WRKLDS-875: Add oc login external OIDC issuer integration enhancement #1596
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@ardaguclu: This pull request references WRKLDS-875 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
ardaguclu
force-pushed
the
oc-login-external-oidc
branch
2 times, most recently
from
2991f31
to
5c34ae6
Compare
ardaguclu
force-pushed
the
oc-login-external-oidc
branch
from
eca5a7d
to
00a3e4c
Compare
| | | Authorization Code<br/>(public/confidential) | Authorization Code + PKCE<br/>(public/confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Refresh Token<br/>(public/confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | | ||
| |-----------|---------------------------------------------------------------------|---------------------------------------------------------------------|----------------------------|--------------------------------------------------------------------------|-----------------------------------------|--------------------------|-----------------------------------| | ||
| | Supported | Yes | Yes | No | No | Yes | No | No | | ||
| | Comment | Can be used for confidential clients<br/>by passing --client-secret | Can be used for confidential clients<br/>by passing --client-secret | Deprecated | Mostly used in CI systems that <br/>client-secret can be stored securely | If provider supports it | | Deprecated | |
There was a problem hiding this comment.
for the "can be used for confidential clients" cases, is the confidentiality (or not) controlled by the external OIDC provider configuration? if so, let's add a * and explicitly explain that. It's also worth a look for whether say Entra and Keycloak support both public and confidential clients.
I'd also like to see a row for "it just works from the console copy command".
|
|
||
| Supportability (in terms of authentication flows) matrix of this feature is outlined below; | ||
|
|
||
| | | Authorization Code<br/>(public/confidential) | Authorization Code + PKCE<br/>(public/confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Refresh Token<br/>(public/confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | |
There was a problem hiding this comment.
If the "it just works for the console" row will vary based on public or confidential (I bet it will), let's separate the public/confidential into two differnet columns.
There was a problem hiding this comment.
Yes, it will vary based on public or confidential. Separated.
| Moreover, `oc login` command triggers authentication process by sending a request to Project API's whoami endpoint automatically so that | ||
| client-go talks to `oc get-token` command to obtain id token (and also refresh token, if provider supports it). |
There was a problem hiding this comment.
Not sure I fully understand. Project API doesn't have a whoami endpoint?
Are you trying to say that as a part of the login process with oc login, a request is being sent already to the Project API, which in turn triggers the exec credential plugin?
There was a problem hiding this comment.
Are you trying to say that as a part of the login process with oc login, a request is being sent already to the Project API, which in turn triggers the exec credential plugin?
yes
| client-go talks to `oc get-token` command to obtain id token (and also refresh token, if provider supports it). | ||
|
|
||
| There are currently 7 authentication flows grouped around public and confidential clients. Due to the nature of `oc` that is being used widely on local, | ||
| we have decided to support authentication flows only for public clients for now but if there is any different use case in the future, this command can support confidential clients too. |
There was a problem hiding this comment.
Why do we expose the --client-secret flag above, then?
There was a problem hiding this comment.
In case cluster (or system) administrator may want to use Auth Code with client-secret.
There was a problem hiding this comment.
But that's going against the claim here
we have decided to support authentication flows only for public clients for now
There was a problem hiding this comment.
ah, good point, you are right, let me change it
There was a problem hiding this comment.
Removed that "only supports public clients" statements altogether because it is not correct.
| | | Authorization Code<br/>(public) | Authorization Code<br/>(confidential) | Authorization Code + PKCE<br/>(public) | Authorization Code + PKCE<br/>(confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Refresh Token<br/>(public/confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | | ||
| |-----------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------|--------------------------------------------------------------------------|-----------------------------------------|--------------------------|-----------------------------------| | ||
| | Supported | Yes | Yes | Yes | Yes | No | No | Yes | No | No | | ||
| | Comment | | Only if provider supports this[1] | | Only if provider supports this[1] | Deprecated[3] | Mostly used in CI systems that <br/>client-secret can be stored securely | If provider supports it | | Deprecated[4] | |
There was a problem hiding this comment.
let's use this row to break down each cell with
- keycloak - [default|not-default], [configurable|not-configurable]
- entra - [default|not-default], [configurable|not-configurable]
| | | Authorization Code<br/>(public) | Authorization Code<br/>(confidential) | Authorization Code + PKCE<br/>(public) | Authorization Code + PKCE<br/>(confidential) | Implicit Flow<br/>(public) | Client Credentials<br/>(confidential) | Device Code<br/>(public) | Password Grant<br/>(confidential) | | ||
| |------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|----------------------------|-----------------------------------------------------------|-----------------------------------------------------------|-----------------------------------| | ||
| | Supported | Yes | Yes | Yes | Yes | No | No | No | No | | ||
| | Comment | Keycloak - [configurable] Azure Entra ID - [configurable] | Keycloak - [not-configurable] Azure Entra ID - [configurable] | Keycloak - [configurable] Azure Entra ID - [configurable] | Keycloak - [not-configurable] Azure Entra ID - [configurable] | Deprecated[1] | Keycloak - [configurable] Azure Entra ID - [configurable] | Keycloak - [configurable] Azure Entra ID - [configurable] | Deprecated[2] | |
There was a problem hiding this comment.
followup required with keycloak to determine if it's really impossible to configure a confidential client for authorization flows. I'd be extremely suprrised.
|
/label tide-merge-method-squash |
|
@ardaguclu: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/label tide/merge-method-squash |
openshift-ci
bot
added
the
tide/merge-method-squash
|
cell rendering still doesn't show newline on github, but I'm ok dealing with that later /approve will leave lgtm with standa. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/lgtm |
|
/retest |
|
@ardaguclu: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This PR reflects the work has been done to enable oc login supporting external OIDC issuers.
Main motivation behind this PR is to store the historical context of analysis about the changes and
elaborate the reasons for future readers.
PRs have merged in oc;