OIDC User Login flow #55514
OIDC User Login flow #55514
Conversation
Adding full github.com/coreos/go-oidc and github.com/skratchdot/open-golang to vendor pkgs, for "kubectl alpha login" to perform OIDC user login flow. A minor fix is needed in hack/update-godep-licenses.sh where max_depth should be 2 for finding license files as 1 is not enough for packages like gopkg.in/square/go-jose.v2
kubectl alpha login will open browser to login users and save tokens back to kubeconfig file The AuthProvider defined in k8s.io/client-go/rest/plugin.go has a method called "Login" however it's not used anywhere in the code. It's a good place the implement the interactive login flow. So this proposal changes the definition of the method a little to make it for interactive flow. Only OIDC provider implements the interactive login flow in this commit.
k8s-ci-robot
added
release-note
|
Hi @easeway. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: easeway Assign the PR to them by writing Associated issue: 54201 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Thank you for doing this @easeway ! |
|
@kubernetes/sig-cli-pr-reviews |
k8s-ci-robot
added
the
sig/cli
|
@tamalsaha: Reiterating the mentions to trigger a notification: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| http.Error(w, "failed to exchange token: "+err.Error(), http.StatusInternalServerError) | ||
| return | ||
| } | ||
| idToken, ok := token.Extra("id_token").(string) |
There was a problem hiding this comment.
I would like to say that OIDC should not be required for this. Since kubectl can work with --token, this should work for any OAuth2 provider (not just the ones who also send id token).
- If an
id_token, then it can behave like a OIDC auth provider. - Otherwise, kubectl just sends the auth token to kube api server. How the auth token gets associated with an identity should be up to the
webhook authN server.
There was a problem hiding this comment.
Yes. I agree the implementation will be mostly the same. My implementation goes in the OIDC auth plugin in kubectl, so that will be OIDC specific. Regarding OAuth2, it's a different route performed by kubectl. And currently there's no specific design for an interactive flow. I feel we need more discussion on that before we can consolidate the implementation for both flows.
|
@kubernetes/sig-cli-proposals @kubernetes/sig-auth-proposals |
k8s-ci-robot
added
kind/design
|
cc @mikedanese |
| @@ -2997,6 +3013,21 @@ | |||
| "Rev": "20b71e5b60d756d3d2f80def009790325acc2b23" | |||
| }, | |||
| { | |||
| "ImportPath": "gopkg.in/square/go-jose.v2", | |||
There was a problem hiding this comment.
go-jose is already vendored at github.com/square/go-jose. Can you just update that?
There was a problem hiding this comment.
We import gopkg.in/square/go-jose.v2 in go-oidc which I think is the recommended import. https://github.com/square/go-jose#versions
Maybe we can switch the import in k8s.io/kubernetes ?
There was a problem hiding this comment.
Ya, my preference would be to update existing code to use gopkg.in... and avoid vendoring two of the same library.
There was a problem hiding this comment.
Gotcha! I can check the places using go-jose.
| @@ -30,8 +30,8 @@ type AuthProvider interface { | |||
| // WrapTransport allows the plugin to create a modified RoundTripper that | |||
| // attaches authorization headers (or other info) to requests. | |||
| WrapTransport(http.RoundTripper) http.RoundTripper | |||
| // Login allows the plugin to initialize its configuration. It must not | |||
| // require direct user interaction. | |||
| // Login allows the plugin to initialize its configuration. It may involve | |||
There was a problem hiding this comment.
This is a major change that hasn't been discussed.
There was a problem hiding this comment.
Other auth providers already require user interaction. e.g. the azure auth-n plugin can prompt you.
There was a problem hiding this comment.
So is the comment on the interface wrong or the azure implementation wrong?
There was a problem hiding this comment.
The Login command has never been implemented, the Azure transport wrapper does this, so I'd call the comment is outdated.
Conversation about interactive prompts here #43987 (comment)
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
cc @monopole |
|
@easeway Thanks for your contribution. Have you read the SIG cli contributing guide? |
|
Beyond the sig-cli concerns I have a couple comments:
Going to add this to tomorrow's SIG auth meeting so we can discuss this. |
|
@pwittrock I will submit a design proposal soon. The issue already exists #54201 |
|
There was some discussion of this in sig-auth today. https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#heading=h.8jbewrjpj9jq Biggest concerns are:
Basically, before we start committing to an OpenID Connect login, we probably want to do some planning around client auth providers in general. I'd like to take on some of this planning over the 1.10 release cycle. |
|
@easeway PR needs rebase |
k8s-github-robot
added
the
needs-rebase
Automatic merge from submit-queue (batch tested with PRs 56161, 56324, 55685, 56409, 55296). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. bootstrap: use gopkg.in import for square/go-jose xref #55514 For 1.10. Ignore while 1.9 code freeze is in effect. ```release-note NONE ```
|
/unassign |
|
Can people interested in this PR take a look at my proposal for external kubectl auth providers? Specifically the "Login" section? |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/stale
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
@easeway let's please close this. please reopen if necessary /close |
What this PR does / why we need it:
Add a new login command to kubectl:
kubectl alpha loginwhich orchestrates interactive user login flow with a local web browser. It provides a convenient way without figuring out id-token and refresh-token with some other mechanisms and copies the values into kubeconfig manually.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #54201
Special notes for your reviewer:
This PR is submitted initially as a proposal. Please provide feedback, and I will help to follow up.
Release note: