pulp / pulp-cli

https://docs.pulpproject.org/pulp_cli/
GNU General Public License v2.0

Add support for issuing a token from an IdentityProvider using the OAuth2 or OpenIDConnect `client_credential` grant. #926

Open decko opened 3 months ago

decko commented 3 months ago

Summary

Using the OAuth2 or OpenIDConnect client_credential grant, we can issue a token from a third-party Identity Provider to be used to authenticate against Pulp or an API Gateway in front of it. This access_token would be sent as an Authorization header along with the request to the Pulp instance.

Examples

As an example we could use: `pulp --client_id <client_id> --client_secret <client_secret> --token_url <https://identityprovider.com/oidc/token> status` to request pulp status.

mdellweg commented 3 months ago

Please have a look at container registries. We do not want the user to know the URL of the token server. The API (or API gateway) must send the bearer server URL along with a WWW-Authenticate header, which in turn a subclass of `requests.auth.AuthBase` in pulp-cli shall use to issue a token. No need to add any new parameter for the user to bother.