Support external OIDC providers #3084
Comments
Hi, @christian-posta. We can remove the requirement of the OIDC integration in Kube API, but RBAC capabilities will be lost. All users logging into Kiali will share the same privileges, because the OpenID users will be unknown to the API server. Another approach is to add support for API proxies (like What would be your expectation? Do you need RBAC, or are you OK with the shared privileges?
Supporting cloud customers who cannot modify kube api with #3042 sounds interesting!
Hi, @israel-hdez
And related to this would be our use case:
Hi @israel-hdez, in our setup we have an AKS cluster with AAD integration enabled. Our idea was to let people use their AAD credentials to access Kiali. Either using code flow or implicit flow (and generating an otherwise valid JWT) does not seem to work. I would be happy to provide more details.
@xFayre, perhaps you can open a new GitHub issue with your details? I would be interested in knowing what error Kiali is outputting.
go-jose is an implementation of the JOSE standards: JWE, JWS, JWT. This library is going to be used to verify tokens issued by OpenId providers when Kiali is under a no-RBAC configuration. Related to kiali#3084
The function is doing all checks that are needed to ensure we can accept the id_token. All checks in this function are delegated to the Kubernetes API when the environment is set up with OIDC integration on all parties (both Kiali and Kubernetes). Related to kiali#3084
By default, `disable_rbac` is "off", assuming users usually want RBAC. If users don't want RBAC, this forces them to explicitly turn it off. Basically, we want people to be aware that users logging into Kiali will all share the same privileges. Related to kiali/kiali#3084
This is for using singleflight.Group, which helps reduce the number of requests to the OpenId Server if several threads want to fetch the discovery data of the server and/or the JSON Web Key Set data. Related to kiali#3084
Multi-thread safety is added to: * GetJwkFromKeySet (the new one in kiali#3084) * GetOpenIdMetadata (an existing one) It's unlikely that an error will happen without this, but it's better to be safe. The main variables that may lead to race condition issues are `cachedOpenIdMetadata` and `cachedOpenIdKeySet`. If multiple threads want to read these variables and find that no data is cached, then multiple requests will be dispatched to fetch the missing data and also all threads will want to store the fetched data. These changes are to ensure that only one request will be dispatched to fetch the data even if multiple threads find that there is no cached data. The same fetched data will be returned/shared across all threads that found no cached data and want to retrieve it from the OpenId Server. Related to kiali#3084
Adding documentation to configure Kiali with OpenID authentication and RBAC disabled. Related kiali/kiali#3084
Implementation:
…be possible) (#3310) * Add go-jose dependency. * go-jose is an implementation of the JOSE standards: JWE, JWS, JWT. * This library is going to be used to verify tokens issued by OpenId providers when Kiali is under a no-RBAC configuration. * Add function to fetch the JWKS document from the IdP * Add function to deeply verify the OpenId token * The function is doing all checks that are needed to ensure we can accept the id_token. All checks in this function are delegated to the Kubernetes API when the environment is set up with OIDC integration on all parties (both Kiali and Kubernetes) * Add configuration to turn on/off RBAC on openid strategy * Add "golang.org/x/sync" dependency * This is for using singleflight.Group, which helps reduce the number of requests to the OpenId Server if several threads want to fetch the discovery data of the server and/or the JSON Web Key Set data. * Add multi-thread safety to OpenId functions * Multi-thread safety is added to: GetJwkFromKeySet (the new one in #3084); GetOpenIdMetadata (an existing one) * It's unlikely that an error will happen without this, but it's better to be safe. The main variables that may lead to race condition issues are `cachedOpenIdMetadata` and `cachedOpenIdKeySet`. If multiple threads want to read these variables and find that no data is cached, then multiple requests will be dispatched to fetch the missing data and also all threads will want to store the fetched data. * These changes are to ensure that only one request will be dispatched to fetch the data even if multiple threads find that there is no cached data. The same fetched data will be returned/shared across all threads that found no cached data and want to retrieve it from the OpenId Server.
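The id_token verification that the "deeply verify the OpenId token" commit message above describes (and that the squashed commit message repeats), as an added Go example that is not Kiali's code and does not use go-jose: it pins the JOSE alg, picks the JWKS key by kid, checks the signature, then iss, aud, nonce and exp. To keep the key handling short it uses Ed25519/EdDSA keys (RFC 8037) instead of the RS256 keys most providers publish, and the names JWK, IDClaims, MintIDToken and VerifyIDToken are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding

// JWK is one OKP/Ed25519 key as the IdP's JWKS lists it (RFC 8037), cached by kid; IDClaims are
// the id_token claims Kiali must check itself when the API server is bypassed (single-string aud).
type JWK struct{ Kid, Crv, X string }
type IDClaims struct{ Iss, Aud, Nonce string; Exp int64 }

// MintIDToken stands in for the IdP (constructed for the demo): it issues a signed id_token.
func MintIDToken(priv ed25519.PrivateKey, kid, alg string, c IDClaims) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	p, _ := json.Marshal(map[string]interface{}{"iss": c.Iss, "aud": c.Aud, "nonce": c.Nonce, "exp": c.Exp})
	signing := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	return signing + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}

// VerifyIDToken pins alg to EdDSA, verifies the signature with the JWKS key whose kid matches,
// then checks iss, aud, nonce and exp (now is Unix seconds). Any failure rejects the token.
func VerifyIDToken(tok string, jwks map[string]JWK, iss, clientID, nonce string, now int64) (*IDClaims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if h, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("malformed token or unsupported alg") // also rejects alg=none and HS256 key confusion
	}
	k, ok := jwks[hdr.Kid]
	pub, err := enc.DecodeString(k.X)
	if !ok || k.Crv != "Ed25519" || err != nil || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("no usable JWKS key for kid")
	}
	if sig, err := enc.DecodeString(parts[2]); err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c IDClaims
	if p, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if c.Iss != iss || c.Aud != clientID || c.Nonce != nonce || c.Exp <= now {
		return nil, errors.New("iss/aud/nonce/exp check failed")
	}
	return &c, nil
}
```

Go's case-insensitive JSON field matching maps the lowercase iss/aud/nonce/exp keys onto IDClaims; a provider that sends aud as a JSON array would need a custom unmarshaler.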
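The single-flight behaviour the "multi-thread safety" commit message above describes for `cachedOpenIdKeySet` (and the squashed message repeats), as an added Go example that is not Kiali's code: a standard-library-only stand-in for singleflight.Group in which concurrent cache misses share one fetch and its error instead of each dispatching a request to the IdP. KeySetCache, fetchCall and the fetch callback (which stands in for the HTTPS request to the jwks_uri) are names assumed here.

```go
package main

import "sync"

// KeySetCache caches the IdP's JWKS (kid -> key material, opaque here) and collapses concurrent
// cache misses into one fetch, the job singleflight.Group does for cachedOpenIdKeySet in Kiali.
type KeySetCache struct {
	mu    sync.Mutex
	keys  map[string]string
	call  *fetchCall                        // non-nil while a fetch is in progress
	fetch func() (map[string]string, error) // stands in for the HTTPS request to jwks_uri
}

// fetchCall carries the one shared outcome to every caller that waited on an in-flight fetch.
type fetchCall struct {
	done chan struct{}
	keys map[string]string
	err  error
}

// Get returns the cached key set, or fetches it once while other callers wait for that result.
// Waiters read fc.keys/fc.err only after fc.done is closed, which happens after they are written.
func (c *KeySetCache) Get() (map[string]string, error) {
	c.mu.Lock()
	if c.keys != nil { // fast path: already cached, no request to the IdP
		c.mu.Unlock()
		return c.keys, nil
	}
	if fc := c.call; fc != nil { // a fetch is already running: share its outcome
		c.mu.Unlock()
		<-fc.done
		return fc.keys, fc.err
	}
	fc := &fetchCall{done: make(chan struct{})}
	c.call = fc
	c.mu.Unlock()
	fc.keys, fc.err = c.fetch() // network I/O happens outside the lock
	c.mu.Lock()
	if fc.err == nil {
		c.keys = fc.keys // a failed fetch leaves the cache empty so the next caller retries
	}
	c.call = nil
	c.mu.Unlock()
	close(fc.done) // releases every waiter with the same result (or error)
	return fc.keys, fc.err
}
```

Starting several goroutines on Get against a fetch that counts its invocations observes exactly one fetch; a failed fetch is returned to every waiter but not cached, so the next call retries.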
This was finished in Sprint #47 and Kiali v1.26 is covering this case. Closing as done.
Right now to use OIDC you have to tie it into the Kube API. On cloud-hosted k8s, it's not easy (or is impossible) to alter the kube api startup config.
Can we support a standalone (Auth0, Keycloak, Dex, etc) OIDC provider?