Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Adding support for OpenID-Connect #251

Merged
merged 6 commits into from
Jun 26, 2018
Merged

Adding support for OpenID-Connect #251

merged 6 commits into from
Jun 26, 2018

Conversation

abellotti
Copy link
Member

Adding support for OpenID-Connect

  • auth-type: openid-connect
  • new auth config parameters:
    o HTTPD_AUTH_OIDC_PROVIDER_METADATA_URL oidc-provider-metadata-url
    o HTTPD_AUTH_OIDC_CLIENT_ID oidc-client-id
    o HTTPD_AUTH_OIDC_CLIENT_SECRET oidc-client-secret

@miq-bot miq-bot added the wip label Nov 30, 2017
@abellotti
Copy link
Member Author

abellotti commented Nov 30, 2017
edited
Loading

marking as WIP.

  • needs testing
  • need to also verify running with older auth-config maps without the new oidc entries
    • was an issue but resolved with optional: true
  • README.md update to reflect new oidc parameters

@abellotti
Copy link
Member Author

/cc @jvlcek

@abellotti
Copy link
Member Author

Requires: ManageIQ/container-httpd#33

abellotti
abellotti commented Dec 1, 2017
View reviewed changes
templates/miq-template-ext-db.yaml Outdated
OIDCClientID ${HTTPD_AUTH_OIDC_CLIENT_ID}
OIDCClientSecret ${HTTPD_AUTH_OIDC_CLIENT_SECRET}

OIDCRedirectURI https://%{REQUEST_HOST}/oidc_login/redirect_uri
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is problematic, REQUEST_HOST is not defined at apache config file load time. investigating alternative.

@abellotti
Copy link
Member Author

Ran test with an auth configmap without the new parameters and the Pod fails to start

Error: Couldn't find key auth-oidc-provider-metadata-url in ConfigMap ext-auth/httpd-auth-configs

Hopefully there's a way to handle this in the template and if not possible document the update/migration of auth configmaps to newer pods.

@abellotti
Copy link
Member Author

looks like adding:

optional: true

might work for us.

@abellotti abellotti force-pushed the support_openid_connect branch from 991937f to e380b76 Compare April 27, 2018 13:56
jvlcek
jvlcek reviewed Jun 5, 2018
View reviewed changes
Copy link
Member

@jvlcek jvlcek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Near line 51 we need to add the RewriteCond for openid-connect

manageiq-redirects-ui:RewriteCond %{REQUEST_URI} !^/openid-connect

abellotti added 5 commits June 5, 2018 15:41
@abellotti
Adding support for OpenID-Connect
fdd60b0 
- auth-type: openid-connect
- new auth config parameters:
  o HTTPD_AUTH_OIDC_PROVIDER_METADATA_URL   oidc-provider-metadata-url
  o HTTPD_AUTH_OIDC_CLIENT_ID               oidc-client-id
  o HTTPD_AUTH_OIDC_CLIENT_SECRET           oidc-client-secret
@abellotti
Needed to leverage the APPLICATION_DOMAIN for defining
c4b8ff8 
the RedirectURI for OpenID-Connect.
@abellotti
Updated miq-template.yaml and miq-template-ext-db.yaml
858e62d 
so that the OIDCRedirectURI is quoted, otherwise the
${APPLICATION_DOMAIN} portion is substituted when
viewing/editing the configmap.
@abellotti
Making the HTTPD_AUTH_OIDC_* environment variables
03d6944 
optional so older httpd auth-configmaps will still
work with the newer pods supporting OpenID-Connect.
@abellotti
For OpenID-Connect /openid-connect is only served by mod_auth_openidc,
85fa9de 
do not send to back-end pods.
@abellotti abellotti force-pushed the support_openid_connect branch from e380b76 to 85fa9de Compare June 5, 2018 19:48
@abellotti abellotti changed the title [WIP] Adding support for OpenID-Connect Adding support for OpenID-Connect Jun 11, 2018
@miq-bot miq-bot removed the wip label Jun 11, 2018
@jvlcek
Copy link
Member

jvlcek commented Jun 13, 2018

LGTM 👍 Thank you @abellotti

@jvlcek jvlcek mentioned this pull request Jun 15, 2018
Closed
@jvlcek
Copy link
Member

jvlcek commented Jun 18, 2018
edited
Loading

@abellotti The updates to the README can be pulled from my closed PR
https://github.com/ManageIQ/manageiq-pods/pull/296/files#diff-04c6e90faac2675aa89e2176d2eec7d8

@jvlcek jvlcek mentioned this pull request Jun 22, 2018
Merged
@miq-bot
Copy link
Member

miq-bot commented Jun 22, 2018

Checked commits abellotti/manageiq-pods@fdd60b0~...109fa75 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
2 files checked, 1 offense detected

**

  • 💣 💥 🔥 🚒 - Linter/Yaml - missing config files

@carbonin
Copy link
Member

This looks good to me. @jvlcek Merging this before ManageIQ/httpd_configmap_generator#33 won't cause any issues right?

@jvlcek
Copy link
Member

jvlcek commented Jun 26, 2018

Thank you @carbonin and correct, merging this before ManageIQ/httpd_configmap_generator#33 won't cause any issues.

@carbonin carbonin self-assigned this Jun 26, 2018
@carbonin carbonin merged commit 72dfee6 into ManageIQ:master Jun 26, 2018
@carbonin carbonin added this to the Sprint 89 Ending Jul 2, 2018 milestone Jun 26, 2018
simaishi pushed a commit that referenced this pull request Jun 27, 2018
@carbonin @simaishi
Merge pull request #251 from abellotti/support_openid_connect
8ad3851 
Adding support for OpenID-Connect
(cherry picked from commit 72dfee6)
@simaishi
Copy link
Contributor

Hammer backport details:

$ git log -1
commit 8ad38519a4bf5b0aeeb1ad79040788229ae3328a
Author: Nick Carboni <ncarboni@redhat.com>
Date:   Tue Jun 26 10:15:38 2018 -0400

    Merge pull request #251 from abellotti/support_openid_connect
    
    Adding support for OpenID-Connect
    (cherry picked from commit 72dfee62cc3f9111baa1a776eea1c5f8bff13888)

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jvlcek jvlcek jvlcek left review comments

@carbonin carbonin carbonin approved these changes

Assignees

@carbonin carbonin

Labels
enhancement hammer/backported template
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@abellotti @jvlcek @miq-bot @carbonin @simaishi