feat: add support for google oidc authentication (#189)

This change adds support for using Google OIDC authentication.
GoogleContainerTools · Nov 1, 2022 · d16a535 · d16a535
1 parent 3fd56ba
commit d16a535
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/plugins/cad-backend/README.md b/plugins/cad-backend/README.md
@@ -85,7 +85,7 @@ Valid values:
 | Values | Description |
 | ------ | ----------- |
 | current-context | Authenticate to the cluster with the user in the kubeconfig current context |
-| google | Authenticate to the cluster using the user's authentication token from the [Google auth plugin](https://backstage.io/docs/auth/) |
+| google | Authenticate to the cluster using the user's access token token from the [Google auth provider](https://backstage.io/docs/auth/google/provider) |
 | oidc | Authenticate to the cluster using OIDC (OpenID Connect) |
 | service-account | Authenticate to the cluster using a Kubernetes service account token |
 
@@ -95,7 +95,8 @@ use to authenticate to the cluster with. This field is required with the `oidc`
 Valid values:
 | Values | Description |
 | ------ | ----------- |
-| okta | Authenticate to the cluster with the [Okta Backstage auth provider](https://backstage.io/docs/auth/okta/provider) |
+| google | Authenticate to the cluster with the [Google auth provider](https://backstage.io/docs/auth/google/provider) |
+| okta | Authenticate to the cluster with the [Okta auth provider](https://backstage.io/docs/auth/okta/provider) |
 
 `clusterLocatorMethod.serviceAccountToken` defines the service account token to be used with the `service-account` auth provider. You can get the service account token with the following command:
 

diff --git a/plugins/cad-backend/src/service/config.ts b/plugins/cad-backend/src/service/config.ts
@@ -30,6 +30,7 @@ export enum ClusterLocatorAuthProvider {
 
 export enum OIDCTokenProvider {
   NONE = 'none',
+  GOOGLE = 'google',
   OKTA = 'okta',
 }
 

diff --git a/plugins/cad-backend/src/service/router.ts b/plugins/cad-backend/src/service/router.ts
@@ -45,6 +45,9 @@ const getClientAuthentication = (
 
     case ClusterLocatorAuthProvider.OIDC:
       switch (oidcTokenProvider) {
+        case OIDCTokenProvider.GOOGLE:
+          return 'oidc.google';
+
         case OIDCTokenProvider.OKTA:
           return 'oidc.okta';
 

diff --git a/plugins/cad/src/apis/PorchRestApi.ts b/plugins/cad/src/apis/PorchRestApi.ts
@@ -81,7 +81,7 @@ export class PorchRestAPI implements ConfigAsDataApi {
   constructor(
     private discovery: DiscoveryApi,
     private fetchApi: FetchApi,
-    private googleAuthApi: OAuthApi,
+    private googleAuthApi: OAuthApi & OpenIdConnectApi,
     private oktaAuthApi: OpenIdConnectApi,
   ) {}
 
@@ -96,6 +96,12 @@ export class PorchRestAPI implements ConfigAsDataApi {
       return `Bearer ${googleAccessToken}`;
     }
 
+    if (authProvider === 'oidc.google') {
+      const googleIdToken = await this.googleAuthApi.getIdToken();
+
+      return `Bearer ${googleIdToken}`;
+    }
+
     if (authProvider === 'oidc.okta') {
       const oktaIdToken = await this.oktaAuthApi.getIdToken();