redhat-developer / app-services-cli

Command Line Interface for RHOAS
https://redhat-developer.github.io/app-services-website/
Apache License 2.0
41 stars 72 forks

Extend rhoas login by supporting SSO client id and secret #1579

Open apodhrad opened 2 years ago

apodhrad commented 2 years ago

Feature or problem description

Some teams use SSO service accounts which can be authenticated against sso.redhat.com but cannot be used for any "web page" login and cannot obtain a token (please correct me if I'm wrong). Such service accounts are used for logging in to OCM as follows:

ocm login --client-id "${CLIENT_ID}" --client-secret "${CLIENT_SECRET}"

Could we have something similar for rhoas, please?
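As an added illustration (not code from this issue, the rhoas CLI or the ocm CLI): the exchange a client-id/client-secret login of the kind requested above would typically perform is an OAuth2 client_credentials grant, a form-encoded POST of the credentials to a token endpoint. The token URL, the stub server and the DEMO_* values below are constructed for an offline demo and are assumptions, not anything sso.redhat.com or the project documents here. The credentials are read from the CLIENT_ID and CLIENT_SECRET environment variables, as in the ocm example, so the secret is not passed as a literal argument.

```python
import json
import os
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials (hypothetical; accepted only by the stub below).
DEMO_CLIENT_ID = "svc-demo-client"
DEMO_CLIENT_SECRET = "demo-secret-not-real"


class _StubTokenHandler(BaseHTTPRequestHandler):
    """Stand-in for an OAuth2 token endpoint (assumption: client_credentials
    grant, credentials in the form-encoded POST body, JSON response)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = (
            self.path == "/token"
            and form.get("grant_type") == ["client_credentials"]
            and form.get("client_id") == [DEMO_CLIENT_ID]
            and form.get("client_secret") == [DEMO_CLIENT_SECRET]
        )
        if ok:
            body = {"access_token": "stub-access-token", "token_type": "Bearer", "expires_in": 300}
        else:
            body = {"error": "invalid_client"}
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def log_message(self, *args):
        # Silence request logging so credentials never reach stdout.
        pass


def start_stub_server():
    """Start the stub token endpoint on a free localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _StubTokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_service_account_token(token_url, client_id, client_secret, timeout=5):
    """Exchange a service-account client id/secret for an access token.
    Credentials travel in the POST body, never in the URL, so they do not
    end up in proxy or server access logs. Returns the parsed token response."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        token_url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        detail = json.loads(exc.read() or b"{}").get("error", exc.code)
        raise PermissionError(f"token endpoint rejected client: {detail}") from exc
    if "access_token" not in payload:
        raise ValueError("token response carries no access_token")
    return payload


def login_from_env(token_url, env=None):
    """Read CLIENT_ID / CLIENT_SECRET from the environment (as the ocm
    example in the issue does) and perform the exchange."""
    env = os.environ if env is None else env
    try:
        client_id, client_secret = env["CLIENT_ID"], env["CLIENT_SECRET"]
    except KeyError as missing:
        raise SystemExit(f"missing environment variable {missing}") from None
    return fetch_service_account_token(token_url, client_id, client_secret)


if __name__ == "__main__":
    srv = start_stub_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/token"  # constructed endpoint
    tok = fetch_service_account_token(url, DEMO_CLIENT_ID, DEMO_CLIENT_SECRET)
    print("token type:", tok["token_type"], "expires in:", tok["expires_in"], "s")
    srv.shutdown()
```

The stub only exists so the script runs offline; against a real endpoint only fetch_service_account_token and login_from_env apply, and the caller supplies the endpoint URL.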

wtrocki commented 2 years ago

While the request can be done on the RHOAS CLI side, I'm not sure if we will support two types of login:

--token (offline token)
--client-id=... (service accounts)

Moving to client-id is quite a simple and natural choice, but it kinda exceeds the scope of the RHOAS CLI. This is more or less a RHOAS SDKs/RHOAS ecosystem question: how we want to log in for automation purposes etc.

@akoserwal Do you think we can use service accounts to obtain an AccessToken that will work with all fleet managers we have?

wtrocki commented 2 years ago

FYI @gowriswarupk

akoserwal commented 2 years ago

@apodhrad You can use the SSO service account with the ocm client for requests to the control plane API. But it requires some claim configuration for your service account (SSO mapper). I can help with getting it configured.

In the near future, rhosak will support the new sso service account api (self service)

wtrocki commented 2 years ago

Worth mentioning that the current solution is to use an offline refresh token (and the CLI already supports it via the rhoas login --token option).

apodhrad commented 2 years ago

Hi @akoserwal @wtrocki thanks for your quick response.

Today I have found out that rhoas doesn't necessarily require any OCM org or OCM user defined in ocm-resources. But it requires Red Hat orgs and users defined at access.redhat.com so that rhoas can properly work with objects within an org, e.g. clusters from org A cannot be seen from org B.

Thus, using an SSO service account would require an org mapping - is that the mapping you have mentioned?

apodhrad commented 2 years ago

After discussion with @akoserwal we agreed that this request makes sense once we deal with the mas-sso.

I'm ok with that as we can use the token approach.

Please add proper labels according to your workflow.

wtrocki commented 2 years ago

Yes. All you need is https://cloud.redhat.com/openshift/token