Closed szh closed 2 years ago
@szh, it came to light this morning that we need to make `state` and likely `nonce` dynamically generated per authentication request. For the UI, this is fairly straightforward as we can take advantage of sessions. I'm concerned what this might look like in the CLI.
Beyond this question, I'm wondering:

- How will the CLI handle the browser redirect after successful authentication? How does the CLI get the `code` and `state` values from the redirect?

Could you please include a workflow diagram that shows how the data will move between the CLI, browser, CLI, and Conjur?
@jvanderhoof I'll work on a diagram. In the meantime, the answer to these questions:

> How will the CLI handle the browser redirect after successful authentication? How does the CLI get the `code` and `state` values from the redirect?

is through the ad-hoc HTTP server that will be launched on localhost. See this code example for an illustration.

Regarding the `state` and `nonce` being generated dynamically, are they generated by the client? If so, we may be able to store it in the `.conjurrc` file even if it's only valid for a single "session". Unfortunately the `.netrc` spec doesn't support storing arbitrary extra values.

Edit: Here's a draft diagram
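The loopback-redirect mechanism discussed in this thread, as an added example that is not code from the Conjur CLI or from either commenter. It shows a CLI minting a fresh `state` and `nonce` per authentication request, binding an ad-hoc HTTP server on 127.0.0.1 with an ephemeral port (the loopback redirect permitted by RFC 8252 for native apps), opening the browser to the authorization URL, and then accepting the `code` only when the `state` on the redirect matches the one it issued. The issuer URL and client ID are constructed placeholders, and `fake_browser` is a stand-in for a real browser so the exchange can be driven offline; everything else uses only the Python standard library.

```python
import secrets
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders, not a real Okta tenant or client.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "example-client-id"


def new_auth_request(issuer, client_id, redirect_uri):
    """Mint a fresh state and nonce for ONE authentication request and
    build the authorization URL the CLI opens in the browser."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,   # echoed back on the redirect; ties it to this request
        "nonce": nonce,   # not on the redirect; reappears as a claim in the ID token
    }
    url = issuer + "/v1/authorize?" + urllib.parse.urlencode(params)
    return {"state": state, "nonce": nonce, "url": url}


class CallbackHandler(BaseHTTPRequestHandler):
    """Handles the single GET the browser makes to the loopback redirect_uri."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(parsed.query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        expected = self.server.expected_state or ""
        if parsed.path != "/callback":
            self._finish(404, "not found", None)
        elif "error" in query:
            self._finish(400, "authentication failed", ("error", query["error"][0]))
        elif state is None or not secrets.compare_digest(state.encode(), expected.encode()):
            # Unknown or replayed state: refuse it, so a forged redirect cannot
            # plant an attacker's code into this login.
            self._finish(400, "state mismatch", ("error", "state mismatch"))
        elif code is None:
            self._finish(400, "missing code", ("error", "missing code"))
        else:
            self._finish(200, "Login complete, you can close this tab.", ("ok", code))

    def _finish(self, status, body, result):
        if result is not None:
            self.server.result = result
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the CLI's terminal output clean
        pass


class CallbackServer(HTTPServer):
    """Ad-hoc server on 127.0.0.1 with an OS-chosen port (RFC 8252 loopback redirect)."""

    def __init__(self):
        super().__init__(("127.0.0.1", 0), CallbackHandler)
        self.expected_state = None
        self.result = None

    @property
    def redirect_uri(self):
        return "http://127.0.0.1:%d/callback" % self.server_address[1]

    def wait_for_redirect(self, timeout=120.0):
        """Serve requests one at a time until a result is recorded or time runs out."""
        self.timeout = 0.2
        deadline = time.monotonic() + timeout
        while self.result is None and time.monotonic() < deadline:
            self.handle_request()
        return self.result or ("error", "timed out waiting for browser redirect")


def login(issuer=ISSUER, client_id=CLIENT_ID, open_browser=webbrowser.open, timeout=120.0):
    """Bind the port first (the redirect_uri must be known before the URL is
    built), mint state/nonce, open the browser, then wait for the redirect."""
    server = CallbackServer()
    try:
        req = new_auth_request(issuer, client_id, server.redirect_uri)
        server.expected_state = req["state"]
        open_browser(req["url"])
        status, value = server.wait_for_redirect(timeout)
    finally:
        server.server_close()
    if status != "ok":
        raise RuntimeError("OIDC login failed: " + value)
    # Next step (not shown): exchange `code` at the token endpoint, then verify the
    # ID token's nonce claim equals req["nonce"] before trusting it.
    return {"code": value, "nonce": req["nonce"]}


def fake_browser(code="constructed-code", tamper_state=False):
    """Stand-in for a real browser (demo only): follows the redirect back to the CLI
    from a thread, optionally with a wrong state to show the check rejecting it."""
    def open_url(url):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        state = "forged-state" if tamper_state else q["state"][0]
        cb = q["redirect_uri"][0] + "?" + urllib.parse.urlencode({"code": code, "state": state})
        def go():
            try:
                urllib.request.urlopen(cb).read()
            except urllib.error.HTTPError:
                pass  # the CLI answers 400 on a bad state; that is the expected outcome
        threading.Thread(target=go, daemon=True).start()
        return True
    return open_url


if __name__ == "__main__":
    print(login())  # opens the system browser; headless hosts need another path
```

Two points this makes concrete for the thread: the `state` is the only value the CLI can check on the redirect itself, and it has to be kept in the CLI process (or somewhere like `.conjurrc`) between building the URL and receiving the callback; the `nonce` never comes back on the redirect and can only be checked against the ID token after the code exchange. Because the redirect lands on the same host that ran the CLI, this flow cannot work where no browser can reach 127.0.0.1 of the CLI process, which is the container case raised in the issue.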
Desired Outcome
OIDC support was recently added to the Conjur UI. See the supporting documentation (Confluence) for this effort for more details. The goal of this effort will be to add OIDC support to the new (Python) Conjur CLI such that a user can log in to Conjur through Okta.
The AWS CLI allows OIDC / MFA authentication by popping open the system's browser. We should explore this approach during design but also keep in mind that this won't work on systems without a GUI (i.e. when running in a Docker container).
In the future, we will also want to support Microsoft ADFS and CyberArk Identity (in addition to Okta) so we should try to design Okta support in a flexible enough way to support additional vendors. Since they all use the OIDC standard this should hopefully be fairly straightforward.
Implemented Changes
Created Solution Design document and Jira stories.
Connected Issue/Story
CyberArk internal issue link: ONYX-24839