
Prototype/exploration of access tokens



If there's one complaint about the rhc tools I hear every day, it's about having to put your password in.  Now that the model_refactor branch is progressing, I figured it was time to take a general look at our authentication situation in OpenShift and play around with some options.

* We want to support multiple identities down the road (so you can log into OpenShift with a github/google/facebook account)
* We want to support access tokens for api clients like RHC
* We'd *like* to have a working auth delegation flow so that 3rd parties can request limited API access to certain applications in OpenShift, ideally OAuth

If we assume we need to implement an OAuth provider to do the above, there are a few existing options in the gem community - of them, doorkeeper (https://github.com/applicake/doorkeeper) is both the most spec compliant AND supports Mongoid3 (now used in the model_refactor branch).

This branch:

https://github.com/smarterclayton/origin-server/compare/2c11db8c22ae5c92c4c384da900ae3ead2eee481...smarterclayton:add_simple_auth_tokens

has some speculative changes to the authentication process in the broker, adds identity support to users (mostly as a proof of concept, needs more discussion), and does some light integration with doorkeeper to expose access tokens both as an OAuth endpoint (/oauth/authorize and /oauth/token) and as a REST concept (/user/authorizations).

This branch:

https://github.com/smarterclayton/rhc/compare/25d3e2e...smarterclayton:add_simple_auth_tokens

has the necessary changes to RHC to generate an API token in the setup wizard (haven't thought through all the corner cases though).

--------------

If you're interested in trying this out, here are some hackish steps that you can do from any linux box with mongo and ruby:

0) Install mongo locally
   a) Make sure you have the user/password configured in the /etc/openshift/broker-dev.conf file
1) Check out both branches
2) From the origin-server/broker directory run:
   a) touch /etc/openshift/development (to start dev mode)
   b) bundle install (to install gems)
   c) NO_SSL=1 bundle exec rails s (to boot the server without requiring the certs)
3) From the RHC source dir you can run:
   a) bundle exec bin/rhc setup --server http://localhost:3000/rest/api

---------------

What the branches don't have:

1) Any sort of final decisions on identities and how they should be modelled
2) Any client UI in the broker around the web OAuth flows (you can grant application access and create tokens via doorkeeper, but we don't have a web login experience in the broker and won't until we get some other stuff sorted)
3) Test cases / polish / etc...
4) Any console UI stuff.

--------------

I'm pretty emotionally invested in removing the need to have to put passwords in every. single. time. I. run. a. rhc. command, so please jump into the discussion if you have an OAuth / access token scenario that matters to you, especially if that scenario is about writing tools that can integrate into the openshift experience.   I'll probably clean some of this up next sprint and try to land it sometime after the model refactor is ready, but passwords.... you're on the list.

Clayton Coleman | OpenShift UI lead
(919)754-4982 - Raleigh Tower - 16/N145
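The post above describes issuing per-client access tokens (with limited scopes) so that a CLI like rhc does not have to send the password on every request. The following is an added example written for this page; it is not code from the linked branches, from rhc, or from doorkeeper. It sketches, in a hypothetical in-memory TokenStore, the server-side properties that make such tokens safer than a stored password: only a SHA-256 digest of each token is kept (so a copied database does not yield usable tokens), every token carries an explicit scope list and expiry, and a user's tokens can be revoked without touching the password. The token response fields follow the OAuth 2.0 token endpoint shape (access_token, token_type, expires_in, scope); the scope names and the `now:` clock injection are assumptions for the example.

```ruby
require 'securerandom'
require 'digest'
require 'json'

# Hypothetical in-memory token store for a broker. Only a SHA-256 digest of
# each access token is persisted; the raw token is handed to the client once.
class TokenStore
  Token = Struct.new(:digest, :user, :scopes, :expires_at, :revoked)

  # +now+ is injectable so expiry can be exercised deterministically.
  def initialize(now: -> { Time.now })
    @tokens = {}
    @now = now
  end

  # Issue a bearer token for +user+ limited to +scopes+ and valid for +ttl+
  # seconds. Returns the OAuth 2.0 token-endpoint response fields; the raw
  # token never touches the store.
  def issue(user, scopes, ttl: 3600)
    raw = SecureRandom.urlsafe_base64(32)
    token = Token.new(digest(raw), user, scopes.sort, @now.call + ttl, false)
    @tokens[token.digest] = token
    { 'access_token' => raw,
      'token_type'   => 'bearer',
      'expires_in'   => ttl,
      'scope'        => scopes.join(' ') }
  end

  # Resolve an Authorization header to [user, scopes], or nil when the header
  # is not a bearer header, the token is unknown, revoked, or expired.
  def authenticate(header)
    m = /\ABearer (\S+)\z/.match(header.to_s)
    return nil unless m
    token = @tokens[digest(m[1])]
    return nil if token.nil? || token.revoked || @now.call >= token.expires_at
    [token.user, token.scopes]
  end

  # True only if the header carries a live token that includes +scope+.
  def authorized?(header, scope)
    result = authenticate(header)
    !result.nil? && result[1].include?(scope)
  end

  # Revoke every token belonging to +user+ (lost laptop, leaked config file);
  # the user's password is unaffected.
  def revoke_all(user)
    @tokens.each_value { |t| t.revoked = true if t.user == user }
    nil
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

# Stand-alone walk-through: one issuance, one scoped check, one revocation.
if $PROGRAM_NAME == __FILE__
  store = TokenStore.new
  resp = store.issue('alice', ['read_apps'])          # assumed scope name
  puts JSON.generate(resp)
  header = "Bearer #{resp['access_token']}"
  puts "read_apps allowed:  #{store.authorized?(header, 'read_apps')}"
  puts "write_apps allowed: #{store.authorized?(header, 'write_apps')}"
  store.revoke_all('alice')
  puts "after revoke:       #{store.authenticate(header).inspect}"
end
```

A client such as rhc would keep only the returned access_token (for instance in a file readable solely by the user) and send it as a Bearer header on later requests; the server compares digests, so the raw token is never stored on either the broker or in its database. Expiry and revocation are checked on every request, which is what makes a leaked token far cheaper to recover from than a leaked password.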

