Reduced OpenShift scopes and enhanced documentation
This commit is contained in:
parent
5afa02644a
commit
296659cb50
@ -6,9 +6,37 @@ Dex can make use of users and groups defined within OpenShift by querying the pl
## Configuration
## Configuration
Create a new OAuth Client by following the steps described in the documentation for [Registering Additional OAuth Clients](https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth)
This involves creating a resource similar the following
### Creating an OAuth Client
Two forms of OAuth Clients can be utilized:
* [Using a Service Account as an OAuth Client](https://docs.openshift.com/container-platform/latest/authentication/using-service-accounts-as-oauth-client.html) (Recommended)
* [Registering An Additional OAuth Client](https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth)
#### Using a Service Account as an OAuth Client
OpenShift Service Accounts can be used as a constrained form of OAuth client. Making use of a Service Account to represent an OAuth Client is the recommended option as it does not require elevated privileged within the OpenShift cluster. Create a new Service Account or make use of an existing Service Account.
Patch the Service Account to add an annotation for location of the Redirect URI
```
oc patch serviceaccount <name> --type='json' -p='[{"op": "add", "path": "/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.dex", "value":"https:///<dex_url>/callback"}]'
```
The Client ID for a Service Account representing an OAuth Client takes the form `
The Client Secret for a Service Account representing an OAuth Client is the long lived OAuth Token that is configued for the Service Account. Execute the following command to retrieve the OAuth Token.
```
oc serviceaccounts get-token <name>
```
#### Registering An Additional OAuth Client
Instead of using a constrained form of Service Account to represent an OAuth Client, an additional OAuthClient resource can be created.
Create a new OAuthClient resource similar to the following:
```yaml
```yaml
kind: OAuthClient
kind: OAuthClient
@ -23,6 +51,8 @@ redirectURIs:
grantMethod: prompt
grantMethod: prompt
```
```
### Dex Configuration
The following is an example of a configuration for `examples/config-dev.yaml`:
The following is an example of a configuration for `examples/config-dev.yaml`:
```yaml
```yaml
@ -46,5 +76,4 @@ connectors:
# Optional list of required groups a user mmust be a member of
# Optional list of required groups a user mmust be a member of
groups:
groups:
- users
- users
```
```
@ -109,7 +109,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
Endpoint: oauth2.Endpoint{
Endpoint: oauth2.Endpoint{
AuthURL: metadata.Auth, TokenURL: metadata.Token,
AuthURL: metadata.Auth, TokenURL: metadata.Token,
},
},
Scopes: []string{"user:info", "user:check-access", "user:full"},
Scopes: []string{"user:info"},
RedirectURL: c.RedirectURI,
RedirectURL: c.RedirectURI,
}
}
return &openshiftConnector, nil
return &openshiftConnector, nil
@ -168,7 +168,7 @@ func (c *openshiftConnector) HandleCallback(s connector.Scopes, r *http.Request)
validGroups := validateRequiredGroups(user.Groups, c.groups)
validGroups := validateRequiredGroups(user.Groups, c.groups)
if !validGroups {
if !validGroups {
return identity, fmt.Errorf("openshift: user %q is not in any of the required teams", user.Name)
return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name)
}
}
identity = connector.Identity{
identity = connector.Identity{
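Review bot: The new `Scopes: []string{"user:info"}` line in the Open hunk drops `user:check-access` and `user:full` without a comment recording why the narrower scope is enough, and the dependency is not obvious from this file alone: HandleCallback (second hunk) still reads `user.Groups` for `validateRequiredGroups`, so the reduced scope must keep returning group membership or the groups filter silently changes meaning. I would put `// user:info is the least-privilege scope that still returns the profile and group membership HandleCallback reads; the dropped scopes are not used by this connector.` directly above the Scopes line. Whether OpenShift's user:info scope actually includes groups is not visible here and should be confirmed against the platform docs before relying on the groups filter under the reduced scope. Open's body begins before this hunk.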