if the lab could also work with GitLab. We needed to add a few features to bring it to parity and those are now available. Stay tuned for more details here.

What's Next?

If you're already an OpenUnison user, running upgrades will get you the latest version.

The next couple of releases will focus on paying off some technical debt we've accrued. There are some major library upgrades that are required that won't impact users but that need to happen (we're not on any end-of-life libraries, and we want to keep it that way!). We're also going to be working on our publishing process to get to better container versioning and signed builds. It might not be terribly sexy, but we understand the importance of supply chain security!

You can get started with OpenUnison by going to OpenUnison's doc site or you can reach out to talk about a paid support contract!