Idp specific default flows #123
Conversation
Open a specific IdP web flow for the user, skipping the main "select IdP" page.
Signed-off-by: houdini91 <mdstrauss91@gmail.com>
This is an interesting idea, but hard-codes the current deployment state of the public service into the (hopefully) more generic codebase, which I'd generally like to avoid. If we were to switch to a different provider (e.g. keycloak), this would require code changes to adapt. I think you can append
@bobcallaway Or maybe you meant applications using the Sigstore library will implement their own
I'm good with the additions to the InteractiveTokenGetter struct (minus the nit about the field name). Are you thinking we should leave in the changes in pkg/oauthflow/flow.go or were they there just as an example?
@bobcallaway
@bobcallaway
Turns out sigstore/fulcio#204 broke the connector_id argument.
the connector IDs did change, but I think this patch is still valid if we update them to match... |
@bobcallaway
@bobcallaway I can use the new connector_id values to choose between IdPs.
After the change, do the Default(provider)IDTokenGetter make more sense as part of the code base?
I think it's fine if you want to put them in.
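As an added illustration of the mechanism the thread is discussing (this is not code from this PR or from the sigstore library): building the OIDC authorization request so that Dex's `connector_id` query parameter sends the user straight to one upstream provider, versus leaving it out so the selection page is shown. The authorization endpoint, client ID, redirect URI and the three connector IDs are assumed values for illustration only; the real ones are deployment state of oauth2.sigstore.dev and, as the thread notes, have already changed once. The example uses only the Go standard library so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Connector IDs for the public Sigstore OAuth2/Dex instance are deployment
// state, not protocol. The values below are ASSUMED for illustration and must
// be checked against the live deployment (the thread notes they already
// changed once, in sigstore/fulcio#204).
const (
	assumedPublicAuthURL = "https://oauth2.sigstore.dev/auth/auth"
	assumedClientID      = "sigstore"
	assumedRedirectURI   = "http://localhost:0/auth/callback"
)

var assumedPublicConnectorIDs = map[string]string{
	"github":    "https://github.com/login/oauth",
	"google":    "https://accounts.google.com",
	"microsoft": "https://login.microsoftonline.com",
}

// AuthCodeURL builds the authorization-code request. When connectorID is
// non-empty the Dex "connector_id" parameter is appended, which makes Dex skip
// its IdP selection page and go straight to that upstream provider. An empty
// connectorID keeps the generic flow (selection page shown). state and nonce
// are mandatory: they bind the callback and the ID token to this request.
func AuthCodeURL(authURL, clientID, redirectURI, state, nonce, connectorID string) (string, error) {
	if state == "" || nonce == "" {
		return "", errors.New("state and nonce are required")
	}
	u, err := url.Parse(authURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email")
	q.Set("state", state)
	q.Set("nonce", nonce)
	if connectorID != "" {
		q.Set("connector_id", connectorID)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// PublicInstanceAuthCodeURL is the deployment-specific convenience the PR is
// about: it resolves a provider name to the public instance's connector ID and
// refuses unknown providers instead of emitting a connector_id Dex would reject.
func PublicInstanceAuthCodeURL(provider, state, nonce string) (string, error) {
	connectorID, ok := assumedPublicConnectorIDs[provider]
	if !ok {
		return "", fmt.Errorf("unknown provider %q for the public instance", provider)
	}
	return AuthCodeURL(assumedPublicAuthURL, assumedClientID, assumedRedirectURI, state, nonce, connectorID)
}

// ConnectorIDOf extracts connector_id from an authorization URL ("" if absent),
// so a caller can assert which flow a getter will trigger before opening a browser.
func ConnectorIDOf(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("connector_id"), nil
}

func main() {
	generic, _ := AuthCodeURL(assumedPublicAuthURL, assumedClientID, assumedRedirectURI, "s1", "n1", "")
	fmt.Println("generic (selection page):", generic)
	gh, _ := PublicInstanceAuthCodeURL("github", "s1", "n1")
	fmt.Println("github direct:", gh)
}
```

Keeping the provider table in one place, as `PublicInstanceAuthCodeURL` does, is what makes the hard-coding tolerable: when the deployment's connector IDs change again, only that table moves, and `AuthCodeURL` itself stays deployment-agnostic.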
@@ -36,6 +37,11 @@ const htmlPage = `<html> | |||
</html> | |||
` | |||
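Review bot: the five lines this hunk adds right after the `htmlPage` raw string (header `@@ -36,6 +37,11 @@`) are not reproduced here, so the review point from the thread has to be applied blind: any declarations placed there that carry a `connector_id` value or a per-provider token getter should be commented as valid only for oauth2.sigstore.dev, since those IDs are deployment state that already changed once (sigstore/fulcio#204, per the thread) and a generic `InteractiveTokenGetter` user may otherwise take them for protocol constants.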
Perhaps we should add some comments to these (as well as updating the names) to denote that they are only meant to be used with oauth2.sigstore.dev; otherwise this LGTM
I updated a few names and comments.
Did you mean renaming the Default[provider]IDTokenGetter as well?
Is there any specific naming prefix you would rather?
PublicInstance, SigstoreDev, ...?
I'm fine with PublicInstance as you propose here. I think with renaming the IDTokenGetters we'd be ready to merge this. Thanks for the persistence on getting this to the finish line :)
No problem, it's my pleasure, thanks for the review.
It's my first contribution; slowly I hope to help out.
If you like, you can take a look at other PRs I have open on cosign and go-securesystemslib.
Suggestion:
Adding interactive flows for each specific identity provider, allowing users to skip the main IdP selection page.
I think one less click can improve the UX a bit.
A further UX improvement is gained when the browser uses a default IdP account: the user may not need to intervene interactively at all.
Such a pseudo-auto flow may also be valuable in automation use cases, for example a git hook signing SLSA provenance.
Hope this helps.
mikey strauss