Use SSO to create CLI token #598
Conversation
There was a problem hiding this comment.
@yuriadams nice job.
but userid as convoxID poses a security issue. it should't be a user id. since we once someone knows the user id, they can easily login in. also its hard to change if it gets compromised since it's act as an identifier of the user in our system and all the data associated with it.
also can every user in the sso okta can configure identity provider?
@nightfury1204 thank you very much for your feedback. First question: This is a great point that I don't have the answer what's the the best way. A improvement I did this morning was add the convoxID as a token claim. So, this token will be sent to the console and the console will be responsable to check if the id is there, so the cli won't "know" the convox id because it will be in the token payload. So, your concern is more the person who's configuring the okta knows the user id? Do you have a suggestion about how can we make this link between the okta and our console? Create like a new token for the user and this token to be included in okta ui maybe? Second: |
* Add rack_name to the vars It will be used to set the rack name * Add rack name to the nanespace label * Change the rack name before it's moved to the console or locally * Fix tests about terraform * Add rack_name to all providers
* Add fix for aws gov cloud * Fix attribute not found error when terraform destroy
yuriadams
force-pushed
the
feat-1204056522119209-sso
branch
from
d551cd8
to
34b2f31
Compare
* update to k8s 1.24 * Update golang to 1.17 * Update hashicorp/kubernetes version * add eks addon dependency * Fix for do * Add dependency
…Set. (#627) * Change rack name (#589) * Add rack_name to the vars It will be used to set the rack name * Add rack name to the nanespace label * Change the rack name before it's moved to the console or locally * Fix tests about terraform * Add rack_name to all providers * fix: Add fix for aws gov cloud (#609) * Add fix for aws gov cloud * Fix attribute not found error when terraform destroy * Remove outdated code and unused lib (#611) * Set default value for rack_name on tf files * Add fix for route table and bucket acl not allowed error * Store rack install & rack install update telemetry data (#608) * Cli command to activate or desactivate cli telemetry * unit test for the cli cmd * Send telemetry params on rack install and rack params set * CLI docs * Changing approach: The telemetry data will be send by the terraform after all infra will be provisioned * Add resource telemetry on all providers * Extract telemetry for a different module * add telemetry param * Fix unit test * Define a k8s configmap with the values on vars.json. * Get params from configmap and sync with metrics app * Anonymize params * Redact rack_name * refactoring to improve quality on the function to create sync cm * set telemetry var as true as default * Fix deepsource terraform warnings * Fix unit tests * Fix deepsource go warnings * Change telemetry type to boolean * create the configmap just if the settings dir is set (#622) * Try to restrict settings variable to only new releases * Fix minor version check for telemetry support * remove prints * rollback go syntax: init toSync map * rollback release version check * Fix deepsource report * Fix unit tests * Remove diff strategy * rack_params as a prefix * Put telemetry off as default for next release * fix unit tests * Fix deepsource * not necessary update sync configmap anymore * Put the right minor version supported * refactoring check if release is supported * try a patch release --------- Co-authored-by: Taynan <Twsouza@users.noreply.github.com> Co-authored-by: Md. Nure Alam Nahid <knightnahid@gmail.com> Co-authored-by: Taynan Souza <taynan.tws@gmail.com>
* Add spot and on_demand instance count in telemetry * Put the login in seperate funtion
* Azure fix * Fix build security context bug * Update buildkit version
|
@yuriadams is this good to review? |
nightfury1204
force-pushed
the
staging
branch
2 times, most recently
from
3341718
to
6df011a
Compare
nightfury1204
force-pushed
the
staging
branch
2 times, most recently
from
9961ed6
to
1f3f912
Compare
nightfury1204
force-pushed
the
staging
branch
from
eb5223f
to
9541383
Compare
What is the feature/fix?
Docs:
configure
Configure necessary fields to make the authentication using
logincommand.Fields:
okta.Usage
or
or we can add following environment variables:
Examples
convox sso configure SSO Provider: SSO Client ID: SSO Client Secret: SSO Issuer: SSO Callback URL: OKlogin
Authenticate your CLI using a identity provider.
Usage
You will be redirected to the browser to your fill the credentials in your identity provider.
Requirements
Is necessary to configure the identity provider to add the
convoxIDthat refers with the user id in the console. Also, is required to add this field in the token claim.Also, configure the callback endpoint in the customer application, for example,
http://localhost:8090/authorization-code/callback. Port and the path can be customized by the customer.Does it has a breaking change?
No
Video Record
https://convox602-my.sharepoint.com/:u:/r/personal/yuri_adams_convox_com/Documents/Convox%20-%20SSO%20Demo.zip?csf=1&web=1&e=Qqro5W
Checklist