-
Notifications
You must be signed in to change notification settings - Fork 466
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WRKLDS-875: Add oc login external OIDC issuer integration enhancement #1596
WRKLDS-875: Add oc login external OIDC issuer integration enhancement #1596
Conversation
@ardaguclu: This pull request references WRKLDS-875 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
2991f31
to
5c34ae6
Compare
eca5a7d
to
00a3e4c
Compare
| | Authorization Code<br/>(public/confidential) | Authorization Code + PKCE<br/>(public/confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Refresh Token<br/>(public/confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | | ||
|-----------|---------------------------------------------------------------------|---------------------------------------------------------------------|----------------------------|--------------------------------------------------------------------------|-----------------------------------------|--------------------------|-----------------------------------| | ||
| Supported | Yes | Yes | No | No | Yes | No | No | | ||
| Comment | Can be used for confidential clients<br/>by passing --client-secret | Can be used for confidential clients<br/>by passing --client-secret | Deprecated | Mostly used in CI systems that <br/>client-secret can be stored securely | If provider supports it | | Deprecated | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for the "can be used for confidential clients" cases, is the confidentiality (or not) controlled by the external OIDC provider configuration? if so, let's add a *
and explicitly explain that. It's also worth a look for whether say Entra and Keycloak support both public and confidential clients.
I'd also like to see a row for "it just works from the console copy command".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
|
||
Supportability (in terms of authentication flows) matrix of this feature is outlined below; | ||
|
||
| | Authorization Code<br/>(public/confidential) | Authorization Code + PKCE<br/>(public/confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Refresh Token<br/>(public/confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the "it just works for the console" row will vary based on public or confidential (I bet it will), let's separate the public/confidential into two differnet columns.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it will vary based on public or confidential. Separated.
Moreover, `oc login` command triggers authentication process by sending a request to Project API's whoami endpoint automatically so that | ||
client-go talks to `oc get-token` command to obtain id token (and also refresh token, if provider supports it). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I fully understand. Project API doesn't have a whoami endpoint?
Are you trying to say that as a part of the login process with oc login
, a request is being sent already to the Project API, which in turn triggers the exec credential plugin?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you trying to say that as a part of the login process with oc login, a request is being sent already to the Project API, which in turn triggers the exec credential plugin?
yes
client-go talks to `oc get-token` command to obtain id token (and also refresh token, if provider supports it). | ||
|
||
There are currently 7 authentication flows grouped around public and confidential clients. Due to the nature of `oc` that is being used widely on local, | ||
we have decided to support authentication flows only for public clients for now but if there is any different use case in the future, this command can support confidential clients too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we expose the --client-secret
flag above, then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In case cluster (or system) administrator may want to use Auth Code with client-secret.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But that's going against the claim here
we have decided to support authentication flows only for public clients for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, good point, you are right, let me change it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed that "only supports public clients" statements altogether because it is not correct.
| | Authorization Code<br/>(public) | Authorization Code<br/>(confidential) | Authorization Code + PKCE<br/>(public) | Authorization Code + PKCE<br/>(confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Refresh Token<br/>(public/confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | | ||
|-----------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------|--------------------------------------------------------------------------|-----------------------------------------|--------------------------|-----------------------------------| | ||
| Supported | Yes | Yes | Yes | Yes | No | No | Yes | No | No | | ||
| Comment | | Only if provider supports this[1] | | Only if provider supports this[1] | Deprecated[3] | Mostly used in CI systems that <br/>client-secret can be stored securely | If provider supports it | | Deprecated[4] | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's use this row to break down each cell with
- keycloak - [default|not-default], [configurable|not-configurable]
- entra - [default|not-default], [configurable|not-configurable]
| | Authorization Code<br/>(public) | Authorization Code<br/>(confidential) | Authorization Code + PKCE<br/>(public) | Authorization Code + PKCE<br/>(confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | | ||
|------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------|-----------------------------------------------------------|-----------------------------------------------------------|-----------------------------------| | ||
| Supported | Yes | Yes | Yes | Yes | No | No | No | No | | ||
| Comment | Keycloak - [configurable] Azure Entra ID - [configurable] | Keycloak - [not-configurable] Azure Entra ID - [configurable] | Keycloak - [configurable] Azure Entra ID - [configurable] | Keycloak - [not-configurable] Azure Entra ID - [configurable] | Deprecated[1] | Keycloak - [configurable] Azure Entra ID - [configurable] | Keycloak - [configurable] Azure Entra ID - [configurable] | Deprecated[2] | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
followup required with keycloak to determine if it's really impossible to configure a confidential client for authorization flows. I'd be extremely suprrised.
/label tide-merge-method-squash |
@ardaguclu: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/label tide/merge-method-squash |
cell rendering still doesn't show newline on github, but I'm ok dealing with that later /approve will leave lgtm with standa. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
/retest |
@ardaguclu: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This PR reflects the work has been done to enable oc login supporting external OIDC issuers.
Main motivation behind this PR is to store the historical context of analysis about the changes and
elaborate the reasons for future readers.
PRs have merged in oc;