Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make OAuth scope optional #30

Merged
merged 3 commits into from
Feb 20, 2020
Merged

Make OAuth scope optional #30

merged 3 commits into from
Feb 20, 2020

Conversation

klalafaryan
Copy link
Member

Some OAuth Authorization servers such as AWS Cognito don't provide the scope in the response. For example:

{
    "access_token": "{JWT_TOKEN}",
    "expires_in": 3600,
    "token_type": "Bearer"
}

This PR makes scope property optional which gives us possibility to integrate with AWS Cognito. (Authorization servers which are not providing scope in the response)

@klalafaryan
Make scope optional
1d5f15e 
Signed-off-by: klalafaryan <konstantin.lalafaryan@blacklane.com>
@klalafaryan
Add comment
02fe62c 
Signed-off-by: klalafaryan <konstantin.lalafaryan@blacklane.com>
@klalafaryan
Improve the comment
f0b29fd 
Signed-off-by: klalafaryan <konstantin.lalafaryan@blacklane.com>
@klalafaryan klalafaryan mentioned this pull request Feb 11, 2020
Closed
@scholzj scholzj requested a review from ppatierno February 12, 2020 13:21
@mstruk
Copy link
Contributor

mstruk commented Feb 19, 2020

The fix is in fact on the Kafka client (the client side of OAuth) - it doesn't really concern the Kafka Broker unless inter-broker communication goes over OAuth protected listener (which in Strimzi Kafka Operator it doesn't).

I think adding the comment in the code is unnecessary, but overall the PR looks good.

@klalafaryan Thank you for your contribution.

@mstruk mstruk added this to the 0.4.0 milestone Feb 19, 2020
ppatierno
ppatierno approved these changes Feb 19, 2020
View reviewed changes
Copy link
Member

@ppatierno ppatierno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but how are we going to test this?

@mstruk
Copy link
Contributor

mstruk commented Feb 20, 2020

@ppatierno I guess we won't test it immediately - the addressed situation never occurs in our current test setups (using Keycloak and Hydra). We could create simple authorization server endpoints that would do just enough so we can test this, eventually.

@scholzj
Copy link
Member

scholzj commented Feb 20, 2020

@mstruk So we do not use the scope for anything in the broker part?

@mstruk
Copy link
Contributor

mstruk commented Feb 20, 2020

@scholzj Correct. Authentication part does not use it - it's more for authorization use, but there SimpleACL isn't aware of it, and KeycloakRBACAuthorizer doesn't make use of it either - in favor of fine grained security provided by Authorization Services.

@scholzj
Copy link
Member

scholzj commented Feb 20, 2020

Thanks for the PR.

@scholzj scholzj merged commit 2f5ee7f into strimzi:master Feb 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ppatierno ppatierno ppatierno approved these changes

@scholzj scholzj scholzj approved these changes

@mstruk mstruk mstruk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.4.0
Development

Successfully merging this pull request may close these issues.
4 participants
@klalafaryan @mstruk @scholzj @ppatierno