-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth examples #153
OAuth examples #153
Conversation
3scale setup | ||
------------ | ||
|
||
To get this working with a 3scale instance |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the end of the phrase is missing...
Also, it would be good to mention here that:
- Self-managed deployment type and OAuth authentication method should be selected
- Login URL on the Integration page need to be configured, for the current example I guess it would be http://localhost:3000/auth/login
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, please complete the sentence Pili
Tested and it works 👍 One other point to include to the documentation is that "Request access token locally" should be set in Postman in order to make a successful /oauth/token call. |
0d85fdb
to
732b581
Compare
@@ -86,6 +86,7 @@ location = /_threescale/oauth_store_token { | |||
internal; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header Host "$backend_host"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pili, can you tell us what the purpose of adding the header is please?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't tried without, but I think it wasn't working.
All other calls to the backend do already have this header.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Authorization against backend fails when this header is missing
3scale setup | ||
------------ | ||
|
||
To get this working with a 3scale instance |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, please complete the sentence Pili
@@ -0,0 +1,20 @@ | |||
# URI to fetch gateway configuration from. Expected format is: https?://[password@]hostname |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is .env-sample the best name or being inside an example .env is fine?
Where is the code that loads this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't want to commit my .env since it would be specific to my environment, so I added a sample of what a .env file could look like. Could also be removed since this is documented in the README
@@ -0,0 +1,3 @@ | |||
.git | |||
.dockerignore | |||
Gemfile.lock |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure you don't want this to lock the versions of the gems that your bundle install installs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can remove
|
||
# Set an environment variable to store where the app is installed to inside | ||
# of the Docker image. | ||
ENV INSTALL_PATH /auth-server |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we follow the (emerging) convention of ours to install in /opt/app?
|
||
# Copy in the application code from your work station at the current directory | ||
# over to the working directory. | ||
COPY . . |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will copy Gemfile, which is already copied above. Remove above copy?
@@ -0,0 +1,126 @@ | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't this be a better example if it used the config.json downloaded from the config API, for the user account doing the example. That would make it flexible to whatever the user has configured in 3scale Admin Portal, would avoid having to redact secrets (making sample non-functional), and supply service IDs, shared secrets etc.
The only data data needed would the service_id and token that is already needed by apicast, to get the config from the config API.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is here as an example config to show the data that is necessary, the example would work with any config.json downloaded from the admin portal as long as they are using oauth authentication mode AND they have filled in the login url/Authorization endpoint in the Integration screen.
"services": [ | ||
{ | ||
"id": 2555417736402, | ||
"account_id": 2445581608319, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lots of data here, tied to your test account
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is just as an example, I could also remove this config from the example
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd suggest we try and create an example that isn't tied to your single test account, so that user can modify their API config and we avoid exposing ids, secrets etc.
Further comment: Can we please separate out the fixes for OAuth into one PR....for including in RC1.... and continue the discussion and polishing of the examples, via a separate PR... The ".... and ....." in the commit title is a givaway, it's adding two things in one commit/PR. thanks. |
@@ -10,7 +12,7 @@ local function extract_params() | |||
params.authorization = {} | |||
|
|||
if header_params['Authorization'] then | |||
params.authorization = ngx.decode_base64(header_params['Authorization']:split(" ")[2]):split(":") | |||
params.authorization = split(ngx.decode_base64(split(header_params['Authorization']," ")[2]),":") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a functional change, or just syntax?
We're trying to understand the changes that fix the broken OAuth....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a functional change which fixes the bug.
There used to be a global function function string:split
, which didn't make it to APIcast, so strvariable:split
is not a valid syntax.
@mpguerra Now that you submitted the fixes in a separate PR, you should modify this one to remove them and only add the examples. You should rebase on v2 branch first to get latest changes to readme etc.... |
b54799b
to
27332b9
Compare
Rebased on top of |
27332b9
to
b21f87b
Compare
version: '2' | ||
services: | ||
gateway: | ||
image: apicast-test:latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't this point to quay.io/3scale/apicast:v2
? people will not have apicst-test
unless they built it locally
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, makes sense. I guess it was like that before because there were some fixes for the apicast needed for this to work properly. Not relevant now, as the fixes are already in master.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
think about whether you want to point to a (potentially, constantly changing) "latest", or a known numbered version that you know worked when you wrote the example...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As this example is using a default APIcast functionality, it should work for the later versions, unless some breaking changes are introduced.
In case of breaking changes I think we need to go through the examples to verify they still work.so, I guess quay.io/3scale/apicast:v2
should work...
require 'sinatra' | ||
|
||
set :bind, '0.0.0.0' | ||
nginx_redirect_uri = "http://localhost:8080/callback?" #nginx callback |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this example will only work when the Public Base URL is "localhost". Or it should be probably mentioned somewhere in README that this url needs to be adjusted to coincide with the API public base URL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably just add this to the README for now.
I'm going to add some of these comments to my list of things to improve for a second iteration of this example, e.g for the nginx callback, this would ideally be a parameter that is provided to the auth server on startup. However, I'm getting concerned that the comments on this PR are deviating from what was the intended purpose of this example which was something that "just works" for anyone that wants to try it out to see how to set up an example, run it, go through the token request process and see how it would work, the PR as it is does the trick when using docker-compose. Otherwise it becomes an example that doesn't really run unless you have the correct variables plugged in which in a way defeats the purpose of having something anyone can run :) |
@mpguerra if this is supposed to "just work"™️ it has to change the image in docker compose file to released apicast. Otherwise you'd have to build it locally first. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have to replace apicast-test:latest
in the docker compose with the normal release image. Otherwise people would have to build it locally for the example to work.
@@ -1,27 +0,0 @@ | |||
# URI to fetch gateway configuration from. Expected format is: https?://[password@]hostname | |||
THREESCALE_PORTAL_ENDPOINT=http://127.0.0.1.xip.io:8090/config/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this was not intentional?
… Authorization server for testing remove sample env as it's already documented in README Update README Keep Gemfile.lock to lock gem versions Remove example config.json Docker fixes: remove Gemfile.lock from .dockerignore, copy application into /opt/app, remove redundant COPY from Dockerfile and move bundle install after Gemfile is copied
Change image to point to quay.io/3scale/apicast:v2
8379c61
to
2827990
Compare
2827990
to
551fb7f
Compare
Tested with the provided client, and it works. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like there is some dead code in the html layouts.
|
||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements --> | ||
<!--[if lt IE 9]> | ||
<script src="/js/html5shiv.js"></script> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not in the repo so it should not be in the code either.
|
||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements --> | ||
<!--[if lt IE 9]> | ||
<script src="/js/html5shiv.js"></script> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has no value for the example and should not be here.
|
||
get("/") do | ||
if params[:action] == "get_token" | ||
get_token(params[:code]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can't work. This is not defined anywhere.
* cleanup docker-compose * fix ports * fix uuid generation * cleanup dockerignore files * use bundler
I did major cleanup to the docker setup and ruby dependencies. Would be good to get some 👍 and we can merge it. Also if someone feels like providing steps in a form of a bash script we can run it as part of the test suite. |
- "3001:3001" | ||
volumes: | ||
- ./client:/opt/app/client | ||
- "3001:3000" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why? should still be 3001:3001
, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. Both dockers expose port 3000. It just maps 3000 in docker to 3001 on local machine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I see. I was confused by this line I guess it's not needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep. Not needed. Will remove it.
set :bind, '0.0.0.0' | ||
enable :sessions | ||
set :session_secret, '*&(^B234' | ||
set :port, 3001 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be removed. Also the bind is not necessary.
Replaces #145 and closes #150