pingcap / tidb-dashboard

A Web UI for monitoring, diagnosing and managing the TiDB cluster.
https://docs.pingcap.com/tidb/stable/dashboard-intro
Apache License 2.0

chore(sso): improve client secret security #1599

Closed. baurine closed this 11 months ago.

baurine commented 11 months ago

Related PR: https://github.com/pingcap/tidb-dashboard/pull/1567, which adds support for the "Client Secret Post" authentication method. (When you create a regular web app in the Auth0 console, it uses the "Client Secret Post" authentication method.)

This PR handles compatibility with the old version and hides the client secret for security.

Test

  1. Log in to Auth0 with a Google account.

  2. Create a "Regular Web App" application and a "Single Web App" application in Auth0.

  3. Set the Allowed Callback URLs and Allowed Logout URLs for the above applications, following the steps in https://docs.pingcap.com/tidb/stable/dashboard-session-sso#example-2-use-auth0-for-tidb-dashboard-sso-sign-in

  4. In tidb-dashboard, go to the SSO configuration page and fill in the OIDC Client ID. If the Client ID comes from an Auth0 single web app, we don't need to fill in the OIDC Client Secret. If the Client ID comes from an Auth0 regular web app, we need to fill in the OIDC Client Secret as well.

  5. Log out and log in via SSO.

Demo

https://github.com/pingcap/tidb-dashboard/assets/1284531/cd6a658e-8c53-466c-98fc-d3cb448e63d1
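As an added illustration of the two points in this PR description (not code from tidb-dashboard or from the PR itself), the Go sketch below shows a hypothetical SSO settings type that keeps the client secret out of API responses, selects "none" versus "client_secret_post" based on whether a secret is configured, and treats an empty secret in a settings update as "keep the stored one" so older clients that omit the field keep working. All type and function names, and the update-merging rule, are assumptions.

```go
package main
import "net/url"

// SSOConfig: server-side OIDC settings (hypothetical shape, not the project's
// own type). The json:"-" tag keeps the secret out of every API response.
type SSOConfig struct {
	Enabled      bool   `json:"enabled"`
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"-"`
}

// SSOConfigView is what the UI receives: only whether a secret is stored.
type SSOConfigView struct {
	Enabled         bool   `json:"enabled"`
	ClientID        string `json:"client_id"`
	ClientSecretSet bool   `json:"client_secret_set"`
}

func (c SSOConfig) Redact() SSOConfigView {
	return SSOConfigView{Enabled: c.Enabled, ClientID: c.ClientID, ClientSecretSet: c.ClientSecret != ""}
}

// TokenAuthMethod: "none" for a public client (Auth0 single web app, no
// secret), "client_secret_post" when a secret is set (Auth0 regular web app).
func (c SSOConfig) TokenAuthMethod() string {
	if c.ClientSecret == "" {
		return "none"
	}
	return "client_secret_post"
}

// TokenRequestForm builds the code-exchange POST body; the secret is added
// only for client_secret_post.
func (c SSOConfig) TokenRequestForm(code, redirectURI string) url.Values {
	v := url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {redirectURI}, "client_id": {c.ClientID}}
	if c.TokenAuthMethod() == "client_secret_post" {
		v.Set("client_secret", c.ClientSecret)
	}
	return v
}

// Apply merges a UI update; an empty secret keeps the stored one (the UI never sees it; old clients may omit it).
func (c SSOConfig) Apply(enabled bool, clientID, clientSecret string) SSOConfig {
	next := SSOConfig{Enabled: enabled, ClientID: clientID, ClientSecret: c.ClientSecret}
	if clientSecret != "" {
		next.ClientSecret = clientSecret
	}
	return next
}
```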

netlify[bot] commented 11 months ago

Deploy Preview for tidb-dashboard ready!

Name Link
Latest commit 54ee127ba615f739f563b85eaed7ff75c0182cb4
Latest deploy log https://app.netlify.com/sites/tidb-dashboard/deploys/6526446cc1bc190008dc553e
Deploy Preview https://deploy-preview-1599--tidb-dashboard.netlify.app

codecov[bot] commented 11 months ago

Codecov Report

Merging #1599 (54ee127) into master (38109d4) will increase coverage by 0.00%. Report is 1 commits behind head on master. The diff coverage is 28.57%.

Additional details and impacted files

```diff
@@            Coverage Diff            @@
##           master    #1599     +/-   ##
=======================================
  Coverage   24.70%   24.71%
=======================================
  Files         169      169
  Lines       15218    15227     +9
=======================================
+ Hits         3760     3763     +3
- Misses      11176    11182     +6
  Partials      282      282
```

| Flag | Coverage Δ | |
|---|---|---|
| backend_integration | `9.32% <28.57%> (+<0.01%)` | :arrow_up: |
| backend_ut | `26.42% <ø> (+<0.01%)` | :arrow_up: |

Flags with carried forward coverage won't be shown. Legend: `Δ = absolute (impact)`, `ø = not affected`, `? = missing data`. Last update e1ded02...54ee127.

ti-chi-bot[bot] commented 11 months ago

@mornyx: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to [this](https://github.com/pingcap/tidb-dashboard/pull/1599#pullrequestreview-1670388552):

> Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

ti-chi-bot[bot] commented 11 months ago

[LGTM Timeline notifier]

Timeline:

ti-chi-bot[bot] commented 11 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mornyx, shhdgit

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/pingcap/tidb-dashboard/blob/master/OWNERS)~~ [shhdgit]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.