Draft: OIDC Authentication, and Cloud CLI Contexts #1082

Draft
wants to merge 6 commits into
base: master

Conversation

nickmisasi
Contributor

Summary

This PR introduces two major features:

OIDC Authentication.

  • Defaults to off, unless the server is provided with a Client ID, Secret, and Organization URL.
  • Setting the aforementioned parameters will result in the provisioner validating that requests to /api/* contain a valid Access Token from Okta.
  • Authentication for CLIs is handled using Device Authorization grants, via the cloud login command. Authentication data (access tokens, refresh tokens, etc.) is stored in a context.

Screenshots:
Login page of Okta (Browser auto-opens)
Logs in terminal when initiated:

CLI Contexts

Most users have their own custom hacks or bash scripts to automate the passing of --server to handle interacting with different environments. This PR introduces the concept of contexts, stored in ~/.cloud/contexts.json

Contexts store:

  • Server URL
  • Auth Data (like your access and refresh tokens)
  • An alias (for switching)
  • Client ID, and Org URL to kick off authorization flow (if configured)

A new CLI option now exists, cloud contexts <command>, with the following subcommands:

Manipulate local contexts for the Cloud CLI

Usage:
  cloud contexts [command]

Available Commands:
  create      Create a new context.
  delete      Delete a context.
  get         Get details of a specific context.
  list        List all contexts.
  set-current Set the current context.
  update      Update a context.

Additionally, a cloud login command has been added, which allows you to retrigger the login flow for a particular context, should you run into authentication issues.

cloud login --help
Login to the Mattermost Cloud provisioning server.

Usage:
  cloud login [flags]

Flags:
      --context string   The name of the context to use.
  -h, --help             help for login

The --server parameter has been removed. Instead, use cloud context create to create a context for each Provisioner environment you interact with. To switch between them, use cloud context set-current. All cloud commands will initiate based on the currently set context (todo: support --context to switch contexts for a single command).

On first run of the Cloud CLI with this change, the contexts.json file will be created for you, containing one context with alias local pointing at http://localhost:8075.

When creating a new context, if you provide a Client ID and OrgURL, the CLI will automatically initiate the login flow for you. To skip the authentication flow, pass the argument --skip-auth.

Ticket Link

https://mattermost.atlassian.net/browse/CLD-8406

Release Note


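The Device Authorization grant that cloud login uses, written out as an added Go example; this is not the PR's or the provisioner's own code. It assumes Okta's org authorization server paths /oauth2/v1/device/authorize and /oauth2/v1/token (an assumption, as is the client ID "client-id" and the scope string), and it includes a constructed fake authorization server so the flow runs offline. The parts a CLI tends to get wrong are the polling rules: honor the server's interval, add five seconds on slow_down, keep going on authorization_pending, and stop on anything else.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

// deviceAuthResponse is the RFC 8628 section 3.2 reply from the device authorization endpoint.
type deviceAuthResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

// tokenResponse is the token endpoint reply; Error stays non-empty until the user approves in the browser.
type tokenResponse struct {
	AccessToken  string `json:"access_token,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
	Error        string `json:"error,omitempty"`
}

// DeviceLogin runs the grant: get a device code, tell the user where to approve it, then poll the token endpoint.
func DeviceLogin(hc *http.Client, authorizeURL, tokenURL, clientID string) (*tokenResponse, error) {
	resp, err := hc.PostForm(authorizeURL, url.Values{"client_id": {clientID}, "scope": {"openid offline_access"}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var da deviceAuthResponse
	if err := json.NewDecoder(resp.Body).Decode(&da); err != nil || da.DeviceCode == "" {
		return nil, fmt.Errorf("bad device authorization response: %v", err)
	}
	fmt.Printf("Open %s and enter code %s\n", da.VerificationURI, da.UserCode) // a real CLI also opens the browser
	if da.Interval == 0 { da.Interval = 5 } // RFC 8628 default when the server omits the interval
	interval := time.Duration(da.Interval) * time.Second
	deadline := time.Now().Add(time.Duration(da.ExpiresIn) * time.Second)
	for time.Now().Before(deadline) {
		time.Sleep(interval)
		tr, err := PollToken(hc, tokenURL, clientID, da.DeviceCode)
		if err != nil {
			return nil, err
		}
		switch tr.Error {
		case "":
			return tr, nil
		case "authorization_pending": // user has not approved yet; keep polling at the same interval
		case "slow_down": // RFC 8628 section 3.5: back off by 5 seconds
			interval += 5 * time.Second
		default: // access_denied, expired_token or anything unexpected: stop rather than retry blindly
			return nil, fmt.Errorf("device login failed: %s", tr.Error)
		}
	}
	return nil, fmt.Errorf("device code expired before the user approved")
}

// PollToken makes one device_code grant request to the token endpoint.
func PollToken(hc *http.Client, tokenURL, clientID, deviceCode string) (*tokenResponse, error) {
	resp, err := hc.PostForm(tokenURL, url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"},
		"device_code": {deviceCode}, "client_id": {clientID}})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	tr := &tokenResponse{}
	return tr, json.NewDecoder(resp.Body).Decode(tr)
}

// NewFakeAuthServer is a constructed stand-in for Okta so the example runs offline: it answers
// authorization_pending to the first pendingPolls token requests, then issues tokens.
func NewFakeAuthServer(pendingPolls int32) *httptest.Server {
	var polls int32
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/v1/device/authorize", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(deviceAuthResponse{DeviceCode: "dc-123", UserCode: "ABCD-EFGH",
			VerificationURI: "https://example.okta.com/activate", ExpiresIn: 30, Interval: 1})
	})
	mux.HandleFunc("/oauth2/v1/token", func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.FormValue("device_code") != "dc-123":
			json.NewEncoder(w).Encode(tokenResponse{Error: "invalid_grant"})
		case atomic.AddInt32(&polls, 1) <= pendingPolls:
			json.NewEncoder(w).Encode(tokenResponse{Error: "authorization_pending"})
		default:
			json.NewEncoder(w).Encode(tokenResponse{AccessToken: "at-xyz", RefreshToken: "rt-xyz"})
		}
	})
	return httptest.NewServer(mux)
}

func main() { // stand-alone demo against the fake server
	srv := NewFakeAuthServer(1)
	fmt.Println(DeviceLogin(srv.Client(), srv.URL+"/oauth2/v1/device/authorize", srv.URL+"/oauth2/v1/token", "client-id"))
}
```

Against a real Okta org the only change is the two URLs; the refresh token that comes back is what the context file has to protect, since with offline_access it outlives the access token.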
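The contexts.json store the PR describes (server URL, auth data, alias, client ID and org URL, first-run seed of a local context at http://localhost:8075), as an added Go example that is not the PR's own code. The JSON field names, the "current" key and the function names are assumptions; the PR lists the contents, not the schema. What it adds beyond the description is the handling a practitioner would want for a file that holds refresh tokens: owner-only permissions, an atomic write, and a refusal to load a file that is readable by group or others.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// AuthData is what the device flow returns; it is a bearer credential, so the file holding it is 0600.
type AuthData struct {
	AccessToken  string `json:"access_token,omitempty"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// Context is one provisioner environment (assumed field names; the PR lists the contents, not the schema).
type Context struct {
	Alias     string    `json:"alias"`
	ServerURL string    `json:"server_url"`
	ClientID  string    `json:"client_id,omitempty"`
	OrgURL    string    `json:"org_url,omitempty"`
	Auth      *AuthData `json:"auth,omitempty"`
}

// ContextsFile is the assumed on-disk shape of ~/.cloud/contexts.json.
type ContextsFile struct {
	Current  string             `json:"current"`
	Contexts map[string]Context `json:"contexts"`
}

// Load reads the file, seeding it on first run with the "local" context the PR describes.
// It refuses a file readable by group or others, because the file contains refresh tokens.
func Load(path string) (*ContextsFile, error) {
	info, err := os.Stat(path)
	if errors.Is(err, os.ErrNotExist) {
		cf := &ContextsFile{Current: "local", Contexts: map[string]Context{
			"local": {Alias: "local", ServerURL: "http://localhost:8075"}}}
		return cf, cf.Save(path)
	}
	if err != nil {
		return nil, err
	}
	if info.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("%s has mode %o; it holds tokens, chmod it to 600", path, info.Mode().Perm())
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	cf := &ContextsFile{}
	if err := json.Unmarshal(data, cf); err != nil {
		return nil, err
	}
	if cf.Contexts == nil {
		cf.Contexts = map[string]Context{}
	}
	return cf, nil
}

// Save writes the file with owner-only permissions, via a temp file and rename so a crash never leaves it half-written.
func (cf *ContextsFile) Save(path string) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	data, err := json.MarshalIndent(cf, "", "  ")
	if err != nil {
		return err
	}
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

// Create adds a context; aliases are unique so set-current is unambiguous.
func (cf *ContextsFile) Create(c Context) error {
	if c.Alias == "" || c.ServerURL == "" {
		return errors.New("alias and server URL are required")
	}
	if _, exists := cf.Contexts[c.Alias]; exists {
		return fmt.Errorf("context %q already exists", c.Alias)
	}
	cf.Contexts[c.Alias] = c
	return nil
}

// SetCurrent switches the context that every cloud command will resolve its server and tokens from.
func (cf *ContextsFile) SetCurrent(alias string) error {
	if _, ok := cf.Contexts[alias]; !ok {
		return fmt.Errorf("no context %q", alias)
	}
	cf.Current = alias
	return nil
}

func main() { // stand-alone demo: first run seeds the local context under a temp directory
	cf, err := Load(filepath.Join(os.TempDir(), "cloud-demo", "contexts.json"))
	fmt.Printf("%+v %v\n", cf, err)
}
```

The permission check on load is the same habit ssh applies to private keys: a token file that another local user can read is a credential leak, and failing loudly beats silently using it.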
@mm-cloud-bot

@nickmisasi: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

I understand the commands that are listed here
