Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend rhoas login by supporting SSO client id an secret #1579

Open
apodhrad opened this issue May 23, 2022 · 7 comments
Open

Extend rhoas login by supporting SSO client id an secret #1579

apodhrad opened this issue May 23, 2022 · 7 comments
Labels
enhancement New feature or request

Comments

@apodhrad
Copy link

Feature or problem description

Some teams use SSO service accounts which can be authenticated against sso.redhat.com but cannot be used for any "web page" loging and cannot obtain a token (pls correct me if I'm wrong).
Such service accounts are used for logging to OCM as follows

ocm login --client-id "${CLIENT_ID}" --client-secret "${CLIENT_SECRET}"

Could we have something similar for rhoas, please?
@apodhrad apodhrad added the enhancement New feature or request label May 23, 2022
@wtrocki
Copy link
Collaborator

wtrocki commented May 23, 2022
edited
Loading

While request can be done on the RHOAS CLI side. I'm not sure if we will support two types of login:

--token (offline token)
--client-id=... (service accounts)

Moving to client-id is quite simple and natural choice but it it kinda exceeded scope of RHOAS CLI. This is more or less RHOAS SDKs/RHOAS ecosystem question. How we want to login for automation purposes etc.

@akoserwal Do you think we can we use service accounts to obtain AccessToken that will work with all fleet managers we have?

@wtrocki
Copy link
Collaborator

wtrocki commented May 23, 2022

FYI @gowriswarupk

@akoserwal
Copy link
Contributor

@apodhrad You can use the sso service account with ocm client for the requests to the control plane api. But it requires some claim configuration for your service account (sso mapper). I can help with getting it configured.

In the near future, rhosak will support the new sso service account api (self service)

@wtrocki
Copy link
Collaborator

wtrocki commented May 24, 2022

Worth to mention that current solution is to use offline refresh token (and CLI supports it already by rhoas login --token option`

@apodhrad
Copy link
Author

Hi @akoserwal @wtrocki thanks for your quick response.

Today I have found out that rhoas doesn't necessary require any OCM org or OCM user defined in ocm-resources.
But it requires redhat orgs and users defined at access.redhat.com so that rhoas can properly work with objects within an org, e.g. clusters from org A cannot be seen from org B.

Thus, using an sso service account would require an org mapping - is that the mapping you have mentioned?

@apodhrad
Copy link
Author

After discussion with @akoserwal we agreed that this request makes sense once we deal with the mas-sso.

I'm ok with that as we can use the token approach.

Please add proper labels according to your workflow.

@wtrocki
Copy link
Collaborator

wtrocki commented May 25, 2022

Yes. All you need is https://cloud.redhat.com/openshift/token

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@wtrocki @akoserwal @apodhrad @app-services-ci