Adding support for OpenID-Connect/OAuth2 in the API #737
Conversation
Leverages the current OpenIDC configuration of the applicance for fetching client id, secret and OpenID Metadata URL and info for getting to the token authentication and token introspection endpoints of the IDP. Supports: - Authenticating with the API using a user Access Token coming in as the Authorization Bearer JWT. - Authenticating with Basic Auth where the username and password specified is authenticated against the OpenID-Connect IDP and a JWT is fetched for the user.
the user from the Authenticated JWT token info (all the user claim data coming back from KeyCloak). We define the external auth headers as if they were coming in from Apache so we leverage the current httpd auth type for user management.
|
Checked commits abellotti/manageiq-api@7061eb1~...eb2017a with ruby 2.5.5, rubocop 0.69.0, haml-lint 0.20.0, and yamllint 1.10.0 |
|
/cc @gtanzillo @Fryguy @jvlcek @chessbyte - as promised. /cc @clearnight79 |
|
Marking as [WIP] - Actual implementation would move a lot of this code to https://github.com/ManageIQ/manageiq/blob/master/app/models/authenticator/httpd.rb |
|
@abellotti "Actual implementation" mean the alternative Apache configuration solution? |
|
@abellotti if I want to patch my current CF 5.0, is this the file I need to replace? |
|
Sorry, I meant non-prototype :)
If we wanted to go ahead and go with this implementation, some logic to move to ManageIQ authenticator and of course would need some specs here.
Alberto
…Sent from my iPhone
On Feb 5, 2020, at 8:58 PM, clearnight79 ***@***.***> wrote:
@abellotti "Actual implementation" mean the alternative Apache configuration solution?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
@clearnight79 that looks about right. running |
|
Running this on the appliance will return the path where the API code is installed:
|
|
I tried to enable UI OIDC following https://www.manageiq.org/docs/reference/latest/auth/openid_connect |
|
Seems @clearnight79 had some success. So, I'm going to merge this as is, and we can iterate on cleanup, as I'd like to get this into a potential build for further testing. I think moving forward we should... a) Make a PR to "clean up" the code by moving this into the httpd authenticator (@jvlcek Can you take this on?) |
|
@Fryguy ManageIQ/manageiq#19858 for the optional scope parameter. /cc @jvlcek |
|
@clearnight79 did this PR work as is for you or did you need to modify any of the OOTB configuration files
And the related code here ? |
Adding support for OpenID-Connect/OAuth2 in the API (cherry picked from commit 95e86ab) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1805914
|
Ivanchuk backport details: |
|
FYI: I've created the following issues to track the above mentioned follow on work to this PR |
|
Part of ManageIQ/manageiq#19867 |
This Enhancement enables OpenID-Connect authentication (OAuth2) on the API. Current support for OpenID-Connect is only for the web interface and the API is not enabled as such. The only enablement needed is to configure the ManageIQ Appliance for OpenID-Connect as per:
This enhancement leverages the appliance configuration and enables the following:
First Use Case:
The API performs the necessary Token introspection to validate the token and obtain the user details from the OpenID Client Claim definitions.
The API then performs the proper mapping of the OpenID Claim data to the currently supported headers as per the OIDC Assertions in the document referenced above for external authentication to work as it does today.
Second Use Case:
Authenticating via Basic Auth.
Here the standard basic authentication username and password is passed along to the API. However, when the appliance is configured for OpenID-Connect authentication, the API will request a token generation for the user from the IDP. If successful, It then follows the same authentication logic as the Bearer/JWT authentication mentioned above.
NOTE:
While this approach works fine and leverages the appliance configuration as is with no change, an alternate approach where the Apache configuration could be configured to protect the /api endpoint behind OpenID-Connect may be preferred.
Similar to how external authentication (Kerberos) is defined and wired for the API, see https://github.com/ManageIQ/manageiq-appliance/blob/236641d25b8b5d8a864893191955c8c19af1f275/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth.conf.erb#L37 for the details there.
Though for OpenID-Connect/OAuth2, we would need to modify the https://github.com/ManageIQ/manageiq-appliance/blob/master/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb file and define/protect the /api as documented here: https://github.com/zmartzone/mod_auth_openidc
This would also allow us to have the single Apache container communicating with the IDP and having the API/WS containers only handle the trusted Apache headers coming in internally, as was done with https://github.com/ManageIQ/httpd_configmap_generator for the ManageIQ httpd container for the podified ManageIQ.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1805279