New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OpenID Connect Token authenticator #167

Open

puiterwijk wants to merge 1 commit into latchset:master from puiterwijk:oidcauthn

puiterwijk commented Apr 16, 2017

Signed-off-by: Patrick Uiterwijk puiterwijk@redhat.com

puiterwijk force-pushed the oidcauthn branch 2 times, most recently from cf4aabe to bdc2a78 Compare

April 16, 2017 08:57


          Add OpenID Connect Token authenticator

9c2f03d

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

puiterwijk force-pushed the oidcauthn branch from bdc2a78 to 9c2f03d Compare

April 16, 2017 09:02

codecov-io commented Apr 16, 2017

Codecov Report

Merging #167 into master will decrease coverage by 0.53%.
The diff coverage is 19.51%.

@@            Coverage Diff             @@
##           master     #167      +/-   ##
==========================================
- Coverage   60.02%   59.48%   -0.54%     
==========================================
  Files          36       36              
  Lines        3042     3083      +41     
  Branches      338      345       +7     
==========================================
+ Hits         1826     1834       +8     
- Misses       1126     1159      +33     
  Partials       90       90

Impacted Files	Coverage Δ
custodia/httpd/authenticators.py	`30.53% <19.51%> (-5.03%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d717c05...9c2f03d. Read the comment docs.

tiran requested changes

View reviewed changes

Member

tiran left a comment

Thanks Patrick, I left a couple of comments.

custodia/httpd/authenticators.py



		class OpenIDCTokenAuth(HTTPAuthenticator):
		token_info_url = PluginOption(str, None,

Member

tiran Apr 18, 2017

You can use REQUIRED to make an option mandatory

custodia/httpd/authenticators.py

+                              return False
+                      elif request.get('access_token'):
+                          self.logger.debug('Token provided in form')
+                          token = request.get('access_token')

Member

tiran Apr 18, 2017

request['access_token]

custodia/httpd/authenticators.py

+                          self.logger.debug('Missing any credentials in request')
+                          return False
+                      if not token:

Member

tiran Apr 18, 2017

Is it necessary to check token again?

custodia/httpd/authenticators.py

+                      try:
+                          tokeninfo = self._get_token_info(token)
+                      except:

Member

tiran Apr 18, 2017

Please don't use a bare except. except Exception

custodia/httpd/authenticators.py

+                  scope = PluginOption(str, 'custodia', 'OAuth2 scope to require')
+                  def _get_token_info(self, token):
+                      return requests.post(self.token_info_url,

Member

tiran Apr 18, 2017

Other plugins accept a CA cert argument to customize TLS verification. We could have global option for trusted CA cert, too.

custodia/httpd/authenticators.py

@@ @@ -131,3 +133,62 @@ def handle(self, request): @@
                       self.audit_svc_access(log.AUDIT_SVC_AUTH_FAIL,
                                             request['client_id'], dn)
                       return False
+              class OpenIDCTokenAuth(HTTPAuthenticator):

Member

tiran Apr 18, 2017

Please add a doc string with an example how to configure and use this plugin with e.g. Ipsilon.

tiran added this to the 0.6 milestone

tiran modified the milestones: future, 0.6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment