Feat: implement OIDC flow#1007
Conversation
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
|
@bupd Please have look at the idea. We may also required changes on harbore-core using existing oidc flow still required still needed few changes like polling state to get the id_token and other details. It's not completed yet but wanted you to have a look and design level decisions. PS: ignore lint for now :) |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1007 +/- ##
=========================================
- Coverage 10.99% 9.62% -1.37%
=========================================
Files 173 322 +149
Lines 8671 16280 +7609
=========================================
+ Hits 953 1567 +614
- Misses 7612 14542 +6930
- Partials 106 171 +65 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Suggestion:
Please let me know if you have more suggestion. |
|
@NishchayRajput Had a brief look through this. It looks really really cool! Lastly, which party is validating the trust relationship to the oidc source. Just to confirm: this is governed through OIDC providers that are configured in harbor itself and we just make use of the trusted identity provider from Harbor itself. |
Description
This pull request adds work-in-progress OIDC login support for
harbor-clitogether with the Harbor Core changes needed to support that flow.Current implementation allows
harbor-clito start an OIDC login through Harbor Core, return a browser login URL, poll Harbor Core for completion using OIDCstate, store the returned credential locally, and use bearer authentication for later API requests.This change is needed because Harbor currently supports browser-based OIDC login, but
harbor-clidoes not yet have a native OIDC login flow. The current implementation is still being actively worked on and is not final yet.Type of Change
Please select the relevant type.
Changes
harbor login <server> --oidcGET /c/oidc/login?mode=cliGET /c/oidc/cli-token?state=...auth-typeid-tokenrefresh-tokenexpires-atstate-based polling contractFlow Diagram
Video
Screencast.from.21-06-26.04.07.57.PM.IST.webm
In case of token expiry cli gives output as