Giter Site home page Giter Site logo

Comments (2)

matej-g avatar matej-g commented on June 14, 2024

I think we cannot simply fail to start Observatorium API, since we OIDC config is per tenant and we do not want one misconfigured tenant to bring the whole API down at the start-up. But there is a loop which tries to initiate the OIDC authenticator (with backoff), so if this keeps failing it should be logged + there's also a metric for that.

On second thought, this sounds like the OIDC provider initiation actually succeeded, which should not have been the case without client ID / secret.

from api.

squat avatar squat commented on June 14, 2024

It would also be helpful if Observatorium-API failed to start without clientID or clientSecret.

I don't fully agree with this. This will mean one tenant's borked configuration breaks the API for everyone else. Ideally, if one tenant rolls out invalid configuration, other tenants can continue to use their API and even make changes of their own.
In fact, we've had issues with this in the past and implemented something that tries to isolate the auth configurations of various tenants so that one tenant's misconfigured OIDC issuer (or correctly configured issuer but maybe not responding for any reason) doesn't block startup of the API for other tenants:
https://github.com/observatorium/api/blob/main/main.go#L514-L525

Maybe it would be useful instead to have a utility to statically validate a tenant's configuration and be able to assert if they are valid before being applied to the server? This could be nice feature of the CLI.

Observatorium-API refuses to start if IssuerURL is empty

I'm having a hard time imaging how the Observatorium fails to start up entirely if one tenant's OIDC config is missing an issuerURL. AFAICT:

  1. the empty issuer check only happens here: https://github.com/observatorium/api/blob/main/authentication/oidc.go#L84
  2. the bounding function, newOIDCAuthenticator, is only called here:

    api/authentication/authentication.go

    Line 84 in 078b7ce

    authenticator, err := ProviderFactory(config, tenant, registrationRetryCount, logger)
    ;
  3. and this bounding function, InitializeProvider, is called asynchronously for every tenant to avoid one tenant breaking the API for other tenants: https://github.com/observatorium/api/blob/main/main.go#L515

from api.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.