Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AUTH-355: Add OAuth2 Authorization Code Grant Flow for login #1402

Merged
merged 2 commits into from Jul 5, 2023
Merged

AUTH-355: Add OAuth2 Authorization Code Grant Flow for login #1402

merged 2 commits into from Jul 5, 2023

Conversation

liouk
Copy link
Member

@liouk liouk commented Apr 11, 2023
edited

This PR reopens #1031 to add OAuth2 Authorization Code Grant Flow for oc login, adding minor improvements to the original PR. This can be invoked with oc login --web.

Requires

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 11, 2023
@openshift-ci-robot
Copy link

openshift-ci-robot commented Apr 11, 2023
edited by openshift-ci bot

@liouk: This pull request references AUTH-355 which is a valid jira issue.

In response to this:

This PR reopens #1031 to add OAuth2 Authorization Code Grant Flow for oc login, adding minor improvements to the original PR. This can be invoked with oc login --web.

Requires

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 11, 2023
@openshift-ci openshift-ci bot requested review from deads2k and soltysh April 11, 2023 14:37
@liouk
Copy link
Member Author

liouk commented Apr 11, 2023

@stlaz: with oc login --web the user logs in the openshift console on the browser and thus authorizes the code grant; this also means that as long as the user is logged in the openshift console, there won't be a prompt for login, so subsequent invocations of oc login --web will result in automatic grants. If one needs to login with a different user, they would first need to logout from the openshift console -- is this desired/acceptable?

@liouk
Copy link
Member Author

liouk commented Apr 11, 2023

@stlaz: would we need a timeout while waiting for the authentication/authorization to happen via the browser?

@liouk
Copy link
Member Author

liouk commented Apr 11, 2023

@stlaz: would it be a good idea to print the browser URL on the console when oc login --web is invoked, in case the user needs to manually open it? (e.g. automatically opening it didn't work, user accidentally closed tab)

@stlaz
Copy link
Member

stlaz commented Apr 24, 2023

oc login --web the user logs in the openshift console on the browser and thus authorizes the code grant; this also means that as long as the user is logged in the openshift console, there won't be a prompt for login, so subsequent invocations of oc login --web will result in automatic grants. If one needs to login with a different user, they would first need to logout from the openshift console -- is this desired/acceptable?

I believe this should be fine - two users would not generally share the same cookie cache.

would we need a timeout while waiting for the authentication/authorization to happen via the browser?

The wait should be on the client side so I think we can just keep the localhost server running as long as necessary.

would it be a good idea to print the browser URL on the console when oc login --web is invoked, in case the user needs to manually open it? (e.g. automatically opening it didn't work, user accidentally closed tab)

definitely

@liouk
Copy link
Member Author

liouk commented Apr 24, 2023

/retest-required

@liouk liouk changed the title [WIP]: AUTH-355: Add OAuth2 Authorization Code Grant Flow for login AUTH-355: Add OAuth2 Authorization Code Grant Flow for login Apr 25, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 25, 2023
@liouk liouk changed the title AUTH-355: Add OAuth2 Authorization Code Grant Flow for login [WIP]: AUTH-355: Add OAuth2 Authorization Code Grant Flow for login Apr 25, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 25, 2023
@liouk liouk changed the title [WIP]: AUTH-355: Add OAuth2 Authorization Code Grant Flow for login AUTH-355: Add OAuth2 Authorization Code Grant Flow for login May 4, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 4, 2023
@liouk
Copy link
Member Author

liouk commented May 4, 2023

/hold

PR commits need squashing before merging

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 4, 2023
@liouk liouk changed the title AUTH-355: Add OAuth2 Authorization Code Grant Flow for login [WIP] AUTH-355: Add OAuth2 Authorization Code Grant Flow for login May 10, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 10, 2023
@liouk
Copy link
Member Author

liouk commented May 10, 2023
edited

Changed to WIP in order to incorporate AUTH-376.

@openshift-ci-robot
Copy link

openshift-ci-robot commented May 10, 2023
edited by openshift-ci bot

@liouk: This pull request references AUTH-355 which is a valid jira issue.

In response to this:

This PR reopens #1031 to add OAuth2 Authorization Code Grant Flow for oc login, adding minor improvements to the original PR. This can be invoked with oc login --web.

Requires

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liouk liouk changed the title [WIP] AUTH-355: Add OAuth2 Authorization Code Grant Flow for login AUTH-355: Add OAuth2 Authorization Code Grant Flow for login May 10, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 10, 2023
@liouk liouk mentioned this pull request May 17, 2023
Merged
@liouk
Copy link
Member Author

liouk commented May 17, 2023
edited

Rebase requires

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 17, 2023
@liouk liouk changed the title AUTH-355: Add OAuth2 Authorization Code Grant Flow for login WIP: AUTH-355: Add OAuth2 Authorization Code Grant Flow for login May 30, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 30, 2023
@liouk
Copy link
Member Author

liouk commented May 30, 2023

Marked as WIP due to #1402 (comment)

@liouk liouk changed the title WIP: AUTH-355: Add OAuth2 Authorization Code Grant Flow for login AUTH-355: Add OAuth2 Authorization Code Grant Flow for login Jun 21, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 21, 2023
@liouk
Copy link
Member Author

liouk commented Jun 21, 2023
edited

/hold
should merge only after the following dependencies (as discussed with workloads team):

@liouk
Copy link
Member Author

liouk commented Jun 22, 2023

/retest-required
infrastructure issues

@stlaz
Copy link
Member

stlaz commented Jul 3, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2023
ardaguclu
ardaguclu reviewed Jul 4, 2023
View reviewed changes
pkg/cli/login/login.go
@@ -83,6 +87,8 @@ func NewCmdLogin(f kcmdutil.Factory, streams genericclioptions.IOStreams) *cobra
cmds.Flags().StringVarP(&o.Username, "username", "u", o.Username, "Username for server")
cmds.Flags().StringVarP(&o.Password, "password", "p", o.Password, "Password for server")

cmds.Flags().BoolVarP(&o.WebLogin, "web", "w", o.WebLogin, "Login with web browser")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As being asked by @atiratree, what is the expected behavior of this flag against 4.13 server?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ardaguclu @atiratree this flag needs the server to have a specific default OAuth client (openshift-cli-client) and also the oauth server to have the latest OSIN library; i.e., it needs this code, which will only exist on 4.14 onwards:

Any attempt to invoke oc login --web against a pre 4.14 server will result on an error on the browser, as the server won't have the necessary oauth client with which this flow proceeds:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}

Copy link
Member

@atiratree atiratree Jul 4, 2023
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not block the PR merge on this, but I think it would be better from UX perspective if the user got a preemptive error in the CLI that the web authentication is not possible. It could use the same mechanism as we use in

https://github.com/openshift/oc/blob/master/pkg/cli/login/loginoptions.go#L292

@atiratree
Copy link
Member

@liouk opened a rebase of the dependent PR to pull in the library-go changes: #1495

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 4, 2023
@ardaguclu ardaguclu mentioned this pull request Jul 5, 2023
Merged
@ardaguclu
Copy link
Member

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 5, 2023
liouk added 2 commits July 5, 2023 10:59
@liouk
add github.com/pkg/browser to go.mod and vendor
b6d3b0d
@liouk
add login flow using a browser
23ffd2d 
This change adds a new flag called `--web` which launches the system
browser with the authorization endpoint as the target. The user can then
authenticate and is redirected back to a server which is listening on
the loopback address on a random port. The callback receives the
authorization code which it can exchange for a token and configure the
client.
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 5, 2023
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 5, 2023
@ardaguclu
Copy link
Member

Nice feature!
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 5, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 5, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, liouk, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 5, 2023
@openshift-merge-robot openshift-merge-robot merged commit 9b8d0f8 into openshift:master Jul 5, 2023
11 of 12 checks passed
@liouk liouk mentioned this pull request Nov 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stlaz stlaz stlaz left review comments

@atiratree atiratree atiratree left review comments

@ardaguclu ardaguclu ardaguclu left review comments

@deads2k deads2k Awaiting requested review from deads2k

@soltysh soltysh Awaiting requested review from soltysh

Assignees

@stlaz stlaz

@ardaguclu ardaguclu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@liouk @openshift-ci-robot @stlaz @atiratree @ardaguclu @openshift-merge-robot