Configuring "oauth2" based authentication for "devops" access does not allow to use a different OpenID connect provider #1946

Closed
thjaeckle opened this issue May 27, 2024 · 0 comments · Fixed by #1948
@thjaeckle
Member

When configuring to secure access to DevOps commands and to connections using oauth2 via Helm:

```yaml
# one of: "basic" | "oauth2"
authMethod: "basic"
# oauth contains the OAuth2.0 / OpenID Connect related configuration applied when "authMethod" above is "oauth2"
oauth:
  # allowedClockSkew configures the amount of clock skew in seconds to tolerate when verifying the local time against the exp and nbf claims
  allowedClockSkew: 20s
  # openidConnectIssuers holds a map of issuer-prefixes as key (e.g. "example")
  # and OAuth "issuer" and "authSubjects" list containing which claims to extract from a JWT issued by the issuer
  openidConnectIssuers:
    # example-ops:
    #   issuer: "example.com"
    #   authSubjects:
    #     - "{{ jwt:sub }}"
    #     - "{{ jwt:groups }}"
```

It is currently not possible to choose in the openidConnectIssuers a different OpenID connect provider than already defined in the "normal" oauth2 configuration at:

```yaml
oauth:
  # allowedClockSkew configures the amount of clock skew in seconds to tolerate when verifying the local time against the exp and nbf claims
  allowedClockSkew: 20s
  # openidConnectIssuers holds a map of issuer-prefixes as key (e.g. "example")
  # and OAuth "issuer" and "authSubjects" list containing which claims to extract from a JWT issued by the issuer
  openidConnectIssuers:
    # example:
    #   issuer: "example.com"
    #   authSubjects:
    #     - "{{ jwt:sub }}"
    #     - "{{ jwt:groups }}"
```

E.g. with a `-ops` suffix as in the comments, or even a completely different "issuer" endpoint.

The reason seems to be that this is loaded as "Extension" in Ditto (so basically a Singleton) and that only the first configuration is applied (which is the "normal" oauth2 config).

So e.g. having admin users in a separated OpenID connect provider is not possible.

I also figured that this is currently not at all documented at DevOps commands - so adding some documentation about the option to use oauth for securing admin access would also be good as part of the bugfix.
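The following is an added model of what the two `openidConnectIssuers` sections above are meant to express, written for this page and not taken from Ditto's code base. It keeps one issuer map per scope ("normal" and "devops"), checks `exp`/`nbf` against `allowedClockSkew`, and expands `{{ jwt:<claim> }}` templates into `<issuer-prefix>:<value>` subjects. The hostnames, token claims and the subject format are assumptions; the claims are taken as already signature-verified against the issuer's JWKS, which this snippet does not do. Running the admin token against only the "normal" map reproduces the symptom the issue describes: a separate admin provider is simply not configured there.

```python
"""Per-scope OpenID Connect issuer configuration, as a constructed model.

Assumptions (not Ditto's implementation): JWT claims arrive already
signature-verified; authorization subjects are "<issuer-prefix>:<claim value>".
"""
import re
import time
from dataclasses import dataclass

# Matches templates such as "{{ jwt:sub }}" and captures the claim name.
PLACEHOLDER = re.compile(r"\{\{\s*jwt:([A-Za-z0-9_]+)\s*\}\}")


@dataclass
class IssuerConfig:
    issuer: str            # expected value of the "iss" claim
    auth_subjects: list    # templates like "{{ jwt:sub }}"


@dataclass
class OAuthConfig:
    allowed_clock_skew_s: int
    openid_connect_issuers: dict   # issuer-prefix -> IssuerConfig


# Two scopes mirroring the two Helm sections. The devops scope deliberately
# points at a different provider (hypothetical hostname).
NORMAL = OAuthConfig(20, {
    "example": IssuerConfig("example.com", ["{{ jwt:sub }}", "{{ jwt:groups }}"]),
})
DEVOPS = OAuthConfig(20, {
    "example-ops": IssuerConfig("admin.example.com", ["{{ jwt:sub }}"]),
})

# Constructed, already-verified claim sets (Unix seconds chosen for readability).
USER_TOKEN = {"iss": "example.com", "sub": "bob", "groups": ["dev", "ops"],
              "nbf": 900, "exp": 1000}
ADMIN_TOKEN = {"iss": "admin.example.com", "sub": "alice", "nbf": 900, "exp": 1000}


def check_time_claims(claims, now, skew):
    """Reject a token unless now lies within [nbf - skew, exp + skew]."""
    if "exp" in claims and now > claims["exp"] + skew:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - skew:
        raise ValueError("token not yet valid")


def expand(template, claims):
    """Expand one authSubjects template; a list-valued claim yields one value each."""
    m = PLACEHOLDER.fullmatch(template.strip())
    if not m:
        raise ValueError(f"unsupported template: {template}")
    value = claims.get(m.group(1))
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, (list, tuple)) else [str(value)]


def resolve_subjects(config, claims, now=None):
    """Return the subjects a verified JWT grants under one scope's issuer map."""
    now = time.time() if now is None else now
    check_time_claims(claims, now, config.allowed_clock_skew_s)
    for prefix, issuer_cfg in config.openid_connect_issuers.items():
        if claims.get("iss") == issuer_cfg.issuer:
            subjects = []
            for tmpl in issuer_cfg.auth_subjects:
                subjects += [f"{prefix}:{v}" for v in expand(tmpl, claims)]
            return subjects
    raise ValueError(f"issuer {claims.get('iss')!r} is not configured for this scope")


def is_accepted(config, claims, now):
    """True if the token yields at least one subject under this scope's config."""
    try:
        return bool(resolve_subjects(config, claims, now))
    except ValueError:
        return False


if __name__ == "__main__":
    print("devops scope, admin token:", resolve_subjects(DEVOPS, ADMIN_TOKEN, 950))
    print("normal scope, admin token accepted:", is_accepted(NORMAL, ADMIN_TOKEN, 950))
    print("normal scope, user token:", resolve_subjects(NORMAL, USER_TOKEN, 950))
```

The point of keeping `NORMAL` and `DEVOPS` as separate `OAuthConfig` objects is that each scope resolves issuers from its own map; if a single shared instance held only the first-loaded map, `ADMIN_TOKEN` would never match and admin access through a separate provider would fail exactly as reported.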

@thjaeckle thjaeckle added the bug label May 27, 2024
@thjaeckle thjaeckle self-assigned this May 27, 2024
@thjaeckle thjaeckle added this to the 3.5.7 milestone May 27, 2024
@thjaeckle thjaeckle moved this to In Progress in Ditto Planning May 29, 2024
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue May 29, 2024
…thorization could not be configured

* improved logging correlationId also for devops auth in gateway as well

Signed-off-by: Thomas Jäckle <[email protected]>
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue May 29, 2024
…rectly with environment variable

Signed-off-by: Thomas Jäckle <[email protected]>
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue May 30, 2024
…rectly with environment variable

Signed-off-by: Thomas Jäckle <[email protected]>
thjaeckle added a commit to beyonnex-io/ditto that referenced this issue May 31, 2024
…rectly with environment variable

Signed-off-by: Thomas Jäckle <[email protected]>
thjaeckle added a commit that referenced this issue Jun 10, 2024
…ects-config

#1946 fix that alternative OIDC provider for "devops" authorization could not be configured
@github-project-automation github-project-automation bot moved this from In Progress to Done in Ditto Planning Jun 10, 2024
thjaeckle added a commit that referenced this issue Jun 10, 2024
…ould not be configured

* improved logging correlationId also for devops auth in gateway as well

Signed-off-by: Thomas Jäckle <[email protected]>
thjaeckle added a commit that referenced this issue Jun 10, 2024