jvanderhoof
commented
2 years ago @szh, it came to light this morning that we need to make state and likely nonce dynamically generated per authentication request. For the UI, this is fairly straight forward as we can take advantage of sessions. I'm concerned what this might look like in the CLI.
Beyond this question, I'm wondering:
- How will the CLI handle the browser redirect after successful authentication?
- How does the CLI get the
codeandstatevalues from the redirect?
Could you please include a workflow diagram that shows how the data will move between the CLI, browser, CLI, and Conjur?
szh
Desired Outcome
OIDC support was recently added to the Conjur UI. See the supporting documentation (Confluence) for this effort for more details. The goal of this effort will be to add OIDC support to the new (Python) Conjur CLI such that a user can login to Conjur through Okta.
The AWS CLI allows OIDC / MFA authentication by popping open the system's browser. We should explore this approach during design but also keep in mind that this won't work on systems without a GUI (i.e. when running on a Docker container).
In the future, we will also want to support Microsoft ADFS and CyberArk Identity (in addition to Okta) so we should try to design Okta support in a flexible enough way to support additional vendors. Since they all use the OIDC standard this should hopefully be fairly straightforward.
Implemented Changes
Created Solution Design document and Jira stories.
Connected Issue/Story
CyberArk internal issue link: ONYX-24839