Open LucasRoesler opened 4 years ago
@viveksyngh what do you think? Could these tokens be saved in the existing config file design?
To me this looks like, we already have an oauth2
authentication token and we want to just save it.
We can also use faas-cli auth
command or add another subcommand. As long as we will send that token as bearer token, we can save that as oauth2
auth type in the config file.
We can directly save this to file or can also do some validation of the token by making a call to info
endpoint of the gateway.
If we are doing oauth flow with faas auth
command. It saves the bearer token to the config file after successful oauth flow.
Does that help with what you need @LucasRoesler ?
I want to have a way to save a token that does not need to be integrated into the openfaas specific auth provider. We disable auth in openfaas and have a proxy with a standardized auth in front of it. I would really hate to see this coupled to something in the gateway. All I really want is the ability for the CLI to reuse a token from the config so that o don't need to pass --token
to every command.
I really don't have a strong preference for putting it in login or auth, I figured that because this flow is not specific to oauth, login made the most sense. I would actually like to see it generalized and to allow the person specify the header and an optional prefix, but I figured people wouldnt be interested and I didn't need it for my usecase, so I proposed the smallest change
Perhaps a config type entry like external
might work? https://github.com/openfaas/faas-cli/blob/master/config/config_file.go#L33
@viveksyngh and I were talking about this on a call, and we think it would be good to test the token before saving it, i.e. by hitting /system/info and looking for a 200. I prefer the auth command to save arbitrary tokens.
A separate type is a good idea, but I would call it token
or authorizationToken
instead of external
. External is so generic that it might become a kitchen sink solution.
Pinging @viveksyngh What's the simplest way to make this work? Do we need any code changes in the config or can we use the existing mechanism?
It will be a small change only. We will might have introduce a new auth type and make it implement ClientAuth
from proxy. Then make some changes in NewCLIAuth
function https://github.com/openfaas/faas-cli/blob/b0a70a3f4f20d986ce12aff4216b3e7e07c0c44f/commands/general.go#L46
Also, some changes will be required in login command to validate the token and save it to file with new type.
Expected Behaviour
I would like to authenticate the CLI using a token and persist this to the configuration
And then subsequent CLI commands will reuse this token without needing to specify it via a flag, these two commands would be equivalent after authentication
Current Behaviour
faas-cli login
only supports basic authContext
This is useful when using an authentication proxy in the load balancer layer versus enabling auth directly in openfaas. For example,
nginx
can make a side request to authenticate a request. We often enable this as a centralized auth layer instead of enabling authentication in each application that is deployed.