First login to harbor with oidc-auth and api/curl

dm0610 commented 2 years ago

Hello everyone. Tell me, is there a real opportunity to make the first login to Harbor via oidс not through GUI, but through api? I easily get the id_token from the keycloak, but I can't log in with it to harbor. I know the official documentation recommends going through a browser. But this is not convenient for technical accounting (( And Harbor cannot create a local copy of the oidc-account via api((

We are trying to automate getting of cli-tokens for technical accounts. here i get token private static String auth(script, String credentialsId){ script.withCredentials([script.usernamePassword(credentialsId: credentialsId, usernameVariable: 'USER', passwordVariable: 'PASS'), script.usernamePassword(credentialsId: 'admin_user_id', usernameVariable: 'USER2', passwordVariable: 'PASS2')]) { def out = script.sh script: "curl -s --location --request POST 'https://sso.mycompany.com/auth/realms/my_company/protocol/openid-connect/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=password' \ --data-urlencode 'client_id=$script.USER2' \ --data-urlencode 'client_secret=$script.PASS2' \ --data-urlencode 'scope=openid' \ --data-urlencode 'response_type=id_token' \ --data-urlencode 'username=$script.USER' \ --data-urlencode 'password=$script.PASS'", returnStdout: true return script.readJSON(text: out).id_token } } After that I try to connect via api: curl -v -H "Authorization: Bearer $token" https://harbor.mycompany.com/api/v2.0/users/current `{ [5 bytes data]

Mark bundle as not supporting multiuse < HTTP/1.1 401 Unauthorized < Server: nginx < Date: Tue, 23 Nov 2021 13:39:42 GMT < Content-Type: application/json; charset=utf-8 < Content-Length: 62 < Connection: keep-alive < Set-Cookie: sid=55abaabc7eaef26vvqc84f02423e5ca45e; Path=/; Secure; HttpOnly < X-Request-Id: 7f72qa2ab-4422-45bf-a455-70dfs26f3e9732 < { [62 bytes data] {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}`

Is there a real solution to this problem?

Vad1mo commented 2 years ago

A user can get the CLI Token with that he can do also API Calls and push/pull images with docker.
Another approach is to use robot accounts, push pull operation.

There is no other way.

Could you explain what you are trying to achieve a bit more in detail or why it's difficult for a user to login to Harbor and get his token?

dm0610 commented 2 years ago

@Vad1mo hello, Thanks for the answer. I know about robot accounts. Their main fault is that they do not work with harbor api. Therefore, our team decided to use domain technical accounts. A keyloak is used for authentication. One problem is that in Harbor, for authentication using OIDC, you must log in for the first time through the browser (GUI) - harbor needs to create local copy of account. There is no such possibility for api. Therefore, any automation for creating cli tokens loses its meaning - you will have to manually login first (( Hence my question - maybe I just did not find a way to make the first login via api

Vad1mo commented 2 years ago

here is a hack: how you might use robot accounts for api calls:

Enable Debugging on Harbor Core
Create a system-wide robot account (the permission set does not matter)
run the API operation
Check logs what permission is missing
Add the missing permission in the DB manually
Repeat until you don't see any errors!

mymarche commented 2 years ago

Hack it's a nice, but why don't realize the Client credentials flow?

sagikazarmark commented 2 years ago

This is really a pain for a lot of reasons:

The documentation is absolutely useless, the wiki contains some random links to issues with no real details, so people will have to find most if this out for themselves.
The average user can't be expected to "add missing permissions in the DB manually"
Similarly, the general direction to "get an ID token somehow" isn't something that an average user will do.

Robot accounts can't do everything (without some manual hacking), so using robot accounts for API authentication is not always going to be enough.

Am I missing something? After spending half a day in the docs and on the issue tracker, this is what I managed to figure out.

chazapis commented 2 years ago

I am facing a similar issue (also mentioned in #15556, #13683, and many others...). I need to get a user's id and CLI token before the user logs in for the first time "properly", i.e. via a browser. Since Harbor is configured to use OIDC, there is no way to create a user programmatically.

An easy fix would be to allow just that. Now, when POSTing to /users, I get 403, since OIDC is enabled. I suggest the admin to be allowed to create a user with a username (and nothing else) via the API, and Harbor to assign an id and CLI token. When the actual user does eventually log in via a browser, he/she should be mapped to the existing account with the same username (which I guess is already done).

As a workaround, I now have to monitor logins via the OIDC server and trigger my code several seconds after a user logs in to Harbor, which is impractical.

prashi2202 commented 2 years ago

@Vad1mo : A user can get the CLI Token with that he can do also API Calls and push/pull images with docker.

How do we do that ? My setup is behind Okta OIDC provider and Harbor running on EKS cluster.