auth: support OIDC authentication provider and token authentication #496

Merged: 8 commits, Jun 26, 2024

@mattisonchao (Member) commented Jun 24, 2024

Motivation

We should support some general authentication methods for the Oxia server for security concerns.

Modification

  • Support basic OIDC authentication provider on the server
  • Support basic token authentication on the client
  • Support integration test for OIDC with the token.

Next

  • Performance will be affected since we use gRPC per-call authentication. We might add a cache for the token to improve the performance.
  • As a next improvement, we can customise transport-layer authentication. But we already have mTLS. We can evaluate it in the future.

if _, ok := p.allowedAudiences[audience]; ok {
audienceAllowed = true
}
}
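Review bot: at `audienceAllowed = true` the loop keeps scanning the remaining audiences after a match; add a `break` there or return early. The visible lines only ever set the flag to true, so please confirm that the code after the loop rejects the token when the flag is still false, which also has to cover a token with no audience claim and an empty `p.allowedAudiences`.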
Member

Do you think it's necessary to check the permissions/scope field to verify the permissions?

Member Author

We don't support authorization yet. We can consider it when we support authorization. :)

const (
MetadataAuthorizationKey = "authorization"
TokenPrefix = "Bearer "
)
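Review bot: if `TokenPrefix = "Bearer "` is matched with an exact-case prefix check, a client sending `bearer <token>` is rejected even though the auth scheme is case-insensitive under RFC 7235; consider comparing the scheme with `strings.EqualFold` and rejecting an empty token after the prefix. The lowercase `MetadataAuthorizationKey` is fine as it stands, since gRPC metadata keys are normalized to lowercase. A short doc comment on both constants would help.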
Member

Maybe we should accept the header of authorization/Authorization and Bearer/bearer

Member Author

Okay, makes sense. Let me add it later. :)

Member Author

Sorry, the authorization and Bearer should be standard. We can support leveraging case insensitivity in other PRs.
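
The case-insensitivity question in this thread and the audience allow-list check discussed earlier, as an added Go example that is not part of this PR or of Oxia's code: it extracts a bearer token with a case-insensitive scheme match and fails closed on the audience check. All names are hypothetical, and request metadata is modelled as a plain `map[string][]string` so the block runs without the gRPC module.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical names for illustration; not Oxia's identifiers.
const authorizationKey = "authorization" // gRPC delivers metadata keys lowercased
const bearerScheme = "bearer"

var errNoToken = errors.New("missing or malformed bearer token")

// bearerToken extracts the token from request metadata. The scheme is
// compared case-insensitively (RFC 7235); anything else is rejected.
func bearerToken(md map[string][]string) (string, error) {
	vals := md[authorizationKey]
	if len(vals) != 1 { // absent or duplicated header: fail closed
		return "", errNoToken
	}
	scheme, token, ok := strings.Cut(strings.TrimSpace(vals[0]), " ")
	token = strings.TrimSpace(token)
	if !ok || !strings.EqualFold(scheme, bearerScheme) || token == "" {
		return "", errNoToken
	}
	return token, nil
}

// audienceAllowed reports whether any audience claim is in the allow-list.
// An empty claim list or an empty allow-list yields false.
func audienceAllowed(allowed map[string]struct{}, claims []string) bool {
	for _, aud := range claims {
		if _, ok := allowed[aud]; ok {
			return true // stop at the first match
		}
	}
	return false
}

func main() {
	// Constructed sample input, not taken from the PR.
	md := map[string][]string{"authorization": {"bearer abc.def.ghi"}}
	tok, err := bearerToken(md)
	fmt.Println(tok, err)
	allowed := map[string]struct{}{"oxia": {}}
	fmt.Println(audienceAllowed(allowed, []string{"other", "oxia"}))
}
```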

Collaborator

@merlimat merlimat left a comment

Nice work! 👍

@merlimat merlimat merged commit a9ca6ac into main Jun 26, 2024
7 checks passed
@merlimat merlimat deleted the auth/oidc branch June 26, 2024 16:41