
Extend rhoas login by supporting SSO client id and secret

Open apodhrad opened this issue 3 years ago • 7 comments

Feature or problem description

Some teams use SSO service accounts which can be authenticated against sso.redhat.com but cannot be used for any "web page" login and cannot obtain a token (pls correct me if I'm wrong). Such service accounts are used for logging in to OCM as follows:

```shell
ocm login --client-id "${CLIENT_ID}" --client-secret "${CLIENT_SECRET}"
```

Could we have something similar for rhoas, please?

apodhrad commented May 23 '22 15:05

While the request can be done on the RHOAS CLI side, I'm not sure if we will support two types of login:

- `--token` (offline token)
- `--client-id=...` (service accounts)

Moving to client-id is quite a simple and natural choice, but it kinda exceeds the scope of the RHOAS CLI. This is more or less a RHOAS SDKs/RHOAS ecosystem question: how we want to log in for automation purposes, etc.

@akoserwal Do you think we can use service accounts to obtain an AccessToken that will work with all fleet managers we have?

wtrocki commented May 23 '22 15:05
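The two login styles contrasted above (an SSO service account identified by client id and secret, and the existing offline refresh token) are both standard OAuth 2.0 token-endpoint grants: `client_credentials` and `refresh_token`. The Go program below is an added example, not code from the rhoas CLI or the app-services-cli project. It builds each request body, exchanges it for an access token, and runs against a constructed fake token endpoint started in-process (it is not sso.redhat.com); every client id, secret and token in it is made up for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ServiceAccountForm builds the client_credentials grant body (RFC 6749 section 4.4),
// the SSO service-account login style requested in this issue.
func ServiceAccountForm(clientID, clientSecret string) (url.Values, error) {
	if clientID == "" || clientSecret == "" {
		return nil, errors.New("client id and client secret are both required")
	}
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_id", clientID)
	v.Set("client_secret", clientSecret)
	return v, nil
}

// OfflineTokenForm builds the refresh_token grant body (RFC 6749 section 6), the
// existing `rhoas login --token` style, where the token is an offline refresh token
// issued to a public client (publicClientID is an assumed name, not a real one).
func OfflineTokenForm(publicClientID, offlineToken string) (url.Values, error) {
	if publicClientID == "" || offlineToken == "" {
		return nil, errors.New("client id and offline token are both required")
	}
	v := url.Values{}
	v.Set("grant_type", "refresh_token")
	v.Set("client_id", publicClientID)
	v.Set("refresh_token", offlineToken)
	return v, nil
}

// ExchangeForAccessToken POSTs the form to the token endpoint and returns the
// access_token field of the JSON reply; any non-200 status is treated as a failure.
func ExchangeForAccessToken(tokenURL string, form url.Values) (string, error) {
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var body struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if body.AccessToken == "" {
		return "", errors.New("response carried no access_token")
	}
	return body.AccessToken, nil
}

// NewFakeTokenServer is a constructed stand-in for an SSO token endpoint. It knows
// exactly one service account and one offline token (all values made up for this
// example) and answers every other request with 401 invalid_grant.
func NewFakeTokenServer() *httptest.Server {
	const (
		wantClientID     = "example-service-account" // constructed
		wantClientSecret = "example-secret"          // constructed
		wantOfflineToken = "example-offline-token"   // constructed
	)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		ok := false
		switch r.PostForm.Get("grant_type") {
		case "client_credentials":
			ok = r.PostForm.Get("client_id") == wantClientID &&
				r.PostForm.Get("client_secret") == wantClientSecret
		case "refresh_token":
			ok = r.PostForm.Get("refresh_token") == wantOfflineToken
		}
		if !ok {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]string{
			"access_token": "access-token-for-" + r.PostForm.Get("grant_type"),
			"token_type":   "Bearer",
		})
	}))
}

func main() {
	srv := NewFakeTokenServer()
	defer srv.Close()
	form, _ := ServiceAccountForm("example-service-account", "example-secret")
	tok, err := ExchangeForAccessToken(srv.URL, form)
	fmt.Println(tok, err)
}
```

One operational point for whichever style a CLI supports: a secret passed as a command-line argument, as in the `ocm login` invocation quoted in the issue, is visible in process listings and shell history, so automation is better served by reading the secret or offline token from an environment variable or a file with restricted permissions and keeping the resulting access token out of logs.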

FYI @gowriswarupk

wtrocki commented May 23 '22 15:05

@apodhrad You can use the sso service account with the ocm client for requests to the control plane API. But it requires some claim configuration for your service account (sso mapper). I can help with getting it configured.

In the near future, rhosak will support the new sso service account api (self service)

akoserwal commented May 24 '22 10:05

Worth mentioning that the current solution is to use an offline refresh token (and the CLI supports it already via the `rhoas login --token` option).

wtrocki commented May 24 '22 10:05

Hi @akoserwal @wtrocki thanks for your quick response.

Today I have found out that rhoas doesn't necessarily require any OCM org or OCM user defined in ocm-resources. But it requires redhat orgs and users defined at access.redhat.com so that rhoas can properly work with objects within an org, e.g. clusters from org A cannot be seen from org B.

Thus, using an sso service account would require an org mapping. Is that the mapping you mentioned?

apodhrad commented May 24 '22 10:05

After discussion with @akoserwal we agreed that this request makes sense once we deal with the mas-sso.

I'm ok with that as we can use the token approach.

Please add proper labels according to your workflow.

apodhrad commented May 25 '22 09:05

Yes. All you need is https://cloud.redhat.com/openshift/token

wtrocki commented May 25 '22 09:05