From 296659cb504d365fa47c4104c0d229b5008ea570 Mon Sep 17 00:00:00 2001 From: Andrew Block Date: Thu, 26 Dec 2019 03:14:20 -0600 Subject: [PATCH] Reduced OpenShift scopes and enhanced documentation --- Documentation/connectors/openshift.md | 35 ++++++++++++++++++++++++--- connector/openshift/openshift.go | 4 +-- 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/Documentation/connectors/openshift.md b/Documentation/connectors/openshift.md index c9650846..bd3df40d 100644 --- a/Documentation/connectors/openshift.md +++ b/Documentation/connectors/openshift.md @@ -6,9 +6,37 @@ Dex can make use of users and groups defined within OpenShift by querying the pl ## Configuration -Create a new OAuth Client by following the steps described in the documentation for [Registering Additional OAuth Clients](https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth) -This involves creating a resource similar the following +### Creating an OAuth Client + +Two forms of OAuth Clients can be utilized: + +* [Using a Service Account as an OAuth Client](https://docs.openshift.com/container-platform/latest/authentication/using-service-accounts-as-oauth-client.html) (Recommended) +* [Registering An Additional OAuth Client](https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth) + +#### Using a Service Account as an OAuth Client + +OpenShift Service Accounts can be used as a constrained form of OAuth client. Making use of a Service Account to represent an OAuth Client is the recommended option as it does not require elevated privileged within the OpenShift cluster. Create a new Service Account or make use of an existing Service Account. + +Patch the Service Account to add an annotation for location of the Redirect URI + +``` +oc patch serviceaccount --type='json' -p='[{"op": "add", "path": "/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.dex", "value":"https:////callback"}]' +``` + +The Client ID for a Service Account representing an OAuth Client takes the form ` + +The Client Secret for a Service Account representing an OAuth Client is the long lived OAuth Token that is configued for the Service Account. Execute the following command to retrieve the OAuth Token. + +``` +oc serviceaccounts get-token +``` + +#### Registering An Additional OAuth Client + +Instead of using a constrained form of Service Account to represent an OAuth Client, an additional OAuthClient resource can be created. + +Create a new OAuthClient resource similar to the following: ```yaml kind: OAuthClient @@ -23,6 +51,8 @@ redirectURIs: grantMethod: prompt ``` +### Dex Configuration + The following is an example of a configuration for `examples/config-dev.yaml`: ```yaml @@ -46,5 +76,4 @@ connectors: # Optional list of required groups a user mmust be a member of groups: - users - ``` diff --git a/connector/openshift/openshift.go b/connector/openshift/openshift.go index f3eb53dc..e1974694 100644 --- a/connector/openshift/openshift.go +++ b/connector/openshift/openshift.go @@ -109,7 +109,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e Endpoint: oauth2.Endpoint{ AuthURL: metadata.Auth, TokenURL: metadata.Token, }, - Scopes: []string{"user:info", "user:check-access", "user:full"}, + Scopes: []string{"user:info"}, RedirectURL: c.RedirectURI, } return &openshiftConnector, nil @@ -168,7 +168,7 @@ func (c *openshiftConnector) HandleCallback(s connector.Scopes, r *http.Request) validGroups := validateRequiredGroups(user.Groups, c.groups) if !validGroups { - return identity, fmt.Errorf("openshift: user %q is not in any of the required teams", user.Name) + return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name) } identity = connector.Identity{