Move API OpenID-Connect support to Apache configuration #20131

Merged
merged 1 commit into from
May 8, 2020

Conversation

jvlcek
Member

@jvlcek jvlcek commented May 6, 2020

Fixes #19866

This PR, combined with others in other github repos, will move the support for the ManageIQ API out of code and into the Apache configuration.

Dependent PRs
ManageIQ/manageiq-appliance#282
ManageIQ/manageiq-api#828
ManageIQ/manageiq-appliance_console#117

To test:

Follow the ManageIQ OpenID-Connect documentation, found here, to configure a ManageIQ appliance for OpenID-Connect authentication and
confirm the API can be used with:

  1. Basic auth using admin/
  2. A JWT acquired from the OpenID-Connect Identity Provider then pass the JWT in the header to make a request to the ManageIQ API
  3. An API Auth token

Examples of each of the above 3:

  1. Basic auth using admin/

# -k skips TLS certificate verification; only acceptable against a test appliance with a self-signed certificate.
curl -L -vvv -k --user admin:smartvm -X GET -H "Accept: application/json" "https://${OID_CLIENT_HOST}/api/users"

  2. A JWT acquired from the OpenID-Connect Identity Provider then pass the JWT in the header to make a request to the ManageIQ API

TOKEN_ENDPOINT="https://${KEYCLOAK_SERVER}:8443/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token"

# Resource-owner password grant: exchange the user's credentials for an access token (a JWT) at the IdP.
RES=$(curl -k -L --user "${USER}:${PASSWORD}" -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=${KEYCLOAK_CLIENT_ID}" \
  -d "client_secret=${OID_CLIENT_SECRET}" \
  -d "username=${USER}" \
  -d "password=${PASSWORD}" \
  "${TOKEN_ENDPOINT}")

ACCESS_TOKEN=$(echo "${RES}" | jq -r '.access_token')

# The bearer JWT is validated by Apache before the request reaches the API.
curl -L -vvv -k -X GET -H "Authorization: Bearer ${ACCESS_TOKEN}" "https://${OID_CLIENT_HOST}/api/users" | jq

  3. An API Auth token

TOKEN_ENDPOINT="https://${KEYCLOAK_SERVER}:8443/auth/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token"

# Same password grant as in 2 to obtain the JWT.
RES=$(curl -k -L --user "${USER}:${PASSWORD}" -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=${KEYCLOAK_CLIENT_ID}" \
  -d "client_secret=${OID_CLIENT_SECRET}" \
  -d "username=${USER}" \
  -d "password=${PASSWORD}" \
  "${TOKEN_ENDPOINT}")
ACCESS_TOKEN=$(echo "${RES}" | jq -r '.access_token')

# Exchange the validated JWT for a ManageIQ API auth token via /api/auth ...
RES=$(curl -L -vvv -k -X GET -H "Authorization: Bearer ${ACCESS_TOKEN}" "https://${OID_CLIENT_HOST}/api/auth")
API_AUTH_TOKEN=$(echo "${RES}" | jq -r '.auth_token')

# ... and send it in X-Auth-Token on subsequent requests instead of the JWT.
curl -L -vvv -k -X GET -H "Accept: application/json" -H "X-Auth-Token: ${API_AUTH_TOKEN}" "https://${OID_CLIENT_HOST}/api/users" | jq
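The three auth paths in the test plan above, as an added example that is not part of the PR or of the ManageIQ code base. It reproduces the curl sequence in Python and adds the check a tester would want before forwarding the IdP's token to the appliance: decode the JWT payload and confirm the `iss` claim matches the Keycloak realm the Apache side is configured for and that the token is inside its `nbf`/`exp` window. The decode is inspection only (no signature check); with this PR the actual validation happens in Apache in front of the API. Environment variable names mirror the curl commands; `ADMIN_PASSWORD` and `INSECURE_TLS` are added assumptions, and the issuer format `https://<server>:8443/auth/realms/<realm>` is assumed from the token endpoint path shown above. `make_unsigned_jwt` exists only to build a constructed test fixture.

```python
# Added example (not ManageIQ project code): exercise the three API auth paths
# and sanity-check the OIDC access token before sending it to the appliance.
import base64
import json
import os
import ssl
import time
import urllib.parse
import urllib.request


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. Deliberately no signature check: this
    only inspects what the IdP issued; acceptance is decided by Apache."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_problems(token: str, expected_issuer: str, now=None) -> list:
    """Reasons the proxy would reject the token: issuer mismatch with the
    configured provider, expired, or not yet valid. Empty list = looks usable."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("token not yet valid")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none fixture for offline tests of the helpers above.
    A real IdP-backed proxy must never accept such a token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def opener(insecure: bool):
    """urllib opener; insecure=True mirrors curl -k and is only acceptable
    against a test appliance with a self-signed certificate."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def get_json(op, url: str, headers: dict) -> dict:
    req = urllib.request.Request(url, headers={"Accept": "application/json", **headers})
    with op.open(req) as resp:
        return json.load(resp)


def oidc_access_token(op, token_endpoint, client_id, client_secret, user, password) -> str:
    """Resource-owner password grant against Keycloak, as in the PR's curl."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": user, "password": password}).encode()
    req = urllib.request.Request(token_endpoint, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with op.open(req) as resp:
        return json.load(resp)["access_token"]


def basic_header(user: str, password: str) -> dict:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


if __name__ == "__main__":
    e = os.environ
    api = f"https://{e['OID_CLIENT_HOST']}/api"
    # Issuer format assumed from the token endpoint path used in the PR's curl commands.
    issuer = f"https://{e['KEYCLOAK_SERVER']}:8443/auth/realms/{e['KEYCLOAK_REALM']}"
    op = opener(insecure=e.get("INSECURE_TLS") == "1")  # INSECURE_TLS is an assumed variable
    # 1. local admin account over basic auth (ADMIN_PASSWORD is an assumed variable)
    print(json.dumps(get_json(op, f"{api}/users", basic_header("admin", e["ADMIN_PASSWORD"])), indent=2))
    # 2. bearer JWT from the IdP, inspected before use
    jwt = oidc_access_token(op, issuer + "/protocol/openid-connect/token", e["KEYCLOAK_CLIENT_ID"],
                            e["OID_CLIENT_SECRET"], e["USER"], e["PASSWORD"])
    bad = token_problems(jwt, issuer)
    if bad:
        raise SystemExit("refusing to send token: " + "; ".join(bad))
    print(json.dumps(get_json(op, f"{api}/users", {"Authorization": f"Bearer {jwt}"}), indent=2))
    # 3. exchange the JWT for a ManageIQ API auth token, then use X-Auth-Token
    api_token = get_json(op, f"{api}/auth", {"Authorization": f"Bearer {jwt}"})["auth_token"]
    print(json.dumps(get_json(op, f"{api}/users", {"X-Auth-Token": api_token}), indent=2))
```

Run it with the same variables exported as for the curl commands; a token whose issuer does not match the realm Apache was configured with is refused locally, which separates "my token is wrong" from "the Apache configuration is wrong" when debugging a failing step 2 or 3.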

@jvlcek
Member Author

jvlcek commented May 6, 2020

@miq-bot add_label wip
Setting wip label until more testing is done.

@jvlcek jvlcek changed the title Move API OpenID-Connect support to Apache configuration [WIP] Move API OpenID-Connect support to Apache configuration May 6, 2020
@miq-bot miq-bot added the wip label May 6, 2020
@miq-bot
Member

miq-bot commented May 6, 2020

Checked commit jvlcek@a6feb2c with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
1 file checked, 0 offenses detected
Everything looks fine. 🍰

@Fryguy
Member

Fryguy commented May 6, 2020

cc @carbonin

@abellotti
Member

LGTM!!

Let Apache do the ✨

@jvlcek
Member Author

jvlcek commented May 8, 2020

@bdunne FYI

@jvlcek
Member Author

jvlcek commented May 8, 2020

@miq-bot remove_label wip

@miq-bot miq-bot changed the title [WIP] Move API OpenID-Connect support to Apache configuration Move API OpenID-Connect support to Apache configuration May 8, 2020
@miq-bot miq-bot removed the wip label May 8, 2020
@Fryguy Fryguy merged commit 70f97e6 into ManageIQ:master May 8, 2020
simaishi pushed a commit that referenced this pull request May 12, 2020
Move API OpenID-Connect support to Apache configuration

(cherry picked from commit 70f97e6)
@simaishi
Contributor

Jansa backport details:

$ git log -1
commit d6b8005acc510ea1700ac35f055b8f5eaf1cbd4c
Author: Jason Frey <fryguy9@gmail.com>
Date:   Fri May 8 16:33:03 2020 -0400

    Merge pull request #20131 from jvlcek/oidc_to_httpd_config_issue_19866

    Move API OpenID-Connect support to Apache configuration

    (cherry picked from commit 70f97e6688eef3c48d498b12e3af4d06016f35aa)

Development

Successfully merging this pull request may close these issues.

Research moving API OpenID-Connect/OAuth2 support into Apache configuration
6 participants