
[Feature]: CF API client can successfully request an oauth token #1294

Closed
acosta11 opened this issue Jun 30, 2022 · 2 comments
acosta11 commented Jun 30, 2022

Background

The CF CLI logs command makes multiple requests on behalf of the user to logging read endpoint until cancelled. To facilitate the continued streaming of logs, the cli spawns a separate goroutine to also update the oauth token used to authenticate those requests. But when configured for K8s, the log cache client does not authenticate using the oauth token, instead it uses the auth information stored in the user’s kubeconfig file. Ideally, this would also imply that the token refresh is skipped, but this does not appear to be the case. In the absence of that conditional logic, we can stub out a token response under the assumption that it won't be used.

As a CF CLI user
I want the CF CLI to be able to request an oauth token
So that I can use cf logs, which tries to keep an oauth token refreshed while streaming

Also in the future, perhaps we could enhance the auth capabilities of the cli and api to facilitate rotation of the user cert used for identity should the installation include something like pinniped for identity management.

Acceptance Criteria

GIVEN an installation of Korifi API
WHEN I make an authenticated request of the form

POST /oauth/token HTTP/1.1
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]

THEN I get a successful response of the form

HTTP/1.1 200 OK
Content-Type: application/json
{
  "token_type": "Bearer",
  "access_token": "dXNlcm5hbWVfbG9va3VwX2NsaWVudF9uYW1lOnVzZXJuYW1lX2xvb2t1cF9zZWNyZXQ="
}

where the content of the token needs to be valid but is arbitrary.

WHEN I am not authenticated and make a request of the form

POST /oauth/token HTTP/1.1
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]

THEN I get a 401 Unauthorized response (we should get this for free from our authn middleware)

Dev Notes

The token contents may need to be a valid jwt for the cli to parse the response, but should not be materially used beyond that point. It looks like the expiration time determines when the cli will next try to refresh if anything.

julian-hj added a commit that referenced this issue Jul 14, 2022
- The CF CLI requires a token endpoint during log streaming
- This endpoint provides a token with a valid expiration, which allows
  the CLI to proceed. The token is not used for actual authentication so
  it only needs to be in a parsable format.
- Eventually the CLI will be updated to skip this call but for now we
  need it.

[#1294]

Co-authored-by: Matt Royal <mroyal@vmware.com>
Co-authored-by: Julian Hjortshoj <hjortshojj@vmware.com>
@julian-hj commented:

Note:
we created an unauthenticated endpoint for /oauth/token that just gives out tokens to anybody who wants one. The reason we did that was that the CLI doesn't think it is talking to the CF API, so it doesn't send the normal authentication headers, and instead sends some OAUTH thing. Rather than trying to parse the OAUTH headers, we decided to just skip authentication.

Since the token we return isn't secure in any way, and cannot be used to get anything from our API, we figured it doesn't make any difference if we authenticate or not.

We discussed this with @acosta11 and @davewalter during implementation.
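As an added illustration of what the dummy endpoint described above and in the commit message amounts to (example code, not Korifi's own implementation): a handler that answers `/oauth/token` with the response shape from the acceptance criteria, a minter that produces a compact JWT carrying only an `exp`, and the decode step the CLI performs to learn when to refresh. The function names `mintDummyToken`, `tokenExpiry` and `newTokenHandler`, the HS256 signing with an ephemeral key, and the `iat`/`exp` claims are assumptions for this example; the key is never known to any verifier, so the token proves nothing to the API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// mintDummyToken builds an HS256 JWT whose only job is to be parsable by the CLI
// and carry an expiry; no API verifier checks it, so the token grants nothing.
func mintDummyToken(now time.Time, ttl time.Duration, key []byte) string {
	b64 := base64.RawURLEncoding // unpadded base64url, as JWT segments require
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]int64{"iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	mac := hmac.New(sha256.New, key) // key is ephemeral and never shared
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// tokenExpiry decodes the payload segment and returns the exp claim, which is
// what the CLI reads to decide when to refresh next (signature not verified).
func tokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWT")
	}
	var claims struct{ Exp int64 `json:"exp"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return time.Unix(claims.Exp, 0), err
}

// newTokenHandler serves /oauth/token as {"token_type":"Bearer","access_token":"<jwt>"}.
func newTokenHandler(key []byte, ttl time.Duration) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{
			"token_type": "Bearer", "access_token": mintDummyToken(time.Now(), ttl, key)})
	}
}
```

The ttl passed to `newTokenHandler` is the only knob that matters operationally: it sets how soon the CLI's refresh goroutine will call the endpoint again.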

julian-hj added a commit that referenced this issue Jul 14, 2022
Add /oauth/token dummy endpoint

[Finishes #1294]

acosta11 commented Jul 19, 2022

Acceptance:
Confirmed oauth/token response is successfully parsed by the unmodified tip of v8 branch cli for streaming logs on my korifi deployment.

$ git log
commit 3346dae7885f977f587911d908c4fbaaf2565b3f (HEAD -> v8, origin/v8)
...
$ cf version
cf version 8.4.0+3346dae78.2022-07-19
$ cf push node -p ~/workspace/cf-acceptance-tests/assets/node/
Pushing app node to org o / space s as cf-admin...
Packaging files to upload...
Uploading files...
 626 B / 626 B [=================================================================================================================================================================================================================================] 100.00% 1s

Waiting for API to complete processing files...

Staging app and tracing logs...

   Build reason(s): CONFIG
   CONFIG:
   	+ env:
...

LGTM, closing.
