bazel-remote

Google Authentication support

Open steeve opened this issue 5 years ago • 4 comments

Following https://github.com/bazelbuild/bazel/issues/12135, I figure I'd open an issue to track adding support for Google Auth access tokens in bazel-remote. This would allow exposing it on the internet.

There are two endpoints to verify tokens. I'm thinking of basically adding which domains one wants to authorize users from via the hd and email_verified keys.

steeve avatar Sep 22 '20 14:09 steeve

fwiw, fronting bazel-remote with a dedicated proxy service in the style of https://github.com/oauth2-proxy/oauth2-proxy will be more flexible and doesn't require this project to implement auth for all those auth providers

kragniz avatar Sep 22 '20 14:09 kragniz

> fwiw, fronting bazel-remote with a dedicated proxy service in the style of https://github.com/oauth2-proxy/oauth2-proxy will be more flexible and doesn't require this project to implement auth for all those auth providers

It would be good to add some documentation for this setup - have you tried it already?

mostynb avatar Sep 22 '20 15:09 mostynb

I've not: the cluster I run can get by with no auth + security groups to avoid the latency overhead of checking auth

kragniz avatar Sep 23 '20 09:09 kragniz

I've looked at oauth2-proxy, and unfortunately, it manages its own sessions: https://oauth2-proxy.github.io/oauth2-proxy/configuration/sessions

If you folks know if there is a proxy that would only validate tokens against Google's token-info, I'm all ears.

steeve avatar Sep 27 '20 19:09 steeve
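
The domain check proposed in the opening post, sketched as an added example (not bazel-remote code and not written by anyone in this thread): it takes the JSON body of a token-info response and decides whether the caller belongs to an allowed domain using the `hd` and `email_verified` keys. The `authorize` helper, the `wantAud` parameter and all sample values are hypothetical, and the `aud` comparison is an extra check the thread does not mention, added so that a token issued to a different OAuth client is not accepted.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenInfo: the token-info response fields this check uses. email_verified is
// decoded loosely because it may arrive as a JSON string or a JSON boolean.
type tokenInfo struct {
	Aud           string      `json:"aud"`
	Email         string      `json:"email"`
	EmailVerified interface{} `json:"email_verified"`
	HD            string      `json:"hd"`
}

// authorize (hypothetical helper) returns the caller's email if the response
// passes every check, and an error otherwise.
func authorize(body []byte, wantAud string, allowedDomains []string) (string, error) {
	var ti tokenInfo
	if err := json.Unmarshal(body, &ti); err != nil {
		return "", fmt.Errorf("decode token info: %w", err)
	}
	// Added check: reject tokens minted for some other OAuth client.
	if wantAud == "" || ti.Aud != wantAud {
		return "", errors.New("audience mismatch")
	}
	if fmt.Sprint(ti.EmailVerified) != "true" {
		return "", errors.New("email not verified")
	}
	// Match on hd, not on the email suffix; hd is empty for consumer accounts.
	for _, d := range allowedDomains {
		if ti.HD != "" && strings.EqualFold(ti.HD, d) {
			return ti.Email, nil
		}
	}
	return "", errors.New("hosted domain not allowed")
}

func main() {
	// Constructed sample response, not captured from a real endpoint.
	ok := []byte(`{"aud":"client-1","email":"dev@example.com","email_verified":"true","hd":"example.com"}`)
	fmt.Println(authorize(ok, "client-1", []string{"example.com"}))
}
```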