Draft: OIDC Authentication, and Cloud CLI Contexts #1082
Summary
This PR introduces two major features.

OIDC Authentication
Defaulted to off, unless the server is provided with a Client ID, Secret, and Organization URL. Setting the aforementioned parameters will result in the provisioner validating that requests to `/api/*` contain a valid Access Token from Okta.
Authentication for CLIs is handled using Device Authorization grants, via the `cloud login` command. Authentication data (access tokens, refresh tokens, etc.) is stored in a context.
Screenshots:
Login page of Okta (browser auto-opens)
Logs in terminal when initiated:

CLI Contexts
Most users have their own custom hacks or bash scripts to automate the passing of `--server` to handle interacting with different environments. This PR introduces the concept of contexts, stored in `~/.cloud/contexts.json`.
Contexts store:
A new CLI option now exists, `cloud contexts <command>`, with the following options:
Additionally, a `cloud login` command has been added, which allows you to retrigger the login flow for a particular context, should you run into authentication issues.
The `--server` parameter has been removed. Instead, use `cloud context create` to create a context for each Provisioner environment you interact with. To switch between them, use `cloud context set-current`. All `cloud` commands will initiate based off of the currently set context (todo: support `--context` to switch contexts for a single command).
On first run of the Cloud CLI with this change, the contexts.json file will be created for you, containing one context with alias `local` pointing at `http://localhost:8075`.
When creating a new context, if you provide a Client ID and OrgURL, the CLI will automatically initiate the login flow for you. To skip the authentication flow, pass the argument `--skip-auth`.
Ticket Link
https://mattermost.atlassian.net/browse/CLD-8406
Release Note