Allow using OAuth2 for destinations #5047

Closed
ctron opened this issue Mar 10, 2021 · 13 comments
Assignees
Labels
area/security kind/feature-request priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Issues which should be fixed (post-triage)

Comments

@ctron

ctron commented Mar 10, 2021

Problem

When using a uri or ref as a destination (e.g. in a Sequence), the receiving endpoint might be secured and require credentials to allow access.

Using uri, it is currently possible to provide "username/password" credentials. However, OAuth2 is a reasonable choice for authentication as well.

Knative eventing should allow using OAuth2 for authenticating towards a receiving service.

Not being an expert on OAuth2, I guess it would make sense to allow:

See for other flows:

In general it should be possible to provide credentials (like client ID and secret) using Kubernetes Secrets, like using a SecretsKeySelector (https://pkg.go.dev/k8s.io/api/core/v1#SecretKeySelector).

Persona:

Event consumer

Exit Criteria

  • Validate that the event sender can authenticate against an OAuth2 enabled endpoint
  • Ensure that refreshing of tokens works

Time Estimate (optional):

Additional context (optional)
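The client-credentials flow the issue asks for, together with the token refresh named in the exit criteria, as an added Go example; this is not code from Knative or from the issue author. It assumes a token endpoint that accepts HTTP Basic client authentication and answers with a bearer token and an `expires_in` lifetime. The token server, the client ID `sequence-sender` and the secret are constructed stand-ins; in a real deployment the ID and secret would be read from a Kubernetes Secret, e.g. via a SecretKeySelector as the issue suggests.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// ClientCredentials: what a destination would read from a Kubernetes Secret, plus the token URL (constructed values).
type ClientCredentials struct {
	TokenURL, ClientID, ClientSecret string
}

// TokenSource caches a client-credentials token and refetches it once less than Leeway remains before expiry.
type TokenSource struct {
	creds   ClientCredentials
	client  *http.Client
	now     func() time.Time // injectable clock so refresh behaviour can be exercised deterministically
	Leeway  time.Duration
	mu      sync.Mutex
	token   string
	expires time.Time
}

func NewTokenSource(c ClientCredentials, client *http.Client, now func() time.Time) *TokenSource {
	return &TokenSource{creds: c, client: client, now: now, Leeway: 30 * time.Second}
}

// Token returns a usable bearer token; the mutex makes concurrent senders share a single fetch.
func (ts *TokenSource) Token(ctx context.Context) (string, error) {
	ts.mu.Lock()
	defer ts.mu.Unlock()
	if ts.token != "" && ts.now().Add(ts.Leeway).Before(ts.expires) {
		return ts.token, nil // cached token still has more than Leeway left
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, ts.creds.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(ts.creds.ClientID, ts.creds.ClientSecret) // RFC 6749 section 2.3.1 client authentication
	resp, err := ts.client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status) // e.g. 401 invalid_client: fail closed
	}
	var tr struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
		ExpiresIn   int64  `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return "", fmt.Errorf("token response is not a bearer token")
	}
	ts.token = tr.AccessToken
	ts.expires = ts.now().Add(time.Duration(tr.ExpiresIn) * time.Second)
	return ts.token, nil
}

// NewFakeAuthServer is a constructed stand-in for an OAuth2 token endpoint: it checks client credentials and grant type.
func NewFakeAuthServer(clientID, clientSecret string, expiresIn int64) *httptest.Server {
	issued := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if id, secret, ok := r.BasicAuth(); !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		issued++ // numbered tokens make a refresh visible to the caller
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{
			"access_token": fmt.Sprintf("tok-%d", issued), "token_type": "Bearer", "expires_in": expiresIn})
	}))
}

func main() {
	srv := NewFakeAuthServer("sequence-sender", "s3cr3t", 60)
	defer srv.Close()
	ts := NewTokenSource(ClientCredentials{TokenURL: srv.URL, ClientID: "sequence-sender", ClientSecret: "s3cr3t"}, srv.Client(), time.Now)
	tok, err := ts.Token(context.Background())
	fmt.Println(tok, err)
}
```

The sender attaches the returned value as `Authorization: Bearer <token>` on the delivery request. Refreshing before expiry (the leeway) rather than after the first 401 avoids sending an event with a token that expires in flight, and a rejected client secret surfaces as an error instead of an unauthenticated delivery attempt.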

@lberk
Member

lberk commented Mar 15, 2021

@ctron is this related to #5046 as well?
@julz @evankanderson would you be willing to take a look at this?

@lberk lberk added the priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. label Mar 15, 2021
@lberk lberk added this to the Backlog milestone Mar 15, 2021
@ctron
Author

ctron commented Mar 15, 2021

To some degree related. The alternative to my use case in Eclipse Ditto is to use "oauth". Both ways are not supported by Knative.

However, using OAuth2 in my use case might have downsides, as the "pre-authenticated" mode might make it easier to identify an internal user. Also, it might be more efficient to have a static header, compared to an OAuth2 flow.

So both use cases are valid IMHO. Having one of them supported should be good enough in our case.

@lberk lberk added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. labels Mar 29, 2021
@github-actions

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 28, 2021
@lionelvillard
Member

/reopen
/remove-lifecycle stale

@lionelvillard lionelvillard added the triage/accepted Issues which should be fixed (post-triage) label Oct 5, 2022
@lionelvillard lionelvillard reopened this Oct 5, 2022
@lionelvillard lionelvillard removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 5, 2022
@knative-prow

knative-prow bot commented Oct 5, 2022

@lionelvillard: Reopened this issue.

In response to this:

/reopen
/remove-lifecycle stale

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@gokr

gokr commented Oct 6, 2022

Just showing my support! IMHO any options are better than none. Often the destination has "their own ways" so... Knative should probably be relatively flexible ;) Of course, for us the oauth2 client credential flow would be awesome.

@prakrit55
Contributor

Hello there, I am interested in the project for GSoC 2023. Can anyone guide me on how to get started and what essentials are required to know? I will be happy to be a part of the community.

@github-project-automation github-project-automation bot moved this to Ready To Work in Eventing WG Roadmap Feb 3, 2023
@pierDipi pierDipi moved this from Ready To Work to Icebox / Wishlist in Eventing WG Roadmap Feb 3, 2023
@allgandalf

Hey @evankanderson, I was going through the project ideas and this project caught my attention. I would love to contribute to this project during this summer :) I am currently going through the documentation to get in-depth knowledge of the concepts required. Shall I continue this discussion on the Slack community channel?

@evankanderson
Member

Hi @RohanSasne. I believe @matzew is also looking at this based on the comment here:

https://docs.google.com/document/d/1H-x_oji8LqkCyd7tlsSyclmUe7FAmEJPgRxOU_0pkn8/edit?resourcekey=0-lzDIPJsZOP3G17QE_g1lHw&pli=1&disco=AAAAjtJiE3k

You two may want to coordinate.

@allgandalf

allgandalf commented Feb 28, 2023

Yeah, absolutely, thanks for the resource though!
I will try to get more involved with the community in coming weeks :)

@pierDipi pierDipi moved this from Icebox / Wishlist to In Design in Eventing WG Roadmap Apr 4, 2023
@pierDipi pierDipi removed this from the Backlog milestone Apr 4, 2023
@pierDipi
Member

pierDipi commented May 2, 2023

/assign @creydr

@PiyushRaj927

Hi @pierDipi, will this project be under LFX Mentorship Term 02 - 2023 June - August?

@pierDipi pierDipi moved this from In Design to In Progress in Eventing WG Roadmap Nov 23, 2023
@creydr
Member

creydr commented Feb 22, 2024

The basic functionality for this is included in eventing core since the 1.13 release when the authentication-oidc feature flag is set to enabled. See the docs at https://knative.dev/docs/eventing/experimental-features/sender-identity.
Eventing-Kafka-Broker will support it with the next release (1.14 - implementation done, waiting for the release).
Please try it and give us feedback.
