New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AUTH-440: expand options for the OIDC authenticator #13276
AUTH-440: expand options for the OIDC authenticator #13276
Conversation
61a3e8b
to
cde9819
Compare
8baa022
to
73f883e
Compare
496c7a8
to
a96ce97
Compare
a96ce97
to
0b0ea5b
Compare
c1598c0
to
8591c45
Compare
@stlaz: This pull request references AUTH-440 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
8591c45
to
da00eaa
Compare
/cherry-pick release-4.15 |
@stlaz: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding couple of comments. Otherwise the PR looks good 👍
Awesome job @stlaz !!!
return nil, err | ||
} | ||
|
||
authConfig := &oidcConfig{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The oidcConfig
will be a common config for both auth types, openshift and oidc...right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exactly
@@ -285,6 +285,7 @@ func (s *Server) HTTPHandler() http.Handler { | |||
handleFunc(authLogoutEndpoint, allowMethod(http.MethodPost, s.handleLogout)) | |||
handleFunc(AuthLoginCallbackEndpoint, s.Authenticator.CallbackFunc(fn)) | |||
handle(requestTokenEndpoint, authHandler(s.handleClusterTokenURL)) | |||
// TODO: only add the following in case the auth type is openshift? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doesn't the external OIDC have an endpoint for invalidating tokens?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC logout URLs exist but are optional
6ca44f3
to
32227f8
Compare
32227f8
to
4f41023
Compare
@stlaz: This pull request references AUTH-440 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/test e2e-gcp-console |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stlaz, TheRealJon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
QE Approver: |
/label docs-approved |
@stlaz Hi, I go through the pr code, but not sure about the test steps though I launched a cluster against the pr. What should I do exactly against the cluster to test the code? Preparing an usable external OIDC ? |
@yanpzhan is working on this PR |
@yanpzhan for now just make sure that the OpenShift authentication is working as it should. We can test the OIDC part along with openshift/console-operator#811 or whenever we're able to get OIDC environment. I'll start a slack discussion with you on getting it. For now, if OpenShift authentication works I think the PR should be fine to merge. |
@stlaz Thanks, the test about normal authentication on cluster launched against the pr passed, and covered existing idps cases. I will approve the pr. |
@stlaz: This pull request references AUTH-440 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/label px-approved |
/test all |
/test frontend |
@stlaz: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@stlaz: new pull request created: #13509 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[ART PR BUILD NOTIFIER] This PR has been included in build openshift-enterprise-console-container-v4.16.0-202401160407.p0.g8bde63c.assembly.stream for distgit openshift-enterprise-console. |
This PR:
openid
via optionsTODO:
- if necessary, consume the username from the Self-Subject Review API