
Delegate OAuth authentication to keycloak #5943

Closed
skabashnyuk opened this issue Aug 8, 2017 · 4 comments
kind/task Internal things, technical debt, and to-do tasks to be performed.

Comments

@skabashnyuk (Contributor)

  1. We want to manage Identity Providers like github or google on keycloak
  2. We want to be able to use github or other IP tokens from plugins.
  3. We would like to have the same api for Che SDK and multiuser che.
     3.1

        @GET
        @Path("authenticate")
        public Response authenticate(@Required @QueryParam("oauth_provider") String oauthProvider,
                                     @QueryParam("scope") List<String> scopes) throws ForbiddenException,
                                                                                      BadRequestException,
                                                                                      OAuthAuthenticationException {

     to initiate authentication on IP.
     3.2

        @GET
        @Path("token")
        @Produces(MediaType.APPLICATION_JSON)
        public OAuthToken token(@Required @QueryParam("oauth_provider") String oauthProvider)

     To get stored token for IP.

See more
https://wjw465150.gitbooks.io/keycloak-documentation/server_admin/topics/identity-broker/tokens.html

@l0rd (Contributor) commented Aug 25, 2017

@skabashnyuk do you expect us (che-osio team) to work on that issue or are you going to implement it?
cc @ibuziuk @davidfestal @sunix

@skabashnyuk skabashnyuk self-assigned this Aug 28, 2017
@skabashnyuk skabashnyuk added sprint/next status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. labels Aug 28, 2017
@skabashnyuk (Contributor, Author)

@l0rd Yes. I'm planning to work on it during next sprint

@skabashnyuk skabashnyuk added status/in-progress This issue has been taken by an engineer and is under active development. and removed sprint/next labels Sep 6, 2017
@skabashnyuk (Contributor, Author) commented Sep 15, 2017

Notes from meeting with @l0rd and @davidfestal

End user goal:
Use Keycloak account linking feature for two purposes.

  1. Identity Brokering. Keycloak can delegate authentication to a parent IDP for login. A typical example of this is the case where you want users to be able to login through a social provider like Facebook or Google. Keycloak also allows you to link existing accounts to a brokered IDP. http://www.keycloak.org/docs/3.3/server_development/topics/identity-brokering.html
  2. Retrieving External IDP Tokens. For github operation for example. http://www.keycloak.org/docs/3.3/server_development/topics/identity-brokering/tokens.html

During development, I've met a couple of issues.
A. Client Initiated Account Linking http://www.keycloak.org/docs/3.3/server_development/topics/identity-brokering/account-linking.html
Has to be started in a separate frame (because some IPs, like Google, do not allow the use of an iframe). The problem here is that there is no way to send the Keycloak token as a header.
B. During some operations on the ws-agent server side, we need to request OAuth tokens from the master. To be able to authenticate the agent on the master we use machine tokens (per user per workspace token). I didn't find a way to properly (easily) transform a machine token into a Keycloak token.
Keycloak tokens are short-lived tokens; they have to be refreshed all the time. Hard to handle refresh errors.
C. We probably may have problems with OAuth scopes because 1 and 2 (IP operation) may have different scopes. For example login with github and upload ssh keys.

Decided.
A. Use query parameter to send keycloak token. We decided the same for javadocs. Use OAuth subsystem as it is now. #6300
B, C. Since it might require some time for investigation and/or refactoring, we decided to remove this as a requirement for the first release.

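As an added illustration (not code from Che or Keycloak), the two Keycloak broker calls the meeting notes refer to, built from the Keycloak 3.x pages linked above: the client-initiated account-linking redirect with its required hash, and the request for the stored external IDP token. Host, realm, client id, session state and token values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def link_hash(nonce: str, session_state: str, client_id: str, provider: str) -> str:
    """Keycloak's client-initiated account-linking check value:
    hash = Base64URL(SHA-256(nonce + session_state + client_id + provider)).
    session_state and client_id (the 'azp' claim) come from the caller's
    Keycloak access token; Keycloak uses unpadded base64url."""
    material = (nonce + session_state + client_id + provider).encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def account_link_url(base_url, realm, provider, client_id, redirect_uri,
                     session_state, nonce=None):
    """Build the top-level redirect (never an iframe, per issue A) that asks
    Keycloak to link the current account to the given IDP (e.g. 'github').
    Returns (url, nonce); the nonce is fresh per request unless supplied."""
    nonce = nonce or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "hash": link_hash(nonce, session_state, client_id, provider),
    })
    return f"{base_url}/auth/realms/{realm}/broker/{provider}/link?{query}", nonce


def broker_token_request(base_url, realm, provider, access_token):
    """Describe the request that returns the external IDP token stored for the
    user (purpose 2 above). Keycloak serves it only to a user holding the
    'broker' client's read-token role; the Keycloak token goes in the header."""
    url = f"{base_url}/auth/realms/{realm}/broker/{provider}/token"
    return "GET", url, {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed values, not from a real deployment.
    url, nonce = account_link_url("https://keycloak.example", "che", "github",
                                  "che-public-client", "https://che.example/dashboard",
                                  session_state="1f2d-session-state", nonce="demo-nonce")
    print(url)
    print(broker_token_request("https://keycloak.example", "che", "github", "<access token>"))
```
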
@skabashnyuk skabashnyuk added status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. and removed status/in-progress This issue has been taken by an engineer and is under active development. status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. labels Sep 15, 2017
@mshaposhnik (Contributor)

Adding screenshots of KK OAuth & permissions configuration:
[screenshots: kk_oauth3, kk_oauth2, kk_oauth1]
