Closed mantas-sidlauskas closed 4 months ago
tbh I'm not seeing why this is internal at all, assuming this is going to end up similarly to the jwt authorizer - it's just a client-RPC-interface wrapper, that's trivial to build externally. (the same is true of the jwt authorizer, but that ship has sailed. at least until we remove it.)
is there something about this that requires internal code? that's not part of this PR, so I'm not sure if anything would prevent it from just being another external-friendly wrapper.
edit: ah, we have... some recently changed oauth stuff in the server too 🤔. hmm. that too would be MUCH better broken out into a "real" plugin, rather than the hardcoded half-plugin it currently is. then this'd all be pretty easy to do separately.
100% agree on the plugin way. Anyway, we can move this later. Regarding the "internal" part: if OAuth validation is turned on, internal RPC communication needs to be validated also. Right now, self-signed JWTs with admin privileges are generated. This PR is adding external token support for internal Cadence RPC calls as well.
What changed? Added AuthorizationProvider, which retrieves a token from an external provider.
Why? This allows providing an access token that is retrieved from a configured, external auth provider (Okta, Auth0, AWS Cognito, etc.). This is a two-legged authentication flow in which the client sends its ID and secret to the auth provider. The token will be sent to the Cadence server, where it has to be validated to allow or deny access.
How did you test it?
Potential risks None
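The two-legged flow described above (client ID and secret sent to the provider, bearer token handed to Cadence), as an added example that is not the PR's code or Cadence's own implementation. The `GetAuthToken() ([]byte, error)` method shape, the `ClientCredentialsProvider` type, and the fake token endpoint standing in for Okta/Auth0/Cognito are all assumptions of this example; server-side validation of the token (signature, issuer, audience, expiry) is the Cadence server's job and is not shown here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

// tokenResponse is the subset of the OAuth 2.0 token response (RFC 6749 §5.1) we need.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// ClientCredentialsProvider (hypothetical name) obtains a token with the OAuth 2.0
// client_credentials grant and caches it until shortly before it expires, so the
// worker does not hit the token endpoint on every RPC.
type ClientCredentialsProvider struct {
	TokenURL     string
	ClientID     string
	ClientSecret string
	Scope        string
	HTTP         *http.Client     // nil means http.DefaultClient
	Now          func() time.Time // injectable clock; nil means time.Now

	mu     sync.Mutex
	token  string
	expiry time.Time
}

// GetAuthToken returns a cached bearer token or fetches a fresh one. The method
// shape mirrors what an authorization provider plugged into the client would expose
// (assumed here, not taken from the PR).
func (p *ClientCredentialsProvider) GetAuthToken() ([]byte, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	now := time.Now()
	if p.Now != nil {
		now = p.Now()
	}
	// Refresh 30s early so a token never expires in flight between client and server.
	if p.token != "" && now.Add(30*time.Second).Before(p.expiry) {
		return []byte(p.token), nil
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	if p.Scope != "" {
		form.Set("scope", p.Scope)
	}
	req, err := http.NewRequest(http.MethodPost, p.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	// Client authentication via HTTP Basic (RFC 6749 §2.3.1). The secret never goes in the URL.
	req.SetBasicAuth(p.ClientID, p.ClientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	client := p.HTTP
	if client == nil {
		client = http.DefaultClient
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") || tr.ExpiresIn <= 0 {
		return nil, errors.New("token endpoint did not return a usable bearer token")
	}
	p.token = tr.AccessToken
	p.expiry = now.Add(time.Duration(tr.ExpiresIn) * time.Second)
	return []byte(p.token), nil
}

// NewFakeTokenServer is a constructed stand-in for an external auth provider: it
// checks Basic client credentials and the grant type, then issues a numbered token.
// It returns the server and a counter of how many token requests it received.
func NewFakeTokenServer(clientID, clientSecret string, ttlSeconds int) (*httptest.Server, *int32) {
	var calls int32
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n := atomic.AddInt32(&calls, 1)
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "unsupported_grant_type"})
			return
		}
		json.NewEncoder(w).Encode(tokenResponse{
			AccessToken: fmt.Sprintf("constructed-token-%d", n), // constructed sample value
			TokenType:   "Bearer",
			ExpiresIn:   ttlSeconds,
		})
	})
	return httptest.NewServer(h), &calls
}

func main() {
	srv, _ := NewFakeTokenServer("cadence-worker", "s3cr3t", 3600)
	defer srv.Close()
	p := &ClientCredentialsProvider{TokenURL: srv.URL, ClientID: "cadence-worker", ClientSecret: "s3cr3t", HTTP: srv.Client()}
	tok, err := p.GetAuthToken()
	fmt.Println(string(tok), err)
}
```

The provider only obtains the token; whatever Cadence server receives it must still validate it before granting access, which is exactly the point the reply above makes about internal RPC calls.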