Pinniped Auth Provider #19846
@jamieklassen would appreciate any more feedback. Thought I would open this up to see if there were any other places that might need addressing for this auth provider.
81990b5
to
5099cd4
Compare
Worth mentioning that this relates to #14011 -- it is also strictly an integration with the pinniped supervisor, forming only an incomplete part of an overall pinniped integration.
I scanned and made a bunch of "single comments" and didn't gather them into a review so I'm formally "requesting changes" here. Can we also update `plugins/auth-backend/config.d.ts` with the schema for this new provider? It's a good place to start documenting the fields like `federationDomain`, `clientId`, and `clientSecret`. At a first glance, it might not be obvious that those config values are required.
Sure thing, this all makes sense. I will get to working on those changes. I have to take a closer look at those dependencies in my package.json; if I recall correctly, the linter was screaming about not having certain dependencies installed and I used the provided CLI calls to rectify the issue. Probably in all the refactoring those libraries/dependencies aren't even used anymore, which makes things look a bit funky.
2b0648e
to
4951646
Compare
Thought of one more improvement before I forget, and requested some additional input from @cfryanr who works on Pinniped
4951646
to
8f45ee8
Compare
Looks like this also needs a rebase; some conflicts to resolve
3d55d8e
to
77414c0
Compare
Just driving with the test at this point, hitting some trouble with express-session/cookies but I have an idea for an approach when I return to it: Hopefully it will be enough to enable all the right middlewares in our express app under test and then use `request.agent` from supertest as in https://github.com/ladjs/supertest/blob/25920e7a1d246b590123417bfce33221db88e947/README.md?plain=1#L244-L256 which can make an initial request to the `/start` endpoint and persist cookies to the next request (the interesting one under test) to `/handler/frame`. Signed-off-by: Jamie Klassen <jklassen@vmware.com>
Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
Removed all the code that wasn't impacting a failing test, and removed the "ID token" test -- we'll start with access tokens since they are more important for our token-exchange use case. Signed-off-by: Jamie Klassen <jklassen@vmware.com> Co-authored-by: Ruben Vallejo <rvallejo@vmware.com>
Now the unit tests for the start method should render the '#start' describe in index.test.ts redundant. Signed-off-by: Jamie Klassen <jklassen@vmware.com> Co-authored-by: Ruben Vallejo <rvallejo@vmware.com>
Some thoughts at this point:
* it would be nice to gather all the fakePinnipedSupervisor setup together in the beforeEach rather than spreading it throughout the test body
* we need a real JWK/JWKS endpoint for token signing
Signed-off-by: Jamie Klassen <jklassen@vmware.com> Co-authored-by: Ruben Vallejo <rvallejo@vmware.com>
Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
…it tests Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
… state, fix integration tests Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
and remove tokenSignedAlg option from pinniped, since it's not actually configurable by end users. This means that all the tests use ID tokens signed with a real JWK. Signed-off-by: Jamie Klassen <jklassen@vmware.com>
… #start refactor complete Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
Signed-off-by: Ruben Vallejo <rvallejo@vmware.com> Co-authored-by: Jamie Klassen <jklassen@vmware.com>
5a96ebf
to
f79adc0
Compare
Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
f79adc0
to
2f172ba
Compare
Thank you for contributing to Backstage! The changes in this pull request will be part of the
Hey, I just made a Pull Request!
Enable the auth-backend plugin to get cluster-scoped ID tokens via an RFC 8693 token exchange using a newly introduced Pinniped Auth Provider
Relates to issue #14011 -- strictly an integration with the pinniped supervisor, forming only an incomplete part of an overall pinniped integration.
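An added example, not code from this pull request or from Pinniped: the RFC 8693 exchange the description refers to, showing the form body that trades an access token for a token scoped to one cluster audience, and a check on the response before the token is used. The function names, the sample token, and the choice of `urn:ietf:params:oauth:token-type:jwt` as the requested type are assumptions.

```typescript
// Added example; function names and sample values are hypothetical.
const GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange';
const ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';
const JWT_TYPE = 'urn:ietf:params:oauth:token-type:jwt';

// Form body for the token endpoint (RFC 8693 section 2.1). Client
// authentication is left out: how the client authenticates is server policy.
function buildTokenExchangeBody(accessToken: string, clusterAudience: string): URLSearchParams {
  if (!accessToken || !clusterAudience) throw new Error('subject token and audience are both required');
  return new URLSearchParams({
    grant_type: GRANT_TYPE,
    subject_token: accessToken,
    subject_token_type: ACCESS_TOKEN_TYPE,
    requested_token_type: JWT_TYPE,
    audience: clusterAudience,
  });
}

interface ExchangeResponse {
  access_token?: string; // RFC 8693 returns the issued token here, whatever its type
  issued_token_type?: string;
  token_type?: string;
}

// Decodes the JWT payload WITHOUT verifying it; signature verification
// against the issuer's JWKS is a separate step not shown here.
function decodeClaims(jwt: string): Record<string, unknown> {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Rejects a response whose token is not a JWT scoped to the requested audience.
function extractClusterToken(res: ExchangeResponse, clusterAudience: string): string {
  if (!res.access_token) throw new Error('response carries no token');
  if (res.issued_token_type !== JWT_TYPE) throw new Error('issued token is not a JWT');
  const aud = decodeClaims(res.access_token).aud;
  const audiences: unknown[] = Array.isArray(aud) ? aud : [aud];
  if (audiences.indexOf(clusterAudience) === -1) throw new Error('token audience mismatch');
  return res.access_token;
}

// Constructed sample token with a placeholder signature, for offline runs.
const b64 = (o: object): string => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = (aud: string): string =>
  `${b64({ alg: 'ES256' })}.${b64({ aud: [aud], sub: 'constructed-user' })}.c2ln`;
```

The audience check is what makes the result cluster-scoped: a token minted for one cluster is refused when it is presented as the answer to a request for another.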