feat: keelconfig auth configuration #1296

Merged
merged 4 commits into from
Nov 13, 2023

@davenewza davenewza commented Nov 13, 2023

Auth configuration in keelconfig.yaml

The following can be configured:

  • Access and refresh token expiries
  • Built-in providers (google supported in this PR)
  • Custom oidc providers for ID token and OAuth authentication
  • Custom oauth providers for OAuth authentication only

Each type has its own set of requirements, but all require a name and a clientId.

auth:
  tokens:
    # In seconds
    accessTokenExpiry: 3600
    refreshTokenExpiry: 604800
    
  providers:
    # Built-in Google provider
    - type: google
      name: GoogleClient1
      clientId: jjshflsis2ss23

    # Built-in Google provider
    - type: google
      name: GoogleAdmin
      clientId: 23f223twefgwfw

    # Custom OIDC
    - type: oidc
      name: Auth0
      issuerUrl: 'https://dev-skhlutl45lbqkvhv.us.auth0.com'
      clientId: 'kasj28fnq09ak'

    # Custom OAuth
    - type: oauth
      name: Github
      clientId: hfjuw983h1hfsdf
      authorizationUrl: https://github.com/auth
      tokenUrl: https://github.com/token

Telemetry

If an issuer is not registered, then the client will get the standard 401:

{
    "error": "invalid_client",
    "error_description": "possible causes may be that the id token is invalid, has expired, or has insufficient claims"
}

But the tracing will capture the underlying reason properly:

image

Outstanding

  • Per environment/slug configuration
  • Disable refresh token rotation by config item
  • How we do the client secret thing for OAuth providers

@davenewza davenewza requested a review from a team November 13, 2023 11:34
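
One way to check the provider list from the PR description above, written as an added Go example and not Keel's own validation code. The `Provider` struct and `ValidateProviders` are hypothetical names; which URL fields each type needs is inferred from the sample config, and the https requirement and unique-name rule are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// Provider mirrors one auth.providers entry (hypothetical type, not Keel's own).
type Provider struct {
	Type, Name, ClientID, IssuerURL, AuthorizationURL, TokenURL string
}

// ValidateProviders returns one message per problem; an empty result means valid.
func ValidateProviders(ps []Provider) []string {
	var errs []string
	seen := map[string]bool{}
	for i, p := range ps {
		id := fmt.Sprintf("providers[%d]", i)
		if p.Name == "" || p.ClientID == "" { // stated in the PR: every type needs both
			errs = append(errs, id+": name and clientId are required")
		}
		if p.Name != "" && seen[p.Name] { // assumption: a name identifies one provider
			errs = append(errs, id+": duplicate name "+p.Name)
		}
		seen[p.Name] = true
		var urls [][2]string // assumption: per-type URL fields, taken from the sample
		switch p.Type {
		case "google": // built-in provider: no endpoints to configure
		case "oidc":
			urls = [][2]string{{"issuerUrl", p.IssuerURL}}
		case "oauth":
			urls = [][2]string{{"authorizationUrl", p.AuthorizationURL}, {"tokenUrl", p.TokenURL}}
		default:
			errs = append(errs, id+": unknown type "+p.Type)
		}
		for _, f := range urls { // an empty or plain-http endpoint is rejected
			if u, err := url.Parse(f[1]); err != nil || u.Scheme != "https" || u.Host == "" {
				errs = append(errs, id+": "+f[0]+" must be an https URL")
			}
		}
	}
	return errs
}

func main() { // constructed input: an oauth entry whose tokenUrl is plain http
	fmt.Println(ValidateProviders([]Provider{
		{Type: "oauth", Name: "Github", ClientID: "x", AuthorizationURL: "https://github.com/auth", TokenURL: "http://github.com/token"},
	}))
}
```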
})
}

missingProviderNames := findAuthProviderMissingName(config.Auth.Providers)
Member

I feel like we could do all this validation using a JSON schema. Not for this PR but something to consider.

Contributor Author

Totally agree. I should have done that from the start

Member

@jonbretman jonbretman left a comment

LGTM

@davenewza davenewza merged commit e75a27c into main Nov 13, 2023
10 checks passed
@davenewza davenewza deleted the ke-1240-move-auth-config-to-keelconfig branch November 13, 2023 14:58