Skip to content

Implement federated (v3oidcaccesstoken) auth#176

Draft
lburgey wants to merge 2 commits intoncw:masterfrom
lburgey:oidc
Draft

Implement federated (v3oidcaccesstoken) auth#176
lburgey wants to merge 2 commits intoncw:masterfrom
lburgey:oidc

Conversation

@lburgey
Copy link

@lburgey lburgey commented Nov 4, 2021

v3oidcaccesstoken requires two authentication requests:

  1. Retrieving an unscoped token using an oidc access token
  2. Retrieving a scoped token using the unscoped token (already implemented in v3auth)

Change summary:

  • Extracted method for auth request handling
  • Added missing fields to Connection, e.g. IdentityProvider
    • Added mappings to the relevant openstack environment variables
  • Added interface TwoStageAuthenticator
  • Implemented PrelimRequest and PrelimResponse for v3auth

Sadly I saw no reasonable way to test these changes, but I'm completely
open to suggestions. This includes the way I extended the authentication
handling, which may or may not be optimal.

These changes are a follow up to this forum thread: https://forum.rclone.org/t/swift-env-auth-true-env-os-access-token-http-error-404-404-not-found/22520

Lukas Burgey added 2 commits November 4, 2021 09:28
Implement federated (v3oidcaccesstoken) auth
048ba13 
v3oidcaccesstoken requires two authentication requests:
1. Retrieving an unscoped token using an oidc access token
2. Retrieving a scoped token using the unscoped token (already implemented in v3auth)

Change summary:
 - Extracted method for auth request handling
 - Added missing fields to Connection, e.g. IdentityProvider
   - Added mappings to the relevant openstack environment variables
 - Added interface TwoStageAuthenticator
 - Implemented PrelimRequest and PrelimResponse for v3auth

Sadly I saw no reasonable way to test these changes, but I'm completely
open to suggestions. This includes the way I extended the authentication
handling, which may or may not be optimal.

These changes are a follow up to this forum thread: https://forum.rclone.org/t/swift-env-auth-true-env-os-access-token-http-error-404-404-not-found/22520
Make the order of new connection fields consistent
845bae3
@ncw
Copy link
Owner

ncw commented Nov 8, 2021

Just thinking about the testability for a moment...

Currently we have an integration test which tests against a swift all in one docker

https://github.com/ncw/swift/blob/master/integration_test.sh

Could you add tests to that?

@lburgey
Copy link
Author

lburgey commented Nov 9, 2021

Hi,
in integration_test.sh, you write v2 auth does't work for unknown reasons!.
According to this issue, the reason seems to be that docker-swift (successor to bouncestorage/swift-aio) only mocks the authentication. For testing v2 and v3 auth, we would need a real keystone server instance.
I can certainly try to set this up if you think its reasonable.
Cheers,
Lukas

@ncw
Copy link
Owner

ncw commented Nov 9, 2021

Hi, in integration_test.sh, you write v2 auth does't work for unknown reasons!. According to this issue, the reason seems to be that docker-swift (successor to bouncestorage/swift-aio) only mocks the authentication.

Ah, ha!

For testing v2 and v3 auth, we would need a real keystone server instance. I can certainly try to set this up if you think its reasonable.

It would make the integration tests much more realistic.

How difficult would it be? If we could use docker to run a few containers other people maintain that would be fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lburgey @ncw