sky-uk / osprey

Kubernetes OIDC CLI login
BSD 3-Clause "New" or "Revised" License

Azure OIDC V2.0 authorisation updates #75

Closed saley89 closed 2 years ago

saley89 commented 2 years ago

For sky-uk/core-aws#2448

Updates Osprey to use V2.0 of the /.well-known/openid-configuration API. This in turn makes Osprey use the /oauth2/v2.0/authorize endpoint returned from the open-id config.

Version 2.0 handles situations where users have large numbers of groups in Azure. The authorisation then starts to return "distributed claims" instead of just the groups directly due to the number of them. Instead of the groups list, a URL is provided, from where the list can be fetched (see Groups overage claim).

Once updated to v2.0, the kubernetes API servers are already set up to handle this.
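The distributed-claims layout that the overage case produces, shown as an added Go example that is not part of osprey: it resolves the groups claim from a decoded token payload using the OpenID Connect Core `_claim_names` / `_claim_sources` structure, returning either the inline list or the endpoint the client must fetch the full list from, and refuses endpoints outside an allow-list of expected IdP hosts. The sample payload and the `graph.example.test` hostname are constructed, and the allow-list check is an assumption about client policy rather than osprey's own behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed sample payload (not a real token) carrying a distributed groups claim.
const overagePayload = `{"sub": "user-1", "_claim_names": {"groups": "src1"},
  "_claim_sources": {"src1": {"endpoint": "https://graph.example.test/users/user-1/getMemberObjects"}}}`

// GroupsClaim holds either the inline groups list or the endpoint the full list must be fetched from.
type GroupsClaim struct {
	Groups   []string
	Endpoint string
}

// ResolveGroups decodes an ID-token payload and returns the inline groups list or, per
// OpenID Connect Core 1.0 section 5.6.2 (distributed claims), the endpoint named by
// _claim_names/_claim_sources. allowedHosts: IdP hosts the client may send its token to (assumed policy).
func ResolveGroups(payload []byte, allowedHosts map[string]bool) (GroupsClaim, error) {
	var tok struct {
		Groups       []string          `json:"groups"`
		ClaimNames   map[string]string `json:"_claim_names"`
		ClaimSources map[string]struct {
			Endpoint string `json:"endpoint"`
		} `json:"_claim_sources"`
	}
	if err := json.Unmarshal(payload, &tok); err != nil {
		return GroupsClaim{}, fmt.Errorf("decode token payload: %w", err)
	}
	if tok.Groups != nil {
		return GroupsClaim{Groups: tok.Groups}, nil // small membership: list is inline
	}
	src, ok := tok.ClaimSources[tok.ClaimNames["groups"]]
	if !ok || src.Endpoint == "" {
		return GroupsClaim{}, fmt.Errorf("token carries no usable groups claim, inline or distributed")
	}
	// The token is signed, but the endpoint it names is data the client acts on: only follow it over HTTPS to an expected host.
	u, err := url.Parse(src.Endpoint)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Host] {
		return GroupsClaim{}, fmt.Errorf("refusing to fetch groups from unexpected endpoint %q", src.Endpoint)
	}
	return GroupsClaim{Endpoint: src.Endpoint}, nil
}

func main() {
	fmt.Println(ResolveGroups([]byte(overagePayload), map[string]bool{"graph.example.test": true}))
}
```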

howardburgess commented 2 years ago

Testing

Linux

❯ cat /etc/fedora-release
Fedora release 35 (Thirty Five)

❯ uname -a
Linux zephyr.localdomain 5.15.12-200.fc35.x86_64 #1 SMP Wed Dec 29 15:03:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

❯ make install
== install
Installing binary for linux
GOOS=linux GOARCH=amd64 go install -ldflags '-X "github.com/sky-uk/osprey/cmd.version=dev-e24aa2d" -X "github.com/sky-uk/osprey/cmd.buildTime=Tue  4 Jan 18:21:55 UTC 2022"' -v

❯ which osprey
/var/home/howard/go/bin/osprey

❯ osprey --version
osprey version dev-e24aa2d (Tue  4 Jan 18:21:55 UTC 2022)

❯ osprey user login
INFO[0000] Active group (default): dev
Opening browser window to authenticate:
https://login.microsoftonline.com/REDACTED/oauth2/v2.0/authorize?client_id=REDACTED&redirect_uri=http%3A%2F%2Flocalhost%3A65525%2Fauth%2Fcallback&response_type=code&scope=api%3A%2F%2F9bd903fd-f8df-4390-9a45-ab2fa28673b4%2FKubernetes.API.All&state=as78%2Asadf%24212
INFO[0003] Logged in to: ...

❯ osprey user login --use-device-code
INFO[0000] Active group (default): dev
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CC8UGUYEH to authenticate.
INFO[0025] Logged in to: ...

macOS

# macOS Monterey
❯ sw_vers -productversion
12.1

❯ uname -a
Darwin lumen.local 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:29:10 PST 2021; root:xnu-8019.61.5~1/RELEASE_ARM64_T8101 arm64

❯ make install
== install
Installing binary for darwin
GOOS=darwin GOARCH=amd64 go install -ldflags '-X "github.com/sky-uk/osprey/cmd.version=dev-e24aa2d" -X "github.com/sky-uk/osprey/cmd.buildTime=Tue  4 Jan 2022 18:28:18 UTC"' -v

❯ which osprey
/Users/howard/go/bin/darwin_amd64/osprey

❯ osprey --version
osprey version dev-e24aa2d (Tue  4 Jan 2022 18:28:18 UTC)

❯ osprey user login
INFO[0000] Active group (default): dev
Opening browser window to authenticate:
https://login.microsoftonline.com/REDACTED/oauth2/v2.0/authorize?client_id=REDACTED&redirect_uri=http%3A%2F%2Flocalhost%3A65525%2Fauth%2Fcallback&response_type=code&scope=api%3A%2F%2F9bd903fd-f8df-4390-9a45-ab2fa28673b4%2FKubernetes.API.All&state=as78%2Asadf%24212
INFO[0005] Logged in to: ...

❯ osprey user login --use-device-code
INFO[0000] Active group (default): dev
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CDRYSNEBN to authenticate.
INFO[0035] Logged in to: ...