API calls in OIDC mode #8033

Closed
chusAlvarez opened this issue Jun 12, 2019 · 6 comments

@chusAlvarez

chusAlvarez commented Jun 12, 2019

I have configured Harbor version v1.8.0 with the v1.1.0 harbor-helm configuration.
I have successfully configured OIDC auth mode.
I have successfully configured OIDC users against GitHub (using a dex proxy).
I can log in and make pulls and pushes with the OIDC user.

The problem is, when I try to use REST API calls with an OIDC user, the response is wrong every time:

$ curl -u chusAlvarez:<password>  -X GET http://harbor.hades.k8s.dev.spotahome.net/api/users
{"code":401,"message":"UnAuthorize"}

I found in the core service these errors:

2019-06-12T10:04:05Z [DEBUG] [/common/dao/user.go:255]: Check if user chusAlvarez is super user
2019-06-12T10:04:05Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is oidc_auth
2019-06-12T10:04:05Z [ERROR] [/core/filter/security.go:471]: failed to authenticate chusAlvarez: Unrecognized auth_mode: oidc_auth
2019-06-12T10:04:05Z [DEBUG] [/core/filter/security.go:491]: can not get user information from session
2019-06-12T10:04:05Z [DEBUG] [/core/filter/security.go:560]: user information is nil

When I checked the code, I found the OIDC auth mode is indeed still not implemented:
https://github.com/goharbor/harbor/tree/master/src/core/auth

As the admin user also can't make API calls, does this mean the API is disabled in OIDC mode? Or am I missing something? => The admin user seems to be the only one available for the API

@reasonerjt
Contributor

reasonerjt commented Jun 12, 2019

@chusAlvarez
Author

OIDC token

The interchanged OIDC token is not available in the login process, nor can it be read after this. But it seems that the failure to connect with the admin user was mine (misspelled password).

So the API is still accessible, but only for the admin user

@chusAlvarez
Author

Sorry, solved; it seems I was trying to access API functions restricted to admin (http://harbor.hades.k8s.dev.spotahome.net/api/users )

So this was the reason it launched an "unauthorized" message. When I tried to read projects, it works, listing only the ones available for my user

@annProg

annProg commented Oct 28, 2019

@chusAlvarez In that case you need to use the OIDC token to call the REST API.
See https://github.com/goharbor/community/blob/master/proposals/OIDC_Authentication_Support.md#user-onboarded-via-the-oidc-authentication-flow-accessing-the-api

Is there any example for this? How to get the OIDC token?

@aMozejko1

Hi,

I've been able to use https://github.com/goharbor/harbor/wiki/Harbor-FAQs#api to generate a Bearer token.

However, when trying to authenticate using that bearer token, I get the error:

Failed to verify token, error: oidc: id token issued by a different provider, expected "https://OIDC-Endpoint-URL" got "https://my.harbor.url/"

If authenticating through OIDC, are users meant to generate API tokens from Harbor or from the upstream OIDC server?
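
Added example (not part of the original thread and not Harbor's code): the error above reports that the token's `iss` claim differs from the issuer the verifier expects. This sketch decodes a JWT payload without verifying the signature and compares `iss` with the expected issuer, which shows which system minted a given token; the function names and sample tokens are constructed for illustration.

```python
import base64
import json
from typing import Tuple


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT checking the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def issuer_check(token: str, expected_issuer: str) -> Tuple[bool, str]:
    """Compare the token's 'iss' claim with the issuer the verifier expects.

    This sketch uses an exact string match, so a trailing slash or a
    different scheme is reported as a mismatch.
    """
    iss = unverified_claims(token).get("iss")
    if iss is None:
        return False, "token has no 'iss' claim"
    if iss != expected_issuer:
        return False, f'expected "{expected_issuer}" got "{iss}"'
    return True, f'issuer matches "{iss}"'


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample values mirroring the placeholders in the error above.
    expected = "https://OIDC-Endpoint-URL"
    for issuer in ("https://my.harbor.url/", "https://OIDC-Endpoint-URL"):
        print(issuer_check(make_sample_token({"iss": issuer}), expected))
```

The decode step is only for inspecting a token you already hold; it does not replace signature verification on the server side.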

@chlins
Member

chlins commented Jan 21, 2020

Same question: if authenticating through OIDC, are users meant to generate API tokens from Harbor or from the upstream OIDC server? +1 @reasonerjt
