make an SA an oauthclient

[deads2k]

Still sorting out how to find the correct redirect URIs and figuring out how I can test it, but I'd like feedback on some API changes and the UPSTREAM patch I need to handle tokens.

Only some SA tokens are valid as client secrets, so users have to opt-in and they can still share SA tokens in general for other systems and purposes without exposing themselves to impersonation like this.

[deads2k]

@openshift/api-review AdditionalSecrets allows us to rotate secrets and allows us to accept multiple SA tokens as valid client secrets.

[deads2k]

Any suggestions for how to write an automated test to check these flows?

[deads2k]

@sgallagher this flow works. Tested using an app from @stevekuznetsov

https://nodejs.org/en/download/package-manager/#enterprise-linux-and-fedora (use the v6 one)
git clone git@github.com:stevekuznetsov/oauth-echo.git
npm install
edit config.js
node index.js

[stevekuznetsov]

I'm not exactly sure what needs to be done to test, but in terms of the app if it's useful, we should:

• test the app on Node 0.10
• S2I it into an image
• write an extended test that deploys it as a pod

Although it would seem like a CLI OAuth client would be better.

[deads2k]

@soltysh unit tests to confirm the safety of what we return, if not the complete working flow.

[deads2k]

@smarterclayton API change here.

[soltysh]

LGTM (including tests). Thanks @deads2k !!!

[smarterclayton]

Oops

On Wed, May 18, 2016 at 3:35 PM, OpenShift Bot notifications@github.com
wrote:

continuous-integration/openshift-jenkins/merge FAILURE (
https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5941/
)

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8878 (comment)

[deads2k]

Oops

Indeed. I think I just thought of a problem I want to solve anyway. SA clients should never get grants automatically given to them. Removing the tag until I get that sorted.

[smarterclayton]

Yeah...

On Wed, May 18, 2016 at 4:04 PM, David Eads notifications@github.com
wrote:

Oops

Indeed. I think I just thought of a problem I want to solve anyway. SA
clients should never get grants automatically given to them. Removing the
tag until I get that sorted.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#8878 (comment)

[liggitt]

@stevekuznetsov had a pull open to let the grant method be per client. Probably need that now

[deads2k]

@stevekuznetsov had a pull open to let the grant method be per client. Probably need that now

Setting up a switch just for SAs makes this mergeable. Allowing configuration per oauth client later would be good, but being able to say prompt or deny now on SAs is safe.

[deads2k]

@soltysh @openshift/api-review take a look at the last commit. It provides a cluster-admin with a switch to control the grant options for SA oauth clients. I think its required for this pull.

[deads2k]

[test]

[soltysh]

Maybe use the OpenShiftApprovePrefix constant here, instead of hardcoding the /oauth/approve endpoint.

[deads2k]

Maybe use the OpenShiftApprovePrefix constant here, instead of hardcoding the /oauth/approve endpoint.

done

[soltysh]

The last commit, LGTM, just a small nit 😉

[deads2k]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/test Running (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/3927/)

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5949/) (Image: devenv-rhel7_4239)

[openshift-bot]

Evaluated for origin test up to e99d31e

[openshift-bot]

Evaluated for origin merge up to 026ba1f