Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AUTH-440: expand options for the OIDC authenticator #13276

Merged
merged 10 commits into from Jan 16, 2024
Merged

AUTH-440: expand options for the OIDC authenticator #13276

merged 10 commits into from Jan 16, 2024

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Oct 24, 2023
edited

This PR:

  • allow setting scopes different from openid via options
  • add the extra scopes and issuer to the config struct
  • unify both OIDC provider and the OpenShift provider in how the OIDC discovery is queried (continuously in time compared to just during OIDC provider creation)

TODO:

  • - don't rely on username claims in the token
    - if necessary, consume the username from the Self-Subject Review API

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 24, 2023
@openshift-ci openshift-ci bot added the component/backend Related to backend label Oct 24, 2023
@stlaz stlaz changed the title WIP: expand options in the OIDC authenticator WIP: expand options for the OIDC authenticator Oct 25, 2023
@stlaz stlaz force-pushed the direct_oidc_config branch 6 times, most recently from 8baa022 to 73f883e Compare November 7, 2023 10:25
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 8, 2023
@openshift-ci openshift-ci bot added the component/core Related to console core functionality label Nov 8, 2023
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 8, 2023
@stlaz stlaz force-pushed the direct_oidc_config branch 3 times, most recently from c1598c0 to 8591c45 Compare November 22, 2023 10:13
@stlaz stlaz changed the title WIP: expand options for the OIDC authenticator AUTH-440: WIP: expand options for the OIDC authenticator Nov 30, 2023
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 30, 2023
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 30, 2023
edited by openshift-ci bot

@stlaz: This pull request references AUTH-440 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

In response to this:

This PR:

  • allow setting scopes different from openid via options
  • add the extra scopes and issuer to the config struct
  • unify both OIDC provider and the OpenShift provider in how the OIDC discovery is queried (continuously in time compared to just during OIDC provider creation)

TODO:

  • - don't rely on username claims in the token
    - if necessary, consume the username from the Self-Subject Review API

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 30, 2023
@stlaz stlaz changed the title AUTH-440: WIP: expand options for the OIDC authenticator AUTH-440: expand options for the OIDC authenticator Dec 13, 2023
@stlaz
Copy link
Member Author

stlaz commented Jan 2, 2024

/cherry-pick release-4.15

@openshift-cherrypick-robot
Copy link

@stlaz: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jhadvig
jhadvig reviewed Jan 3, 2024
View reviewed changes
Copy link
Member

@jhadvig jhadvig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding couple of comments. Otherwise the PR looks good 👍
Awesome job @stlaz !!!

pkg/auth/auth.go
return nil, err
}

authConfig := &oidcConfig{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The oidcConfig will be a common config for both auth types, openshift and oidc...right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

exactly

pkg/auth/auth.go Outdated Show resolved Hide resolved
pkg/server/server.go
@@ -285,6 +285,7 @@ func (s *Server) HTTPHandler() http.Handler {
handleFunc(authLogoutEndpoint, allowMethod(http.MethodPost, s.handleLogout))
handleFunc(AuthLoginCallbackEndpoint, s.Authenticator.CallbackFunc(fn))
handle(requestTokenEndpoint, authHandler(s.handleClusterTokenURL))
// TODO: only add the following in case the auth type is openshift?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes 👍

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doesn't the external OIDC have an endpoint for invalidating tokens?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC logout URLs exist but are optional

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 10, 2024
edited by openshift-ci bot

@stlaz: This pull request references AUTH-440 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

This PR:

  • allow setting scopes different from openid via options
  • add the extra scopes and issuer to the config struct
  • unify both OIDC provider and the OpenShift provider in how the OIDC discovery is queried (continuously in time compared to just during OIDC provider creation)

TODO:

  • - don't rely on username claims in the token
    - if necessary, consume the username from the Self-Subject Review API

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@stlaz
Copy link
Member Author

stlaz commented Jan 10, 2024

/test e2e-gcp-console

TheRealJon
TheRealJon approved these changes Jan 11, 2024
View reviewed changes
Copy link
Member

@TheRealJon TheRealJon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 11, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 11, 2024
@jhadvig
Copy link
Member

jhadvig commented Jan 11, 2024

QE Approver:
/assign @yapei
Docs Approver:
/assign @opayne1
PX Approver:
/assign @RickJWagner

@opayne1
Copy link
Contributor

opayne1 commented Jan 11, 2024

/label docs-approved

@openshift-ci openshift-ci bot added the docs-approved Signifies that Docs has signed off on this PR label Jan 11, 2024
@yanpzhan
Copy link
Contributor

@stlaz Hi, I go through the pr code, but not sure about the test steps though I launched a cluster against the pr. What should I do exactly against the cluster to test the code? Preparing an usable external OIDC ?

@yapei
Copy link
Contributor

yapei commented Jan 12, 2024

@yanpzhan is working on this PR

@stlaz
Copy link
Member Author

stlaz commented Jan 12, 2024
edited

Hi, I go through the pr code, but not sure about the test steps though I launched a cluster against the pr. What should I do exactly against the cluster to test the code? Preparing an usable external OIDC ?

@yanpzhan for now just make sure that the OpenShift authentication is working as it should. We can test the OIDC part along with openshift/console-operator#811 or whenever we're able to get OIDC environment.

I'll start a slack discussion with you on getting it. For now, if OpenShift authentication works I think the PR should be fine to merge.

@yanpzhan
Copy link
Contributor

@stlaz Thanks, the test about normal authentication on cluster launched against the pr passed, and covered existing idps cases. I will approve the pr.
/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jan 15, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 15, 2024
edited by openshift-ci bot

@stlaz: This pull request references AUTH-440 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

This PR:

  • allow setting scopes different from openid via options
  • add the extra scopes and issuer to the config struct
  • unify both OIDC provider and the OpenShift provider in how the OIDC discovery is queried (continuously in time compared to just during OIDC provider creation)

TODO:

  • - don't rely on username claims in the token
    - if necessary, consume the username from the Self-Subject Review API

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@RickJWagner
Copy link

/label px-approved

@openshift-ci openshift-ci bot added the px-approved Signifies that Product Support has signed off on this PR label Jan 15, 2024
@stlaz
Copy link
Member Author

stlaz commented Jan 15, 2024

/test all

@stlaz
Copy link
Member Author

stlaz commented Jan 15, 2024

/test frontend

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 16, 2024

@stlaz: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 8bde63c into openshift:master Jan 16, 2024
6 checks passed
@openshift-cherrypick-robot
Copy link

@stlaz: new pull request created: #13509

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jan 16, 2024
Merged
@openshift-bot
Copy link
Contributor

[ART PR BUILD NOTIFIER]

This PR has been included in build openshift-enterprise-console-container-v4.16.0-202401160407.p0.g8bde63c.assembly.stream for distgit openshift-enterprise-console.
All builds following this will include this PR.

@openshift-ci-robot openshift-ci-robot mentioned this pull request Feb 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhadvig jhadvig jhadvig left review comments

@TheRealJon TheRealJon TheRealJon approved these changes

@florkbr florkbr Awaiting requested review from florkbr

@jeff-phillips-18 jeff-phillips-18 Awaiting requested review from jeff-phillips-18

Assignees

@TheRealJon TheRealJon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. component/backend Related to backend component/core Related to console core functionality docs-approved Signifies that Docs has signed off on this PR jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. px-approved Signifies that Product Support has signed off on this PR qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet