OpenID Connect support #865
Conversation
Utilized Spring Security's OAuth2 respectively OIDC support as another possibility to manage users and their permissions. Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
|
Thanks for taking the time to contribute to hawkBit! We really appreciate this. Make yourself comfortable while I'm looking for a committer to help you with your contribution. |
Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
|
Thanks a lot for your contribution! OpenID connect support is highly appreciated in hawkBit. In order to fix the licence issue in the build just add a new licence-header file for your company here. The content provided first in You deserve credit for your contribution in hawkBit for sure 😉 I’ll wrap my head around your PR and provide feedback. I assume testing this will take me quite a while |
This reverts commit 23d3624 Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
- Explicitly import the needed specific classes - Document public methods - Add `static` to the constant `JwtAuthoritiesOidcUserService.INVALID_REQUEST` - Remove superfluous runtime exception `OAuth2AuthenticationException` Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
|
Thank you for your reply and the hint for the license. I have resolved most SonarQube issues but the extra one: |
…nnect support (#132) * Added Docker image pull secrets to the hawkbit update server Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Removed empty line after imagePullSecrets if it is set. `toYaml` currently and unintentionally creates a new line at the end of its output. This is going to be fixed in Helm 3 but not in Helm 2 since it would break existing charts (see helm/helm#3470). Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Add support for OpenID Connect OpenID Connect is not yet supported by the official hawBit project. However, a pull request has been opened concerning this feature. See eclipse/hawkbit#865. This commit covers the changes introduced by that pull request. The configuration uses the nested value `oidc`. The feature can be enabled by setting `oidc.enabled=true`. In that case the following, additional values must be set: oidc.clientId, oidc.clientSecret, oidc.issuerUri, oidc.authorizationUri, oidc.tokenUri, oidc.userInfoUri, oidc.jwkSetUri The liveness and readiness probe has been changed accordingly to use a static resource which is always accessible without authentication. Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Add oidc.enabled = false to the default values.yaml Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Revert "Removed empty line after imagePullSecrets if it is set." It increased complexity only for the sake of removing one empty line. This reverts commit 374ca1a Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Document OIDC and its status in hawkBit Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Add starting space in comments Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
It's just static code analysis and general speaking a good advice. But in this case I totally agree. I'd prefer to see secured URL pattern right away instead of generic constant name. Furthermore changing the constant value later on might have unintended security side-effects. So long story short: No need to fix that |
This comment has been minimized.
This comment has been minimized.
Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
|
Busy times in hawkBit ... but I made some progress and finished the paperwork for the Eclipse IP team |
Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
|
@BrandonSchmitt sorry, got distracted will work on it soon |
Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
|
Don't want to nag everyone, but this seems like a great addition to hawkbit. Is this going to be merged anytime soon? :) |
|
ECA valid and in place (checked manually). Thanks a lot @BrandonSchmitt for your patience! |
Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
|
Thanks for getting this merged. |
|
Building a new milestone will be my next task. This will include updated docker image as well. Expect to see it by end of next week |
Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
* Added OpenID Connect support Utilized Spring Security's OAuth2 respectively OIDC support as another possibility to manage users and their permissions. Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Document OpenID Connect Support Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Updated license in OidcUserManagementAutoConfiguration.java Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Revert updated license notice and add Kiwigrid license file This reverts commit 23d3624 Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Resolve SonarQube issues - Explicitly import the needed specific classes - Document public methods - Add `static` to the constant `JwtAuthoritiesOidcUserService.INVALID_REQUEST` - Remove superfluous runtime exception `OAuth2AuthenticationException` Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Add OidcUser support in SpringSecurityAuditorAware Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com> * Secure Management API using OpenID Connect, too. Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
Signed-off-by: Dominic Schabel <dominic.schabel@bosch-si.com>
This pull request adds support for authentication providers implenting the OpenID Connect interface. It uses the Spring Security 5 features for OAuth2 respectively OpenID Connect.
The default configuration has not changed, thus the single user/tenant with basic auth is still the default method.