acl: JWT as SSO auth method #15897
Merged
acl: JWT as SSO auth method #15897
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pkazmierczak
force-pushed
the
f-sso-jwt-auth-method
branch
from
dc70538 to
519c746
Compare
pkazmierczak
force-pushed
the
f-sso-jwt-auth-method
branch
from
5edd5d4 to
f4c7b09
Compare
pkazmierczak
force-pushed
the
f-sso-jwt-auth-method
branch
from
e76b325 to
b526bac
Compare
Ember Asset Size actionAs of 696d4d4 Files that got Bigger 🚨:
Files that stayed the same size 🤷:
|
Ember Test Audit comparison
|
* Bones of JWT detection * JWT to token pipeline complete * Some live-demo fixes for template language * findSelf and loginJWT funcs made async * Acceptance tests and mirage mocks for JWT login * [ui] Allow for multiple JWT auth methods in the UI (#16665) * Split selectable jwt methods * repositions the dropdown to be next to the input field
pkazmierczak
force-pushed
the
f-sso-jwt-auth-method
branch
from
6959151 to
f4e0056
Compare
tgross
approved these changes
Mar 30, 2023
| // Measure the OIDC endpoint performance. | ||
| defer metrics.MeasureSince([]string{"nomad", "acl", "jwt", "oidc_jwt"}, time.Now()) | ||
|
|
||
| // TODO why do we have DiscoverCaPem as an array but JWKSCaPem as a single string? |
There was a problem hiding this comment.
Just a quick check that this TODO is ok to leave before merging?
There was a problem hiding this comment.
Right, this is "a note for future us." Something we'll definitely revisit.
nomad/acl_endpoint.go
Outdated
| defer metrics.MeasureSince([]string{"nomad", "acl", "login"}, time.Now()) | ||
|
|
||
| // This endpoint can only be used once all servers in all federated regions | ||
| // have been upgraded to 1.5.2 or greater, since JWT Auth method was |
There was a problem hiding this comment.
Should this read 1.5.3? Or should we just remove the specific version here and let that live in the minACLJWTAuthMethodVersion constant so we don't need to update it if we have to ship a security update or whatever before this goes out?
There was a problem hiding this comment.
Good call, I'll adjust.
There was a problem hiding this comment.
See 696d4d4 for details.
philrenaud
approved these changes
Mar 30, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a new ACL Auth Method: JWT, which allows users to exchange 3rd party JSON Web Tokens for Nomad ACL Tokens. We achieve this by:
ACL.Login/v1/acl/login-type=JWTwhen creating and updating auth methods, and to thenomad logincommandAll the changes mentioned above were described in NMD-167, and all the commits in this pull request (except for changelog) were previously reviewed.