GitHub oauth #3
You need openid currently but I intend to look into pure oauth shortly. Another option would be to run keycloak with GitHub as an identity provider. I'm working on making the scope of the project a generic external auth service (I haven't committed the changes yet) but with the changes I've made supporting additional services will be much easier and plugin based (I've already implemented ldap in the new code). Given how closely related oauth and openid are I don't think it will require much to get it going.
That sounds great. My use case is just a bunch of home or dev clusters which should not have any stateful software like keycloak...
Ok, note that this project stores data in memory or redis so there's a stateful component to even this. Also note, the authorization code flow (primary focus of this and similar projects) doesn't work so great with SPAs (single page apps) so depending on what you're running it may or may not be useful. Works great for traditional server-side apps though :)
Yes but even if you clear the redis data or memory you will just lose the active sessions. In case of keycloak you will lose all users which are stored in postgres. I just want to secure applications like Prometheus and other internal tools.
True. And even if the session goes away typically you would still be authenticated at the provider so it wouldn't require a full login per se. Prometheus (or presumably grafana) is a SPA and I can try it out for ya to see how well it works. Basically this project would work fine for those use cases as well if you turn off some of the validity checks (ie: expired tokens) and enable cookie expiration. I can give further explanation if you'd like.
What especially would not work with SPA sites? I think of these applications:
Ok, just landed a massive commit which implements pure To answer your question, unless the token/session does not expire it's not great for SPA. In the case of If not, I've now implemented a pipeline process so you could service the request with
@runningman84 as an FYI I'm implementing some infrastructure to support fetching user info with provider specific configuration using the
Additionally it would be great to have support for GitHub organizations and corresponding teams.
This is the corresponding oauth proxy config:
Done and done.
@runningman84 looking for a little feedback here if you think this will help your use-case. Basically my approach with
Subsequently, in the
Does this make sense? I'm basically taking the approach of let you assert on whatever field(s) you want with various Does it fulfill the need?
That sounds good. Can you already give me a full example config how to use traefik with your auth provider and GitHub integration?
@runningman84 yeah of course. Can you share the assertion(s) you like to use on the user/orgs/teams? I'll build those in.
I have these use cases:
@runningman84 got it. Do you want the sessions to ever expire? Independent of that, how frequently would you like the
In a perfect world both values can be configured. Session expire never and refresh one hour sounds like good defaults.
Btw. maybe sometimes you want to allow multiple teams or multiple individual users.
@runningman84 both are configurable yes. And I do have queued up assertion methods of Multiple individual users is already supported. Depending on what you mean by multiple teams it should be covered by one of the above.
@runningman84 are you using kubernetes or some other environment? Just getting ready to draft up a doc..
I am using kubernetes
@runningman84 OK, I've written a howto using github as the example. It should be right in the direction you need. I omitted including custom assertions in the example Thanks for the feedback and willingness to try it out!
That sounds great I will test that next week and provide you with feedback
@travisghansen the auth server seems to work. But I do not really understand how to configure the assertions. Your default config looks like
Where do I store the custom config as described here? exp: true is not really documented... Maybe you can improve your example to contain a simple username matching?
@runningman84 good timing, I just landed expanded support for assertions (slightly updated syntax).
The documentation definitely needs some help :) Just letting the dust settle a bit before going too wild with it.
I forgot to mention, make sure to pull that latest code/image to use the above syntax.
I had a little bug in the version I mentioned to pull in the last comment. It's been cleaned up FYI and I'm very close to tagging a release finally.
I just changed the config to include the userinfo like this:
But now every protected service throws a 500 http error. Maybe my container is too old? I also do not understand your helm chart, you are using an imagePullPolicy config but this is commented out in the values.yaml.
@runningman84 can you send over the logs to review? It could be an older image yes. The Kubernetes' logic is:
So if you deployed with the chart and left that value alone, then simply
I just deleted the pod... but the error is still the same. My logs are quite limited:
traefik does not have any log at this timeframe....
If the request is erroring 500 you should see some error spit out on the container logs. Unless the traefik server is failing before it ever makes it there. Can you try to revert the config token back to what it was and tell me if it starts working again?
I reverted some sites back to the old config but the error is still there. Does the external auth server provide some debug logs?
Can you try with a private/incognito browser? I experienced something similar while developing where all the cookies data combined was quite large (cookie data from other services etc all combined) and it silently failed. Wondering if you've hit the same issue.. Related, I originally designed the server to store all session data (ie: stateless server side) in the cookie but quickly hit browser limits which is why I changed the design to store the sessions server side (redis/memory) and make the cookie simply be a session ID.
Incognito mode does not change anything :/
Must not be that then. If you deployed with the chart then you can set the
I mean, you should see some data logging already if the server is receiving requests etc. Are you seeing anything in the logs at all? Might be good to setup a screenshare/conference to see if that's helpful at all.. Can you send the full response you're getting at the browser?
Ok I have fixed the problem. My traefik service got a new loadbalancer ip and my fritzbox was still forwarding the packets to the old ip. How does the communication work? Does traefik only internally talk to the ingress.kubernetes.io/auth-url? Or is the ingress.kubernetes.io/auth-url also accessed by the client browser?
@runningman84 For the Does that make sense?
Did you get the assertions to work?
I guess yes but you can do the final test. Just check your mails.
Do you have an example for these use cases?
@runningman84 this is a bit nuanced depending on what you really want. But here are a couple examples using team/org IDs (I'd recommend that over names). For your first use-case there are a couple ways:
For the second use-case (I'm assuming team IDs are globally unique):
If you want to allow to be part of a list of teams/orgs change the method to If fetching
Lastly, remember that all the assertions added are LOGICAL AND, meaning ALL of them must pass assertion or the result is a failure.
Any luck with these?
I suppose they will work but I cannot really test it because the browser complains about a too long url.
Can you give me more detail? Something I can look into?
Github throws this error:
The url looks like this:
That's pretty strange by itself. Even more so that adding assertions would impact it at all. Do you only get that with the added assertions or does it do that generally to you now?
I haven't had time to reproduce it myself. A team member tried it. Do you have an ETA for the server side configuration?
It's the next big item for me. Wrapping up some header work and then on to that. Mostly struggling how to configure that and keep it flexible. Store them in redis? SQL based storage? Or something else altogether...like hitting some other url and let it be completely managed externally? Any feedback is welcome on that front :)
I would like to store the config in a configmap using helm. I would rather have the auth server without any persistent storage. Imagine there is some kind of storage problem and you cannot access some admin services because their auth relies on storage too.
Wise words!
I'm very close to landing server-side token support. I dreamed up a structure I really like that I think will be flexible and sane. I'm guessing I'll have it landed in the Guessing
Just landed server-side tokens among other things. See
Anything else you need on this issue?
@travisghansen I got this error while using your github org example:
My config looks like this:
Do you have any idea how to fix this issue? (12345678 is our redacted github org id)
I spent some time debugging this issue. It looks like the organizations is empty for my users. Funny enough my users have a team array which also contains an organisation id. This is from the debug logs:
Interesting, I don't know enough about the GitHub API to say one way or another but glad you got it worked out! If you need further help I can dig a little deeper just reopen and let me know.
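An added example, not the project's configuration syntax or code, covering two points from the thread: the maintainer's note that all configured assertions are ANDed, and the later finding that the userinfo document's organizations list was empty while each team carried its organization id. The dotted path syntax, the method names "eq" and "in", and the sample userinfo document are hypothetical/constructed; 12345678 is the redacted org id already quoted in the thread.

```javascript
// Added example (not external-auth-server's own code): evaluate membership
// assertions against a GitHub-style userinfo document and AND the results.

// Constructed userinfo reproducing the situation in the thread: organizations
// is empty, but every team carries its organization id.
const sampleUserinfo = {
  login: "alice",
  id: 1001,
  organizations: [],
  teams: [
    { id: 2001, slug: "ops", organization: { id: 12345678 } },
    { id: 2002, slug: "sre", organization: { id: 12345678 } },
  ],
};

// Walk a dotted path (hypothetical syntax). When an intermediate value is an
// array, the key is applied to every element and the results are flattened,
// so "teams.organization.id" yields [12345678, 12345678].
function getPath(obj, path) {
  let cur = obj;
  for (const key of path.split(".")) {
    if (cur === undefined || cur === null) return undefined;
    if (Array.isArray(cur)) {
      cur = cur.flatMap(item => (item != null && item[key] !== undefined ? [item[key]] : []));
    } else {
      cur = cur[key];
    }
  }
  return cur;
}

// One assertion is { path, method, value } (hypothetical shape):
//   eq: some resolved value strictly equals `value`
//   in: some resolved value is contained in the allowed list `value`
function evaluateAssertion(userinfo, assertion) {
  const resolved = getPath(userinfo, assertion.path);
  const values = Array.isArray(resolved) ? resolved : [resolved];
  switch (assertion.method) {
    case "eq":
      return values.some(v => v === assertion.value);
    case "in":
      return values.some(v => assertion.value.includes(v));
    default:
      throw new Error(`unknown assertion method: ${assertion.method}`);
  }
}

// LOGICAL AND: every assertion must pass. An empty list is treated as a
// misconfiguration and denies (fail closed) rather than allowing everyone.
function authorize(userinfo, assertions) {
  if (assertions.length === 0) return false;
  return assertions.every(a => evaluateAssertion(userinfo, a));
}
```

With this document an org assertion on `organizations.id` fails, because there is nothing to match, while the same id asserted on `teams.organization.id` passes; that is the behaviour the debug logs in the thread point at. Asserting on numeric ids rather than names, as the maintainer recommends, also means a renamed org or team does not silently change who is admitted.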
Do you really need a full openid provider or would a GitHub oauth application also work?