Open decko opened 3 months ago
Please have a look at container registries. We do not want the user to know the url of the token server. The api (or api-gateway) must send the bearer server url along with a www-authenticate header, which in turn a subclass of requests.auth.AuthBase in pulp-cli shall use to issue a token. No need to add any new parameter for the user to bother.
Summary
Using OAuth2 or OpenIDConnect `client_credential` grant, we can issue a token from a third party Identity Provider to be used to authenticate against Pulp or an API Gateway in front of it. This `access_token` would be sent as an `Authorization` header along the request to the Pulp instance.
Examples
As an example we could use:
pulp --client_id <client_id> --client_secret <client_secret> --token_url <https://identityprovider.com/oidc/token> status
to request pulp status.
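An added sketch of the flow discussed in this thread (not pulp-cli code and not written by either participant): a `requests.auth.AuthBase` subclass that reads the token URL from the `WWW-Authenticate: Bearer` challenge and obtains a token with the `client_credentials` grant. The class name, the `allowed_token_hosts` pinning, and the treatment of `realm` as an OAuth2 token endpoint that accepts HTTP Basic client authentication are assumptions of this example.

```python
import re
from urllib.parse import urlsplit
import requests
from requests.auth import AuthBase

_PARAM = re.compile(r'(\w+)="([^"]*)"')  # quoted auth-params only

def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer challenge as a dict, else None."""
    scheme, _, rest = (header or "").strip().partition(" ")
    return dict(_PARAM.findall(rest)) if scheme.lower() == "bearer" else None

class ChallengeBearerAuth(AuthBase):
    """Hypothetical class: learns the token URL from the 401 challenge."""
    def __init__(self, client_id, client_secret, allowed_token_hosts):
        self.client = (client_id, client_secret)
        # Assumption: token hosts are pinned in CLI configuration, so a spoofed
        # challenge cannot steer the client secret to an arbitrary server.
        self.allowed_token_hosts = set(allowed_token_hosts)
        self.token = None

    def __call__(self, request):
        if self.token:
            request.headers["Authorization"] = f"Bearer {self.token}"
        request.register_hook("response", self.handle_401)
        return request

    def fetch_token(self, params):
        url = urlsplit(params["realm"])
        if url.scheme != "https" or url.hostname not in self.allowed_token_hosts:
            raise ValueError(f"refusing token URL {params['realm']!r}")
        # requests omits form fields whose value is None, so scope is optional.
        data = {"grant_type": "client_credentials", "scope": params.get("scope")}
        reply = requests.post(params["realm"], data=data, auth=self.client, timeout=10)
        reply.raise_for_status()
        return reply.json()["access_token"]

    def handle_401(self, response, **kwargs):
        params = parse_bearer_challenge(response.headers.get("WWW-Authenticate"))
        if response.status_code != 401 or not params or "realm" not in params:
            return response
        self.token = self.fetch_token(params)
        response.content  # drain the body so the connection can be reused
        response.close()
        retry = response.request.copy()
        retry.deregister_hook("response", self.handle_401)  # retry only once
        retry.headers["Authorization"] = f"Bearer {self.token}"
        retried = response.connection.send(retry, **kwargs)
        retried.history.append(response)
        return retried
```

The client secret is only ever sent to an `https` URL whose host is in the pinned set; any other `realm` value raises before a network call is made.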