Announcements

OpenUnison 1.0.33

March 28, 2023

by

Marc Boorshtein

This post is a bit overdue, but in the last few weeks we released OpenUnison 1.0.33. For most, the new update was pretty transparent. In addition to updating our libraries and making sure everything still worked as expected we added a few interesting features.

Easier Kubernetes Session Management

In previous releases of OpenUnison your kubectl session was tied to your web session. This made it very easy to terminate your sessions, but could hamper usability. First, there's a well known issue with the Kubernetes client-go SDK where if multiple processes are working off the same kubectl configuration file then a refresh can be attempted by multiple processes and generate a failure to be able to keep your session refreshed. With OpenUnison, you could reproduce this by using kubectl while also using a local dashboard like Lens or Octant. To make this easier to manage, we built in new session management capabilities:

  1. Running the oulogin plugin or using the tokens screen in OpenUnison generates a new id_token and refresh_token on each display, making it easier to maintain a different file for each tool
  2. OpenUnison introduced a "grace period" for refresh_tokens so that if there is an overlapped client refresh in a short amount of time the session won't be lost

It's still pretty easy to kill all of a user's sessions at once. First, identity the user you wish to delete and get their user_dn attribute. For instance from :

apiVersion: openunison.tremolo.io/v1
kind: OidcSession
metadata:
  creationTimestamp: "2023-03-28T12:24:20Z"
  generation: 1
  labels:
    tremolo.io/user-dn: 73f11ca4dbea22b1c5a7e5497e62250cb8ae6fa6
  name: x1eaa35ca-8b9b-433a-8af2-9d4a3f4e6397x
  namespace: openunison
  resourceVersion: "94965035"
  uid: c1a59bf6-1a6a-4baf-8ff2-9da1b6d6da24
spec:
  client_id: kubernetes
  encrypted_access_token: ...
  encrypted_id_token: ...
  expires: "2023-03-28T12:39:20.332Z"
  refresh_token: ...
  session_id: 1eaa35ca-8b9b-433a-8af2-9d4a3f4e6397
  user_dn: uid=mboorshtein,ou=shadow,o=Tremolo

My user_dn is uid=mboorshtein,ou=shadow,o=Tremolo.  Now I just need a sha1 hash:

$ echo -n 'uid=mboorshtein,ou=shadow,o=Tremolo' | sha1sum
73f11ca4dbea22b1c5a7e5497e62250cb8ae6fa6  -

Finally, delete all the sessions:

$ k delete oidc-sessions -l tremolo.io/user-dn=73f11ca4dbea22b1c5a7e5497e62250cb8ae6fa6 -n openunison
oidcsession.openunison.tremolo.io "x1eaa35ca-8b9b-433a-8af2-9d4a3f4e6397x" deleted
oidcsession.openunison.tremolo.io "x67f9cbe2-6c4a-4d06-bc57-c93ad7023430x" deleted
oidcsession.openunison.tremolo.io "x95f03785-8a8f-4f9d-8272-6d8578b569f3x" deleted
oidcsession.openunison.tremolo.io "xcbc17771-2d60-45e7-bd9f-8587b24fb111x" deleted

Now, in a minute, my session will fail to refresh and I'll need to log back in!

In addition to these features, we added a doc to OpenUnison's website for details.

OpenID Connect PKCE Support

The Proof Key for Code Exchange (PKCE) was an addition to OpenID Connect that was created to add security for single-page-applications that couldn't use a client secret to protect the login process. It has since been recommended to use this standard even with a client secret, as it adds some additional entropy into the openid connect protocol and makes it harder to use replay attacks. OpenUnison added support for both relying parties that integrate with OpenUnison and when OpenUnison is a relying party. For instance, if you're using OpenUnison with Okta and OpenID Connect you'll be able to use this feature without making any changes. For some reason, AzureAD doesn't include PKCE support in their OIDC discover document. We'll be adding an option to force PKCE use in those cases. Otherwise, if your identity provider or your applications already support PKCE then there's nothing you need to do to enable this new feature!

More GitLab Support

OpenUnison has had GitLab integration for Namespace as a Service since Kubernetes: An Enterprise Guide was published to show how you can automate a GitOps platform (exciting things to come on the book front, so stay tuned!). After co-presenting a lab with my friends from ChainGuard on supply chain security that used OpenUnison to automate the buildout of a secure build environment in GitHub, I was asked if the lab could also work with GitLab. We needed to add a few features to bring it to parity and those are now available. Stay tuned for more details here.

What's Next?

If you're already an OpenUnison user, running upgrades will get you the latest version.

The next couple of releases will focus on paying off some technical debt we've accrued. There are some major library upgrades that are required that won't impact users but that need to happen (we're not on any EOLd libraries, and we want to keep it that way!). We're also going to be working on our publishing process to get to better container versioning and signed builds. It might not be terribly sexy, but we understand the importance of supply chain security!

You can get started with OpenUnison by going to OpenUnison's doc site or you can reach out to talk about a paid support contract!