OAuth2 #8

wild-endeavor · 2019-10-01T17:43:32Z

This adds OAuth2 support for Flyte Admin.

Most of the logic has been implemented in the auth package. Care was taken, at least attepted, to separate logic that exclusively dealt with oauth into this package.
The code implements the authorization code flow, which means you'll need a client secret, and there is no implicit flow.
Most of the core logic is in the handlers.go file, which has functions that create handlers (both HTTP and gRPC) that can be attached to existing servers. See the serve.go file to see usage.
Encrypted cookies are used to store the user's access (oidc) and refresh tokens. Two other cookies (the CSRF token and the final redirect page) are stored unencypted.
Reworked some of the options handling around the base server logic in serve.go, specifically around SSL handling.

Docs forthcoming in the main flyte repo. Also more unit tests and metrics here in another PR after the remaining auth work is done.

…nd cookies into a cookie manager from other files

…ning up token validation logic

…l, add a new redirect url, move config to a separate object inside the auth package

* switched out the jwt-go library for the go-oidc library, which is also capable of handling jwt verification, and is even better because it caches jwks key sets. * delete old tests and comment

…an just the RFC specified ones like 'authorization' because Envoy.

…t, add a new grpc interceptor that renames the authorization header from a custom one to the official one

…rt cycle

…o the auth context setup part

…cope to authorization request

…mments

CORS support for gwmux

katrogan

sorry for a bunch of nits but this looks really great!

pkg/auth/auth_context.go

pkg/auth/cookie.go

pkg/auth/handler_utils.go

pkg/auth/handlers.go

pkg/server/cors.go

* origin/master: Metadata url and base url as items in the auth context (#33) OAuth2 (#8) Log links merging logic should take log link names into account (#32) Generic type support in workflow compiler (#31) Fix invalid filter function error message (#30) Support postgres extra options [gcp] (#27) Fix no auth provider [gcp] (#28)

honnix · 2019-11-20T19:29:09Z

As a reminder, https://github.com/lyft/flyteadmin/pull/8/files#diff-10cb7b7d10da61a9793a32f86a893485L5 makes sandbox deployment in flyte repo incompatible now with master.

wild-endeavor · 2019-11-20T21:48:33Z

@honnix thank you... I'll fix soon. forgot to do that.

This adds OAuth2 support for Flyte Admin. * Most of the logic has been implemented in the auth package. Care was taken, at least attepted, to separate logic that exclusively dealt with oauth into this package. * The code implements the authorization code flow, which means you'll need a client secret, and there is no implicit flow. * Most of the core logic is in the `handlers.go` file, which has functions that create handlers (both HTTP and gRPC) that can be attached to existing servers. See the `serve.go` file to see usage. * Encrypted cookies are used to store the user's access (oidc) and refresh tokens. Two other cookies (the CSRF token and the final redirect page) are stored unencypted. * Reworked some of the options handling around the base server logic in `serve.go`, specifically around SSL handling. Docs forthcoming in the main flyte repo. Also more unit tests and metrics here in another PR after the remaining auth work is done.

Also clean up the logic around resolving parameter and literal map a bit more.

Yee Hing Tong and others added 28 commits September 29, 2019 14:12

copying over

e1973aa

copying remaining files over

40801ca

changing ssl credentials options when building gRPC server

ef0abf0

moving securecookie keys to files and regenerating, moving logic arou…

3dddb35

…nd cookies into a cookie manager from other files

renaming jwt.go to token.go, using stdlib errors in most places, clea…

380828f

…ning up token validation logic

remove prints, use some constants

45d5916

move ssl stuff out of auth folder, rename redirect url to callback ur…

4a34573

…l, add a new redirect url, move config to a separate object inside the auth package

move allowed characters

5341109

updating sample configuration to match

92251ea

add cookie test

5d86638

nit

5d07f6b

Switch jwt library (#12)

d7234f7

* switched out the jwt-go library for the go-oidc library, which is also capable of handling jwt verification, and is even better because it caches jwks key sets. * delete old tests and comment

move common elements behind an AuthContext interface

169bb54

adding authcontext to non-ssl

b05257a

merging master and fixing conflicts

6174207

start adding options to allow different headers to be used, rather th…

5f6fda6

…an just the RFC specified ones like 'authorization' because Envoy.

change AuthContext to just provide access to the entire Options objec…

1e82da2

…t, add a new grpc interceptor that renames the authorization header from a custom one to the official one

remove errors file and move to where they're used

16a6670

moving interfaces into a lower directory to work around circular impo…

d5640d6

…rt cycle

one more unit test, also refactor the cookie manager file reading int…

10fc482

…o the auth context setup part

rename cookies to be less hacky, couple unit tests, add the profile s…

abf6dcc

…cope to authorization request

adding defaults for the custom http authorization header stuff and co…

9c14fcc

…mments

adding a redirect_url cookie

a2aa28b

adding /me endpoing

ed19e45

remove Okta reference to the user info endpoint

c9f5b8c

adding metadata redirect handler, gate user info by config

ef27604

change csrf cookie from same-site strict to same-site lax

7418943

CORS support (into auth PR) (#26)

afcd9c3

CORS support for gwmux

katrogan previously approved these changes Oct 31, 2019

View reviewed changes

add middleware for grpc gateway responses to always have that header

42f4bd7

wild-endeavor dismissed katrogan’s stale review via 42f4bd7 October 31, 2019 23:47

Yee Hing Tong added 19 commits October 31, 2019 16:59

addressing two minor pr comments, more to come

6e56b1c

trying one last thing for cors, adding the allow credentials header

6feffc6

changing allowed headers to be configurable

21872d0

addressing some more pr comments

1840c1b

running make generate

b5d5d0a

add one more header for cors, will need refactoring later

4b8eeab

Merge remote-tracking branch 'origin/master' into oauth

d380c75

merge master and re-rerun dep ensure

27143ee

lint part 1

0bd0751

lint part 2

a0efd69

haytham fixes everything

90e3279

fixing unit test and adding lint ignore

9e12a89

merge master and dep ensure

624578d

more lint

948f0e1

more lint

db4d3fd

more lint

b576b2c

removing couple leftover debug prints

b3a612b

nit

e8490e2

nit

02e0473

katrogan approved these changes Nov 11, 2019

View reviewed changes

wild-endeavor merged commit f0403ac into master Nov 11, 2019

wild-endeavor added a commit that referenced this pull request Sep 26, 2023

Emit event for execution time lineage (#8)

dbe3a77

Also clean up the logic around resolving parameter and literal map a bit more.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OAuth2 #8

OAuth2 #8

wild-endeavor commented Oct 1, 2019 •

edited

Loading

katrogan left a comment

honnix commented Nov 20, 2019

wild-endeavor commented Nov 20, 2019

OAuth2 #8

OAuth2 #8

Conversation

wild-endeavor commented Oct 1, 2019 • edited Loading

katrogan left a comment

Choose a reason for hiding this comment

honnix commented Nov 20, 2019

wild-endeavor commented Nov 20, 2019

wild-endeavor commented Oct 1, 2019 •

edited

Loading