search

cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1
11.34k stars 1.12k forks source link

Allow choosing host when OAuth / Bearer token authentication is enabled #21327

Open marvinruder opened 3 days ago

marvinruder commented 3 days ago

Page: Login

I run a cockpit-ws container on a Fedora CoreOS host, from which I occasionally connect to other hosts. With the host switcher being deprecated, I am looking into the options to connect to other hosts in different ways.

Also, I have activated authentication via OAuth and Bearer tokens. Having this setting active, when opening Cockpit, I am immediately redirected to the OAuth provider and back to the “Validating authentication token” dialog, where my custom Bearer token authentication script always receives the argument localhost as the host to connect to. Right now, I do not see an option for connecting to different hosts with OAuth enabled and the host switcher disabled.

Instead of immediately being redirected to the OAuth provider, I would like to have a button “Log in using OAuth” and the “Connect to” text field below it, so I can enter a host and then go to the OAuth provider. The Bearer token authentication script shall then receive the host input value as a command line argument.

martinpitt commented 3 days ago

Do you use the cockpit/ws container just as a "jump host" (we call that "bastion host"), i.e. log directly into a remote host from the login page using "Connect to:"? That is supported, and will always be, it's not problematic.

image

It sounds like it as your oauth setup wouldn't make much sense from within a Cockpit session -- we don't support oauth in the shell's host switcher (or at least I've never heard of it, perhaps there's a clever trick to make it work).

The "host switcher" is the top left thing in a running session:

image

marvinruder commented 3 days ago

Do you use the cockpit/ws container just as a "jump host" (we call that "bastion host"), i.e. log directly into a remote host from the login page using "Connect to:"? That is supported, and will always be, it's not problematic.

I am trying to set up my container as a bastion host, yes. I know the “Connect to:” interface from when I used password and SSH key authentication. But this input field never shows up when OAuth is enabled, it goes straight to the OAuth provider on page load and then tries to log into localhost.

It sounds like it as your oauth setup wouldn't make much sense from within a Cockpit session -- we don't support oauth in the shell's host switcher (or at least I've never heard of it, perhaps there's a clever trick to make it work).

Currently I sign in to one host preconfigured in my Bearer token authentication script, which is done using OAuth. Once I am in, I can use the host switcher to connect to other hosts, which is done using the first host’s SSH keys.

My cockpit.conf looks as follows:

[WebService]
ProtocolHeader = X-Forwarded-Proto
ForwardedForHeader = X-Forwarded-For
LoginTo = true     # appears to have no effect
RequireHost = true # appears to have no effect

[Bearer]
Command = /container/cockpit-auth-bearer

[OAuth]
URL = https://sso.<domain>/realms/<realm>/protocol/openid-connect/auth?client_id=cockpit&response_type=token

/container/cockpit-auth-bearer is a copy of /container/cockpit-auth-ssh-key, but reads the username and the password for the SSH key from the OAuth access token. It also has to define the host to connect as

host = os.environ.get("COCKPIT_OAUTH_HOST")

because the default behavior is logging into localhost, which does not make sense within a cockpit-ws container.