Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Authenticator for when serving OIDC as a proxy #877

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Add Authenticator for when serving OIDC as a proxy #877

wants to merge 5 commits into from
+2,572 −2,550

Conversation

DiamondJoseph
Copy link
Contributor

@DiamondJoseph DiamondJoseph commented Feb 3, 2025
edited
Loading

WIP: adds an Authenticator implementation for use when serving Tiled behind a proxy.
This is intended be used to define an alternative decode_access_token
In order to inject the desired behaviour for decode_access_token has required a fairly weighty refactor, inverting the creation order of a lot of router objects.

  • Removes injection of password into security obj
  • Removes use of dependency_override which is intended for use in tests

Checklist

  • Add a Changelog entry
  • Add the ticket number which this PR closes to the comment section

@DiamondJoseph
Add Authenticator for when serving OIDC as a proxy
b283eca
@DiamondJoseph
Refactor Authentication router construction
adb7bcb 
- Prevents having to inject the password late into the oauth2_schema, and allows supporting Proxied credentials
@DiamondJoseph
Invert the creation of API routes
cfdba08 
- Such that decode_access_token can be overriden
  when serving behind proxied OIDC
- Removes injection of password into security obj
- Removes use of dependency_override which is
  intended for use in tests
@DiamondJoseph
Remove incorrect caches
02232db
DiamondJoseph
DiamondJoseph commented Feb 5, 2025
View reviewed changes
tiled/server/utils.py
description: Optional[str] = None,
):
self.model: APIKey = APIKey(
**{"in": APIKeyIn.header}, name=name, description=description
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hate this but I see why it is required (in is a reserved keyword but APIKey uses it as an init arg... using _in does not work, as it is a serialisation alias only).

@DiamondJoseph
Copy link
Contributor Author

why setattr
do not call public keys with every request- find reasonable TTL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@DiamondJoseph