
Re: Prototype/exploration of access tokens



Oops, you need this branch of doorkeeper (I knew there was a reason it's path'd in the Gemfile) https://github.com/applicake/doorkeeper/pull/181.

----- Original Message -----
> If there's one complaint about the rhc tools I hear every day, it's
> about having to put your password in.  Now that the model_refactor
> branch is progressing, I figured it was time to take a general look
> at our authentication situation in OpenShift and play around with
> some options.
> 
> * We want to support multiple identities down the road (so you can
> log into OpenShift with a github/google/facebook account)
> * We want to support access tokens for api clients like RHC
> * We'd *like* to have a working auth delegation flow so that 3rd
> parties can request limited API access to certain applications in
> OpenShift, ideally OAuth
> 
> If we assume we need to implement an OAuth provider to do the above,
> there are a few existing options in the gem community - of them,
> doorkeeper (https://github.com/applicake/doorkeeper) is both the
> most spec compliant AND supports Mongoid3 (now used in the
> model_refactor branch).
> 
> This branch:
> 
> https://github.com/smarterclayton/origin-server/compare/2c11db8c22ae5c92c4c384da900ae3ead2eee481...smarterclayton:add_simple_auth_tokens
> 
> has some speculative changes to the authentication process in the
> broker, adds identity support to users (mostly as a proof of
> concept, needs more discussion), and does some light integration
> with doorkeeper to expose access tokens both as an OAuth endpoint
> (/oauth/authorize and /oauth/token) but also as a REST concept
> (/user/authorizations).
> 
> This branch:
> 
> https://github.com/smarterclayton/rhc/compare/25d3e2e...smarterclayton:add_simple_auth_tokens
> 
> has the necessary changes to RHC to generate an API token in the
> setup wizard (haven't thought through all the corner cases though).
> 
> --------------
> 
> If you're interested in trying this out here are some hackish steps
> that you can do from any linux box with mongo and ruby
> 
> 0) Install mongo locally,
>    a) Make sure you have the user/password configured in
>    /etc/openshift/broker-dev.conf file
> 1) check out both branches
> 2) From the origin-server/broker directory run:
>    a) touch /etc/openshift/development (to start dev mode)
>    b) bundle install (to install gems)
>    c) NO_SSL=1 bundle exec rails s (to boot the server without
>    requiring the certs)
> 3) From the RHC source dir you can run
>    a) "bundle exec bin/rhc setup --server
>    http://localhost:3000/rest/api"
> 
> ---------------
> 
> What the branches don't have:
> 
> 1) Any sort of final decisions on identities and how they should be
> modelled
> 2) Any client UI in the broker around the web OAuth flows (you can
> grant application access and create tokens via doorkeeper, but we
> don't have a web login experience in the broker and won't until we
> get some other stuff sorted)
> 3) Test cases / polish / etc...
> 4) Any console UI stuff.
> 
> --------------
> 
> I'm pretty emotionally invested in removing the need to have to put
> passwords in every. single. time. I. run. a. rhc. command, so please
> jump into the discussion if you have an OAuth / access token
> scenario that matters to you, especially if that scenario is about
> writing tools that can integrate into the openshift experience.
>   I'll probably clean some of this up next sprint and try to land it
> sometime after the model refactor is ready, but passwords.... you're
> on the list.
> 
> Clayton Coleman | OpenShift UI lead
> (919)754-4982 - Raleigh Tower - 16/N145
> 
> _______________________________________________
> dev mailing list
> dev lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> 

