
OAuth Support (flagr issue, 8 comments, closed)

openflagr commented on May 9, 2024
OAuth Support

from flagr.

Comments (8)

zhouzhuojie commented on May 9, 2024

What is your current OAuth or SSO solution in your company? Is it possible that you implement your own login page with any ID providers you have, and just store the final access token as a subdomain.your_company.com cookie?

At the beginning I was thinking of implementing a full-fledged OAuth2 flow, for example, leveraging https://github.com/markbates/goth and we can cover some major social login cases. I'm not 100% sure, but it needs flagr to be exposed publicly so that the external ID providers can send a POST callback. I didn't prioritize this approach because I want flagr to be 100% private within our cluster.

And moreover, it turns out that people usually have their own login flow, and we can just piggyback on it and just validate the access token.

That said, if any of you want to bring in OAuth, I'd be happy to help and review the PRs.

The steps I can think of as of now:

  1. Set Config.JWTAuthNoTokenRedirectURL=/auth to be a local relative path GET /auth instead of redirecting to other website or pages.
  2. Set Config.JWTAuthPrefixWhitelistPaths to include /auth so that we don't validate access token for /auth related paths.
  3. Serve GET /auth with a static html page, with login buttons (e.g. Google, GitHub, etc.). Buttons point to GET /auth/{provider}
  4. Serve GET /auth/{provider}/, POST /auth/{provider}/callback, and GET /auth/logout/{provider} with goth. For example, https://github.com/markbates/goth/blob/master/examples/main.go#L188-L218
  5. Set corresponding env variables for client_key and client_secret
  6. Expose flagr to the public so that Google or GitHub can send the callback.

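Steps 1 to 6 above wired together, as an added example written for this page (it is illustration code, not flagr's middleware and not goth's). Assumptions: the AuthConfig field names stand in for Config.JWTAuthNoTokenRedirectURL, Config.JWTAuthPrefixWhitelistPaths and the cookie flagr reads; FakeProvider, idp.example, the subject alice@example.com and the code good-code are constructed so the flow runs offline; the cookie carries a small HMAC-tagged session token rather than the JWT flagr actually validates; the callback is served on GET as in the goth example rather than POST; step 5 (client key and secret from the environment) and step 6 (public exposure) are outside the code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// AuthConfig mirrors the flagr settings in the steps above; field names, cookie name and token format are this example's own assumptions.
type AuthConfig struct {
	NoTokenRedirectURL string              // Config.JWTAuthNoTokenRedirectURL, "/auth"
	WhitelistPrefix    string              // Config.JWTAuthPrefixWhitelistPaths, "/auth"
	CookieName         string              // cookie the middleware reads the session from
	Secret             []byte              // HMAC key for the session token
	Providers          map[string]Provider // keyed by the {provider} path segment
}

type Provider struct { // the seam a goth provider fills in
	AuthURL  func(state string) string                // where the browser is sent
	Exchange func(code string) (sub string, err error) // callback code -> identity
}

// FakeProvider is a constructed stand-in so the flow runs offline.
var FakeProvider = Provider{
	AuthURL: func(state string) string { return "https://idp.example/authorize?state=" + state },
	Exchange: func(code string) (string, error) {
		if code != "good-code" {
			return "", fmt.Errorf("idp rejected code %q", code)
		}
		return "alice@example.com", nil
	},
}

// Mint/Verify handle "sub.base64url(HMAC-SHA256(secret, sub))", a stand-in for the JWT the real middleware validates.
func (c AuthConfig) Mint(sub string) string {
	m := hmac.New(sha256.New, c.Secret)
	m.Write([]byte(sub))
	return sub + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

func (c AuthConfig) Verify(tok string) (string, error) {
	i := strings.LastIndex(tok, ".")
	if i < 0 || !hmac.Equal([]byte(tok), []byte(c.Mint(tok[:i]))) { // constant-time compare
		return "", fmt.Errorf("bad session token")
	}
	return tok[:i], nil
}

// Handler wraps app with steps 1-2: the whitelisted prefix skips validation (the login routes live there); anything else needs a valid cookie.
func (c AuthConfig) Handler(app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, c.WhitelistPrefix) {
			c.auth(w, r)
			return
		}
		if ck, err := r.Cookie(c.CookieName); err == nil {
			if sub, err := c.Verify(ck.Value); err == nil {
				r.Header.Set("X-Auth-Subject", sub) // identity for the app and its audit log
				app.ServeHTTP(w, r)
				return
			}
		}
		http.Redirect(w, r, c.NoTokenRedirectURL, http.StatusFound) // local page, not an external site
	})
}

// auth serves steps 3-4: /auth, /auth/{provider} and /auth/{provider}/callback.
func (c AuthConfig) auth(w http.ResponseWriter, r *http.Request) {
	name, action, _ := strings.Cut(strings.Trim(strings.TrimPrefix(r.URL.Path, c.WhitelistPrefix), "/"), "/")
	prov, ok := c.Providers[name]
	switch {
	case name == "": // static login page, one link per provider
		for n := range c.Providers {
			fmt.Fprintf(w, "<a href=\"%s/%s\">Log in with %s</a>\n", c.WhitelistPrefix, n, n)
		}
	case !ok || (action != "" && action != "callback"):
		http.NotFound(w, r)
	case action == "": // start: bind the round trip to this browser with a random state
		buf := make([]byte, 16)
		rand.Read(buf) // crypto/rand; documented never to fail since Go 1.24
		state := base64.RawURLEncoding.EncodeToString(buf)
		http.SetCookie(w, &http.Cookie{Name: "oauth_state", Value: state, Path: c.WhitelistPrefix, HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
		http.Redirect(w, r, prov.AuthURL(state), http.StatusFound)
	default: // callback: the state must match our cookie before the code is used
		if st, err := r.Cookie("oauth_state"); err != nil || st.Value == "" || st.Value != r.URL.Query().Get("state") {
			http.Error(w, "state mismatch", http.StatusForbidden)
		} else if sub, err := prov.Exchange(r.URL.Query().Get("code")); err != nil {
			http.Error(w, "token exchange failed", http.StatusUnauthorized)
		} else {
			http.SetCookie(w, &http.Cookie{Name: c.CookieName, Value: c.Mint(sub), Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, MaxAge: 3600})
			http.Redirect(w, r, "/", http.StatusFound)
		}
	}
}
```

Beyond the six steps, the example adds what a reviewer would ask for: a random state bound to the browser via a cookie and checked on the callback (without it, an attacker can complete the flow in a victim's browser with the attacker's own code and log the victim into the attacker's account), HttpOnly, Secure and SameSite=Lax on both cookies, and the verified subject attached to the request so the audit log records who acted.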

zhouzhuojie commented on May 9, 2024

Definitely open to it. We have HS256 and RS256 now, and it should be straightforward to add more JWT validations.

https://github.com/checkr/flagr/blob/master/pkg/config/middleware.go#L122-L132


github-actions commented on May 9, 2024

Stale issue message


crberube commented on May 9, 2024

I'd be interested in helping work on this. I have a situation where I'd like to be able to auth against a Google login. Do we have any sense as to what would be necessary to make this happen?


irwing-reza commented on May 9, 2024

I added OAuth by putting flagr behind a reverse proxy and using vouch for authentication.

This is not an out of the box solution but it works really well.


crberube commented on May 9, 2024

Interesting!

@zhouzhuojie thanks for the details.

I agree about keeping the application private within the cluster, that is how we have things set up right now as well. I was talking to some folks about how we want to handle auth and it sounds like we are moving towards using Google's Cloud Identity-Aware Proxy. I don't know a whole lot about it at this point, but I see that it can provide JWT tokens via signed headers with the ES256 algorithm. At this point the question from me would be are you open to a PR at some point that could expand the JWT handling in Flagr?


pacoguzman commented on May 9, 2024

Hey all! I'm trying to set up flagr behind an OAuth2Proxy to be authenticated with Google. The latest versions allow proxy-passing the Authorization header using the id_token that Google provides; it's a JWT token with the ES256 algorithm, as @crberube said.

But from here I'm not sure how to proceed with flagr, as it's not properly authorizing requests with those authorization headers.

We want to setup this for the audit_logs so we properly audit each interaction within flagr.

Thanks in advance.


yulintan commented on May 9, 2024

You can also enable basic auth.
For the GUI, you will be prompted to enter your user name and password.
For the API, you will need to pass the header
Authentication: Basic base64decode(username:password)

