Make OAuth provider discoverable from within a Pod

[enj]

Implementation of https://tools.ietf.org/html/draft-ietf-oauth-discovery-04

From within a pod:

root@test:/# curl -k https://openshift.default.svc/.well-known/oauth-authorization-server
{
  "issuer": "https://10.13.129.56:8443",
  "authorization_endpoint": "https://10.13.129.56:8443/oauth/authorize",
  "token_endpoint": "https://10.13.129.56:8443/oauth/token",
  "scopes_supported": [
    "user:full",
    "user:info",
    "user:check-access",
    "user:list-scoped-projects",
    "user:list-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

cc @gabemontero @bparees

Trello ref:
https://trello.com/c/7uYQSTdR

[liggitt]

only include "authorization_code" for now. the others are included in the osin config, but the impl given to actually validate the other types (client-credentials, assertion, etc) just denies

[enj]

[test] since I changed existing code.

[enj]

re[test] AWS error

[liggitt]

Let's keep the redirect uri stuff in a separate PR. The discovery bits are useful on their own

[liggitt]

why did you make this fatal?

[liggitt]

@deads2k I'm wondering how this will fit with the oauth server split stuff we discussed

[enj]

re[test] flake on #10080

[deads2k]

@deads2k I'm wondering how this will fit with the oauth server split stuff we discussed

You really want to build it like this? Even if you decide to do it like this, you should version this API.

[enj]

@deads2k I am not sure if I would call this an API since you can't really perform any actions with it. That being said, the draft has no concept of versioning. Granted I suppose they could just make a new well known URI if they ever needed to make a backwards incompatible change. The data returned by this endpoint is essentially never supposed to change structure.

[deads2k]

@deads2k I am not sure if I would call this an API since you can't really perform any actions with it.

You call it externally and rely on its output to behave consistently for the purposes of deserialization so that a client can semantically interpret it. API.

The data returned by this endpoint is essentially never supposed to change structure.

That rarely works out.

[liggitt]

the URL and output are dictated by the rfc. curious how you would version that

[deads2k]

Didn't realize it was for a spec. Your link to the spec is dead.

[deads2k]

@enj Consider a world where the oauth server lives in a process that is separate from the API server. Because other authentication techniques exist, it could actually be in a pod. This has several repercussions:

1. other than this endpoint, the api server doesn't have to know where the oauth server lives
2. you won't be able to derive this information through self-inspection
3. callers of this API will sometimes want externally routable URLs (when redirecting clients) and sometimes want internally routable URLs (when exchanging codes for tokens)

Items 1 and 2 suggest that you could try to find this information via API inspection (magic config map or magic service/route come to mind).

Item 3 could probably be punted on if we expect overall internal traffic to be low.

[soltysh]

Only two questions, the code itself looks good. As for @deads2k suggestion I'm opposed to versioning that endpoint.

[soltysh]

What about the remaining metadata attributes? Why only those?

[enj]

I focused on the REQUIRED and RECOMMENDED metadata. A lot of the OPTIONAL ones are not supported by OpenShift (for example, jwks_uri and token_endpoint_auth_signing_alg_values_supported). Since @liggitt just added PKCE support, I could add code_challenge_methods_supported (but that may be out of scope and could certainly be added later). token_endpoint_auth_methods_supported, service_documentation, ui_locales_supported, op_policy_uri, op_tos_uri, protected_resources, etc may all be valid now or in the future, but are probably out of scope as well.

[soltysh]

Why these scopes and not others?

[enj]

I didn't see an easy way for me to get any other scopes. I welcome suggestions for making this list more complete.

[soltysh]

Right, the remaining role scope is varying, since it contains actual role name and namespace. Well, we're complaint with the spec, since it allows not to advertise all. Thanks for the info

[soltysh]

LGTM

[soltysh]

Right, the remaining role scope is varying, since it contains actual role name and namespace. Well, we're complaint with the spec, since it allows not to advertise all. Thanks for the info

[deads2k]

@deads2k mentioned that this should return a different URL based on if the request comes from inside or outside the cluster. @openshift/api-review @jwforres @gabemontero

I'm not sure its that simple. Sometimes you want to discover externally routable names and sometimes you want to discover internally routable names. Assuming that internal components can hit externally routable names (like this does) gets us a long way.

[smarterclayton]

Expectation is author set the route name to a resolvable one. Def add to
docs for this (and godoc)

On Oct 5, 2016, at 7:58 AM, David Eads [email protected] wrote:

@deads2k https://github.com/deads2k mentioned that this should return a
different URL based on if the request comes from inside or outside the
cluster. @openshift/api-review
https://github.com/orgs/openshift/teams/api-review @jwforres
https://github.com/jwforres @gabemontero https://github.com/gabemontero

I'm not sure its that simple. Sometimes you want to discover externally
routable names and sometimes you want to discover internally routable
names. Assuming that internal components can hit externally routable names
(like this does) gets us a long way.

—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub
#10845 (comment),
or mute
the thread
https://github.com/notifications/unsubscribe-auth/ABG_p_A8DLW21-wvXEDmK_F0nB4du3u5ks5qw5DhgaJpZM4J3grZ
.

[enj]

re[test] flake #11114

[liggitt]

we also support implicit

[smarterclayton]

API is approved

[liggitt]

"implicit", not "__implicit"

[liggitt]

fix the implicit grant type, then LGTM

[openshift-bot]

Evaluated for origin test up to fda7222

API Approved by Clayton

[enj]

@mfojtik Ready for merge.

[mfojtik]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10108/) (Base Commit: 2142bdb)

[enj]

Flake on #11381
@mfojtik Please re-merge as that flake is fixed now.

[mfojtik]

[merge]

[mfojtik]

flake #11240

[merge]

[openshift-bot]

Evaluated for origin merge up to fda7222

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10327/) (Base Commit: 9ef2b7f) (Image: devenv-rhel7_5210)

[gabemontero]

I pulled down the latest origin containing this merged PR and was able to successfully access .well-known/oauth-authorization-server from the jenkins oauth plugin !!