THREESCALE-10678 - OIDC in OpenAPI CR ignores gatewayResponse and Sec… #916
@valerymo please add verification steps and I can review then.
a86a34a to b242796
@MStokluska Thank you for the reply. The test steps are defined in the Validation preparation and Validation sections of this PR. But the test is very, very similar to the one in 10523 that you verified/merged. Just use the OpenApiCR as provided here in the Validation section (just one test). Thank you!
I completed the verification steps and confirmed that the Gateway Response and Security fields were correctly populated in the generated Product CR. CC: @MStokluska @valerymo
7c7c175 to 495bf42
doc/openapi-user-guide.md
Outdated
|
||
- **One of IssuerEndpointRef or IssuerEndpoint must be defined in OIDC Spec** (both fields can be defined, see next note). | ||
- **If issuerEndpoint plain value is defined in CR - it will be used as precedence over issuerEndpointRef secret**. | ||
- The format of issuerEndpoint is determined on your OpenID Provider setup; | ||
see in 3scale portal - `Product/Integration/Settings/AUTHENTICATION SETTINGS/OpenID Connect Issuer`. | ||
- **There is no need to define the OIDC Security parameter in OpenApi CR; it will be populated in the product CR from the OpenApi CR if one or both of the PrivateAPISecretToken and PrivateAPIHostHeader parameters are defined in the OpenAPI CR**. See OpenAPISpec in [openapi reference](openapi-reference.md), OODC specification in [product-reference.md](product-reference.md). |
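Review bot: in the last bullet, "OODC specification" should read "OIDC specification", and the bullet should name the level of the OpenAPI CR at which PrivateAPISecretToken and PrivateAPIHostHeader have to be set, since "defined in the OpenAPI CR" does not tell the reader where they go. In the second bullet, "will be used as precedence over" reads better as "takes precedence over"; because the first bullet allows both fields to be defined, it would help to say outright that the issuerEndpointRef secret is not used in that case. In the third bullet, "determined on" should be "determined by".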
@valerymo if for now we want to make this a documentation update only (IMO it requires code changes as well) I would try making it clear that the hostHeader and secretToken should only be set at openAPI cr .spec level instead of at the openapi.spec.OIDC level since the OIDC value is ignored.
Updated. Thank you for the comments @MStokluska
…urity(?) attributes
495bf42 to 7af3314
Code Climate has analyzed commit 7af3314 and detected 0 issues on this pull request. View more on Code Climate.
Thanks
WHAT
Jira: https://issues.redhat.com/browse/THREESCALE-10678
PR provides the fix and documentation additions for issue: GatewayResponse and Security are not populated from OpenApi CR (OIDC) to Product CR. See "parent" task for details: https://issues.redhat.com/browse/THREESCALE-10523
Validation - Preparation
Prepare cluster (could be OSD)
Install RHSSO
Create project rhsso-test
In RH User SSO web console:
petstore
In RH User SSO web console:
Client ID: 3scale-zync
Client Settings:
3scale-zync Client setting will be as in the table below
Service Account Roles tab -> Client Roles realm-management -> manage-clients
Install 3scale
please place your wildcardDomain
This is the secret that contains URL for issuerEndpoint.
The secret is referenced in OpenApi CR - field issuerEndpointRef.
Validation
Test
gatewayResponse and security definitions
gatewayResponse and security will be populated in Product CR
These are files below.
New Product will be created Swagger Petstore 2, that has OIDC Authentication flows as defined in CR.
OpenApi CR
Openapi Secret
Secret contains swagger for product Swagger Petstore 2.
SecuritySchemes is openIdConnect (OIDC)
NOTES. There is no need to define the OIDC Security parameter in OpenApi CR; it will be populated in the product CR from the OpenApi CR if one or both of the PrivateAPISecretToken and PrivateAPIHostHeader parameters are defined in the OpenAPI CR.