
Move oidc auth into a token manager #382

Closed
wants to merge 6 commits into from

Conversation

butonic
Contributor

@butonic butonic commented Nov 20, 2019

This hurts ... but the oidc auth manager does not make sense. I used to store the claims in the context, but with the gateway this was removed. Now, the oidc user manager has no way of resolving the claims, other than trying to do a userinfo lookup ... which the auth manager already did. Furthermore, oidc already uses a token. We should treat it as such.

This PR

  • adds a token strategy: bearer that reads the token from the authorization header and strips the bearer part
  • moves the oidc auth logic into a new oidc token manager
  • adds a noop token writer. Only the idp writes tokens

This makes a lot more sense and reduces the number of requests significantly if the token is a jwt.

We may want to replace the oidc token with a custom jwt token to convert opaque access tokens to jwt ones. We also need to reflect this in the documentation. In a subsequent PR or commit ....

@butonic butonic requested a review from labkode as a code owner November 20, 2019 15:27
@butonic butonic changed the title Oidc configurable signing algs Mole oidc auth into a token manager Nov 20, 2019
@butonic butonic changed the title Mole oidc auth into a token manager Move oidc auth into a token manager Nov 20, 2019
@butonic
Contributor Author

butonic commented Nov 21, 2019

This is a wrong approach. The idea was to use the gateway as a central authentication step. It will convert whatever credentials into a jwt token we use inside and pass on to other reva services. The right way is to return a user when authenticating credentials, not only the id.

@butonic butonic closed this Nov 21, 2019
@butonic butonic deleted the oidc-configurable-signing-algs branch November 21, 2019 14:19