Limit keycloak redirect urls #491
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha: The following test failed, say
templates/keycloak_provision
@@ -20,7 +20,7 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \ | |||
-s clientId=$keycloakClientId \ | |||
-s id=$keycloakClientId \ | |||
-s 'webOrigins=["http://$cheHost", "https://$cheHost"]' \ | |||
-s 'redirectUris=["http://$cheHost/*", "https://$cheHost/*"]' \ | |||
-s 'redirectUris=["http://$cheHost/dashboard/", "https://$cheHost/dashboard/", "http://$cheHost/workspace-loader/", "https://$cheHost/workspace-loader/", "http://$cheHost/_app/loader.html", "https://$cheHost/_app/loader.html"]' \ |
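Review bot: every path in the new redirectUris value still appears twice, once as http:// and once as https://, so a deployment that only serves TLS still lets Keycloak deliver the token to a plaintext redirect on the same host; take the scheme from a parameter alongside $cheHost and emit one entry per path. Two further checks on this line: without a trailing `*` Keycloak matches these entries exactly, so a redirect_uri that carries a query string or omits the trailing slash (for example `https://$cheHost/dashboard` or `https://$cheHost/workspace-loader/?...`) is rejected, which is worth confirming against how the dashboard and workspace loader actually build their redirect_uri; and `$cheHost` sits inside single quotes, so the shell will not expand it, which is fine only if the template engine substitutes it before this script runs.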
What about the ability to get a token from localhost? I had in mind running a local dashboard/workspace-loader instance without manually modifying redirect URIs on each new cluster, but I assume it could also help `chectl server:login` do login through the web interface, as https://github.com/int128/kubelogin is able to do.
I assume it should be safe to do since it's allowed on OpenShift.io OAuth.
I am not sure that it is secure; who can confirm that?
@ibuziuk Could you help to discover the answer here?
It seems `_app/oauth.html` needs to be added here as well: https://github.com/eclipse/che/blob/master/assembly/assembly-root-war/src/main/webapp/_app/oauth.html.
What if we even add `_app/*`, since we are sure that `_app` is an application hosted by Che Server and we don't really need to list them one by one? @skabashnyuk WDYT?
/retest
@@ -20,7 +20,7 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \ | |||
-s clientId=$keycloakClientId \ | |||
-s id=$keycloakClientId \ | |||
-s 'webOrigins=["http://$cheHost", "https://$cheHost"]' \ | |||
-s 'redirectUris=["http://$cheHost/*", "https://$cheHost/*"]' \ | |||
-s 'redirectUris=["http://$cheHost/dashboard/*", "https://$cheHost/dashboard/*", "http://$cheHost/workspace-loader/*", "https://$cheHost/workspace-loader/*", "http://$cheHost/_app/*", "https://$cheHost/_app/*"]' \ |
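Review bot: the wildcard entries on this line, like the webOrigins two lines above, still come as http/https pairs, so the scheme duplication remains even though the path set has been narrowed; driving both values from a protocol parameter (as the discussion proposes) would remove the plaintext redirects when TLS is configured. With `/*` restored, the list is only as tight as what is served under `/dashboard/`, `/workspace-loader/` and `/_app/`: any page under those prefixes that forwards to a caller-supplied URL would turn the narrowed list back into a host-wide one, so confirm that these prefixes serve only Che-server-hosted application content, as the thread asserts for `_app`.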
Not really related to the current PR, but instead of duplicating http and https redirects, can we just provide the right protocol via a parameter, as we provide $cheHost? It would help us be more secure and make sure the token is not sent through http when https is configured.
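To see what the three redirectUris values in this PR actually accept and reject, the following script (added for this review; it is not code from che-operator or Keycloak) compares them under a simplified re-implementation of Keycloak's redirect_uri rule as understood here: an entry matches exactly, or as a prefix when it ends in `*`, in which case the query string of the incoming redirect_uri is ignored and a missing trailing slash is tolerated. Verify that rule against the Keycloak version you deploy before relying on it. The host name `che.example.test`, the sample redirect_uri values and the `build_redirect_uris` helper (the single-scheme list requested in the comment above) are constructed for the example.

```python
"""Compare the redirectUris lists from this PR under a model of Keycloak's
redirect_uri matching, and audit them the way a reviewer would.

Added example, not code from che-operator or Keycloak. The matcher is a
simplified re-implementation of Keycloak's rule as the author understands it;
confirm against your Keycloak version. Host and redirect values are constructed.
"""
from urllib.parse import urlsplit

CHE_HOST = "che.example.test"  # constructed stand-in for $cheHost
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def expand(templates, che_host):
    """Substitute $cheHost the way the provisioning template would."""
    return [t.replace("$cheHost", che_host) for t in templates]


# The three redirectUris values as they appear in the diff hunks.
ORIGINAL = expand(["http://$cheHost/*", "https://$cheHost/*"], CHE_HOST)
REVISION_1 = expand([
    "http://$cheHost/dashboard/", "https://$cheHost/dashboard/",
    "http://$cheHost/workspace-loader/", "https://$cheHost/workspace-loader/",
    "http://$cheHost/_app/loader.html", "https://$cheHost/_app/loader.html",
], CHE_HOST)
REVISION_2 = expand([
    "http://$cheHost/dashboard/*", "https://$cheHost/dashboard/*",
    "http://$cheHost/workspace-loader/*", "https://$cheHost/workspace-loader/*",
    "http://$cheHost/_app/*", "https://$cheHost/_app/*",
], CHE_HOST)


def matches(registered, redirect):
    """Keycloak-style match of one registered URI against a redirect_uri."""
    if registered == "*":
        return True
    if registered.endswith("*") and "?" not in registered:
        prefix = registered[:-1]
        path_only = redirect.split("?", 1)[0]  # query ignored for wildcards
        if path_only.startswith(prefix):
            return True
        # ".../dashboard/*" also accepts ".../dashboard" without the slash
        return prefix.endswith("/") and path_only == prefix[:-1]
    return registered == redirect  # no wildcard: exact match only


def is_allowed(redirect_uris, redirect):
    return any(matches(r, redirect) for r in redirect_uris)


def compare(redirect):
    """Acceptance of one redirect_uri under each list, in diff order."""
    return tuple(is_allowed(lst, redirect) for lst in (ORIGINAL, REVISION_1, REVISION_2))


def audit(redirect_uris):
    """Findings a reviewer would raise about a redirectUris list."""
    findings = []
    for uri in redirect_uris:
        parts = urlsplit(uri)
        # Loopback is exempted here following RFC 8252's guidance for native
        # apps; whether Che should allow it at all is left open in the thread.
        if parts.scheme == "http" and parts.hostname not in LOOPBACK:
            findings.append(f"plaintext redirect, token exposed over http: {uri}")
        if parts.path in ("/*", "*"):
            findings.append(f"host-wide wildcard, any path on the host accepted: {uri}")
    return findings


def build_redirect_uris(protocol, che_host):
    """Hypothetical helper: one scheme, taken from a parameter as proposed."""
    if protocol not in ("http", "https"):
        raise ValueError(f"unsupported protocol: {protocol}")
    paths = ("dashboard/*", "workspace-loader/*", "_app/*")
    return [f"{protocol}://{che_host}/{p}" for p in paths]


if __name__ == "__main__":
    for r in (f"https://{CHE_HOST}/dashboard/?redirect_fragment=workspaces",
              f"https://{CHE_HOST}/_app/oauth.html",
              f"https://{CHE_HOST}/anything/else",
              f"http://{CHE_HOST}/dashboard/"):
        print(r, "original/rev1/rev2 ->", compare(r))
    for name, lst in (("original", ORIGINAL), ("revision 2", REVISION_2),
                      ("https only", build_redirect_uris("https", CHE_HOST))):
        print(name, audit(lst) or ["no findings"])
```

Running it shows the trade-off debated above: the exact-match list rejects `_app/oauth.html` and any dashboard deep link that carries a query string, the `/*` list accepts both while still refusing arbitrary paths on the host, and only the single-scheme list drops the plaintext findings.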
Agree
Approving, since the http/https issue is already in the code, but it can be solved separately.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: sleshchenko, tolusha.
Signed-off-by: Anatolii Bazko abazko@redhat.com
Reference issue
eclipse-che/che#17902