AUTH-355: Add OAuth2 Authorization Code Grant Flow for login #1402
@liouk: This pull request references AUTH-355 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@stlaz: with
@stlaz: would we need a timeout while waiting for the authentication/authorization to happen via the browser?
@stlaz: would it be a good idea to print the browser URL on the console when
I believe this should be fine - two users would not generally share the same cookie cache.
The wait should be on the client side so I think we can just keep the localhost server running as long as necessary.
definitely
/retest-required
/hold PR commits need squashing before merging
Changed to WIP in order to incorporate AUTH-376.
Marked as WIP due to #1402 (comment)
/hold
/retest-required
/lgtm
@@ -83,6 +87,8 @@ func NewCmdLogin(f kcmdutil.Factory, streams genericclioptions.IOStreams) *cobra | |||
cmds.Flags().StringVarP(&o.Username, "username", "u", o.Username, "Username for server") | |||
cmds.Flags().StringVarP(&o.Password, "password", "p", o.Password, "Password for server") | |||
|
|||
cmds.Flags().BoolVarP(&o.WebLogin, "web", "w", o.WebLogin, "Login with web browser") |
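Review bot: The help text on the new `--web` flag ("Login with web browser") does not say how it interacts with `--username` and `--password`, which are registered just above it in the same hunk. Nothing visible here rejects or documents the combination, so consider either failing option validation when `--web` is given together with a username or password, or extending the help string to state which one wins. The help text could also mention that a browser is launched, since the `-w` shorthand gives no hint of that.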
As asked by @atiratree, what is the expected behavior of this flag against a 4.13 server?
@ardaguclu @atiratree this flag needs the server to have a specific default OAuth client (`openshift-cli-client`) and also the oauth server to have the latest OSIN library; i.e., it needs this code, which will only exist on 4.14 onwards:
- AUTH-356: Add openshift-cli-client OAuth Client cluster-authentication-operator#606
- AUTH-357: update osin to latest version oauth-server#121
- OCPBUGS-5233: update osin to latest version oauth-server#128
Any attempt to invoke `oc login --web` against a pre-4.14 server will result in an error in the browser, as the server won't have the necessary oauth client with which this flow proceeds:
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}
I would not block the PR merge on this, but I think it would be better from a UX perspective if the user got a preemptive error in the CLI that the web authentication is not possible. It could use the same mechanism as we use in
https://github.com/openshift/oc/blob/master/pkg/cli/login/loginoptions.go#L292
/hold cancel
This change adds a new flag called `--web` which launches the system browser with the authorization endpoint as the target. The user can then authenticate and is redirected back to a server which is listening on the loopback address on a random port. The callback receives the authorization code which it can exchange for a token and configure the client.
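The loopback callback described in the commit message, bounded by the timeout raised in review, as an added Go example that is not code from this PR or from `oc`. The names `awaitCode` and `open`, the `/callback` path, and the `state` check are assumptions for illustration, and the token exchange is left out.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// awaitCode (hypothetical helper) accepts one redirect on a loopback port; open stands in for the browser launch.
func awaitCode(state string, timeout time.Duration, open func(redirectURI string)) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only; kernel picks the port
	if err != nil {
		return "", err
	}
	defer ln.Close() // stop listening once the login attempt is over
	got := make(chan url.Values, 1)
	mux := http.NewServeMux()
	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
		select { // only the first callback is considered
		case got <- r.URL.Query():
		default:
		}
		fmt.Fprintln(w, "Return to the terminal.")
	})
	go http.Serve(ln, mux)
	open(fmt.Sprintf("http://%s/callback", ln.Addr()))
	select {
	case q := <-got:
		switch { // validate before the code is exchanged for a token
		case q.Get("state") != state:
			return "", fmt.Errorf("state mismatch, callback rejected")
		case q.Get("error") != "":
			return "", fmt.Errorf("authorization server error: %s", q.Get("error"))
		case q.Get("code") == "":
			return "", fmt.Errorf("callback carried no code")
		}
		return q.Get("code"), nil
	case <-time.After(timeout):
		return "", fmt.Errorf("timed out waiting for browser login")
	}
}

func main() {
	// Constructed values; a real client generates a fresh random state per login.
	sim := func(u string) { go http.Get(u + "?state=constructed-state&code=constructed-code") }
	fmt.Println(awaitCode("constructed-state", 5*time.Second, sim))
}
```

Binding to `127.0.0.1:0` keeps the listener off external interfaces, and the bounded wait means an abandoned browser tab cannot leave the CLI hanging.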
Nice feature!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ardaguclu, liouk, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
9b8d0f8
into
openshift:master
This PR reopens #1031 to add OAuth2 Authorization Code Grant Flow for `oc login`, adding minor improvements to the original PR. This can be invoked with `oc login --web`.
Requires