Add gcp and idtoken authenticators #9
Conversation
Could rename to something like EXPLICIT_AUTH_URIS or LIMIT_AUTH_URLS
The id token authenticator verifies the token in the header. The header name of id token is specified by the `ID_TOKEN_HEADER` config. The authenticator retrieves the USERID_CLAIM after the verification. If there is no id token header, the verification failes or the USERID_CLAIM does not exist, the request is passed to the next authenticator. Github-PR: arrikto#44 Signed-off-by: Yihong Wang <yh.wang@ibm.com> Reviewed-by: Yannis Zarkadas <yanniszark@arrikto.com>
| @@ -148,6 +152,11 @@ func main() { | |||
| oauth2Config: oauth2Config, | |||
| } | |||
|
|
|||
| gcpAuthenticator, err := newGcpAuthenticator(c.GCPHeader) | |||
| if err != nil { | |||
| log.Fatalf("error initializing gcp authenticator") | |||
There was a problem hiding this comment.
It would be useful to also emit the actual error
log.Fatalf("error initializing gcp authenticator: %v", err)
There was a problem hiding this comment.
Actually, do we want it to totally fail if it cannot load the gcp authenticator? Or just log and move on...
time="2021-08-31T09:05:06Z" level=fatal msg="error initializing gcp authenticator: error creating validator: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information."
There was a problem hiding this comment.
Actually failing on load isn't great either, since then you will have problems in server.go:103 at runtime...
There was a problem hiding this comment.
maybe we can have something like this in main.go
gcpAuthenticator, err := newGcpAuthenticator(c.GCPHeader)
if err != nil {
log.Info("error initializing gcp authenticator: %v", err)
log.Info("gcp authenticator not loaded")
}
...
authenticators := []Authenticator{sessionAuthenticator, idTokenAuthenticator}
if gcpAuthenticator != nil {
authenticators = append(authenticators, gcpAuthenticator)
}
...
caBundle: caBundle,
authenticators: authenticators,
authorizers: []Authorizer{groupsAuthorizer},
| gonum.org/v1/gonum v0.8.1 | ||
| google.golang.org/api v0.46.0 |
There was a problem hiding this comment.
I hit googleapis/google-api-go-client#1198 pretty hard while trying to get this branch working locally.
Need to update to v.0.56.0
go get google.golang.org/api
...
go get: upgraded google.golang.org/api v0.46.0 => v0.56.0
go mod tidy
|
So I eventually got the googleSAAuthenticator working. See previous notes. For reference I used this method (https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-oidc) to create the idtoken. I noticed that the current implementation seems to accept any service account: |
|
Closing this PR - we're going to use client credentials flow for M2M authentication and we'll pull in the idtoken authenticator as part of our updated master branch |
No description provided.