uber-go / cadence-client

Framework for authoring workflows and activities running on top of the Cadence orchestration engine.
https://cadenceworkflow.io
MIT License

Support two-legged OAuth flow #1304

Closed mantas-sidlauskas closed 4 months ago

mantas-sidlauskas commented 6 months ago

What changed? Adding AuthorizationProvider, which retrieves a token from an external provider.

Why? This allows providing an access token which is retrieved from a configured, external auth provider (Okta, Auth0, AWS Cognito, etc.). This is a two-legged authentication flow, where the client sends its ID and secret to the auth provider. The token will be sent to the Cadence server, where it has to be validated to allow or deny access.

How did you test it?

Potential risks None
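As an added illustration of the flow the description above outlines (example code written for this page, not code from this PR or from cadence-client), here is a client-credentials provider in Go together with a constructed fake token endpoint standing in for Okta/Auth0/Cognito. The type and method names are assumptions, and the Cadence server side that validates the token is out of scope.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)
// ClientCredentialsProvider performs the two-legged grant the PR describes: client ID and secret go to
// the external token endpoint, and the returned access token is reused for every RPC until it nears expiry.
type ClientCredentialsProvider struct {
	TokenURL, ClientID, ClientSecret string
	mu                               sync.Mutex // GetAuthToken is called from many RPC goroutines
	token                            string
	expiry                           time.Time
}

// GetAuthToken returns the bearer token for an outgoing Cadence RPC, refreshing within 30s of expiry (skew margin).
func (p *ClientCredentialsProvider) GetAuthToken() (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.token != "" && time.Now().Add(30*time.Second).Before(p.expiry) {
		return p.token, nil
	}
	// Credentials travel in the POST body (client_secret_post style), never in the URL or logs.
	resp, err := http.PostForm(p.TokenURL, url.Values{"grant_type": {"client_credentials"},
		"client_id": {p.ClientID}, "client_secret": {p.ClientSecret}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ AccessToken string `json:"access_token"`; ExpiresIn int `json:"expires_in"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil || body.AccessToken == "" {
		return "", fmt.Errorf("token endpoint rejected the request (HTTP %d)", resp.StatusCode)
	}
	p.token, p.expiry = body.AccessToken, time.Now().Add(time.Duration(body.ExpiresIn)*time.Second)
	return p.token, nil
}
// NewFakeTokenServer is a constructed stand-in for Okta/Auth0/Cognito: one valid ID/secret pair, 5-minute tokens, 401 otherwise.
func NewFakeTokenServer(id, secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("grant_type") != "client_credentials" || r.FormValue("client_id") != id || r.FormValue("client_secret") != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"access_token": "tok-123", "expires_in": 300})
	}))
}
```

Caching only limits round trips to the provider; as the description says, the Cadence server still has to validate the token on every call.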

Groxx commented 5 months ago

tbh I'm not seeing why this is internal at all, assuming this is going to end up similarly to the jwt authorizer - it's just a client-RPC-interface wrapper that's trivial to build externally. (the same is true of the jwt authorizer, but that ship has sailed. at least until we remove it.)

is there something about this that requires internal code? that's not part of this PR, so I'm not sure if anything would prevent it from just being another external-friendly wrapper.

edit: ah, we have... some recently changed oauth stuff in the server too 🤔. hmm. that too would be MUCH better broken out into a "real" plugin, rather than the hardcoded half-plugin it currently is. then this'd all be pretty easy to do separately.

mantas-sidlauskas commented 5 months ago

> tbh I'm not seeing why this is internal at all, assuming this is going to end up similarly to the jwt authorizer - it's just a client-RPC-interface wrapper that's trivial to build externally. (the same is true of the jwt authorizer, but that ship has sailed. at least until we remove it.)
>
> is there something about this that requires internal code? that's not part of this PR, so I'm not sure if anything would prevent it from just being another external-friendly wrapper.
>
> edit: ah, we have... some recently changed oauth stuff in the server too 🤔. hmm. that too would be MUCH better broken out into a "real" plugin, rather than the hardcoded half-plugin it currently is. then this'd all be pretty easy to do separately.

100% agree on the plugin way. Anyway, we can move this later. Regarding the "internal" part: if OAuth validation is turned on, internal RPC communication needs to be validated also. Right now, self-signed JWTs with admin privileges are generated. This PR is adding external token support for internal Cadence RPC calls as well.