Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for oauth2 authentication #69

Merged
merged 4 commits into from
Feb 2, 2022
Merged

Support for oauth2 authentication #69

merged 4 commits into from
Feb 2, 2022

Conversation

gicmo
Copy link
Contributor

@gicmo gicmo commented Jan 19, 2022
edited
Loading

Implement support for authentication via OAuth2 using the client credentials "Client Credentials Grant" flow (4.4 of RFC 6749). For this a new configuration section is added to the config file, where the client_id, client_secret and token_url have to be specified.

The implementation does currently not support "refresh tokens", but does support refreshing the token if an expires_in is present in the token itself.

Corresponding unit tests have been added.

@gicmo gicmo requested a review from croissanne January 19, 2022 20:55
gicmo added 4 commits January 31, 2022 11:13
@gicmo
builder: wrap http calls
0d4e2dc 
This is so that we can add retry logic when doing SSO/OAuth2.
@gicmo
builder: support for sso via oauth2
a6595a9 
Implement support for authentication via OAuth2 using the client
credentials "Client Credentials Grant" flow (4.4 of RFC 6749).
For this a new configuration section is added to the config file,
where the client_id, client_secret and token_url have to be
specified.
The impelmention does currently not support "refresh tokens", but
does support refreshing the token if an `expires_in` is present
in the token itself.
Corresponding unit tests have been added.

[1] https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
@gicmo
test: add helper script to run openid server
59726d7 
Add a new helper script to run the mock open id server that is
shipped inside the osbuild-composer-tests package.
@gicmo
test: switch to using oauth/sso
913a881 
Switch the authentication method that the koji builder plugin
uses from mTLS to SSO. Since we are using the mock openid
server from the `osbuild-composer-tests` package. Make this
package a dependency of `koji-osbuild-tests`.
@gicmo gicmo force-pushed the oauth2 branch 2 times, most recently from 29373b0 to 59dabbb Compare January 31, 2022 19:03
@gicmo
Copy link
Contributor Author

gicmo commented Jan 31, 2022

I added actual integration tests via the mock open id server provided by osbuild-composer-tests.

Open question, I called the configuration section [composer:oauth], should that be [composer:sso] or [composer:oauth2]? The : is because I wanted to group the options but ini-files don't support sub-sections.

From the logs, I am pretty sure we get a new instance of the plugin for every request so we should be fine concurrency-wise, but I might have to re-check the actual koji code.

@gicmo gicmo force-pushed the oauth2 branch 3 times, most recently from a23d647 to 913a881 Compare January 31, 2022 23:33
@gicmo gicmo marked this pull request as ready for review February 1, 2022 10:24
@croissanne croissanne self-requested a review February 1, 2022 10:55
croissanne
croissanne approved these changes Feb 2, 2022
View reviewed changes
Copy link
Member

@croissanne croissanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm :)

@gicmo gicmo merged commit c1a887a into osbuild:main Feb 2, 2022
@gicmo gicmo deleted the oauth2 branch February 2, 2022 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@croissanne croissanne croissanne approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gicmo @croissanne