klinux / gocd-keycloak-oauth-authorization-plugin

GoCD keycloak authorization plugin
Apache License 2.0

Plugin uses deprecated extension API version 1.0 (removed in GoCD 23.2.0) #6

Closed chadlwilson closed 1 year ago

chadlwilson commented 1 year ago

Hiya @klinux - GoCD maintainer courtesy call here as this appears quite a popular plugin for users. 👋

It seems this plugin is using the 1.0 extension API for authorizations.

https://github.com/klinux/gocd-keycloak-oauth-authorization-plugin/blob/86fe6b5dbefffc9c4959ac5bdd74551be9fa3a22/src/main/java/cd/go/authorization/keycloak/Constants.java#L28

Rather than intentional, this is possibly historical because it was forked from https://github.com/szamfirov/gocd-okta-oauth-authorization-plugin which was an older plugin (edit: subsequently updated since this GitHub issue was created).

Support for "1.0" will soon be removed in GoCD 23.2.0 as part of clean-up to support https://github.com/gocd/gocd/issues/11629 (functionality also likely of use to this plugin to increase security). Authorization extension API version 2.0 was introduced in GoCD 19.2.0 and was supposed to be removed many years ago, but was probably forgotten.

https://plugin-api.gocd.org/current/#deprecations-across-extensions58

Supports version 2 of Authorization extension API. Version 2 adds the following new messages:

Plugins Capabilities message is enhanced to add a new capability can_get_user_roles.

The authorization extension v1 has been deprecated. This version will be removed in a release scheduled for September 2019. Plugin developers should upgrade their plugins to the latest version.

Although these additional messages are supported on V2, they are only used/required if you want GoCD access token-based authentication to work for users via the plugin, or if the plugin declares capability can_get_user_roles, e.g. add on to the below

https://github.com/klinux/gocd-keycloak-oauth-authorization-plugin/blob/86fe6b5dbefffc9c4959ac5bdd74551be9fa3a22/src/main/java/cd/go/authorization/keycloak/models/Capabilities.java#L24-L33

TL;DR - I believe you can likely just declare "2.0" API version compatibility and things will work just fine as the server will assume the plugin does not support user roles, and does not support GoCD access/API token usage. This will work on GoCD versions 19.2.0+ so going back 3.5 years or so.

klinux commented 1 year ago

@chadlwilson thank you, I created the first release with 2.0 support.

chadlwilson commented 1 year ago

Thanks! Looks like you've done a bit more than just declare compatibility to also attempt to support some of the extra (optional) features introduced since which is nice :-)