feat: Disable CSRF check for "/c/oidc/onboard" API for authenticating and Onboarding a User via API from Custom CLI

[Rajpratik71]

Issue being fixed

Fixes #16966

Please indicate you've done the following:

• Well Written Title and Summary of the PR
• Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
• Accepted the DCO. Commits without the DCO will delay acceptance.
• Made sure tests are passing and test coverage is added if needed.
• Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

[codecov]

Codecov Report

Merging #16969 (5476e4d) into main (697f1c7) will decrease coverage by 22.76%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main   #16969       +/-   ##
===========================================
- Coverage   67.39%   44.64%   -22.76%     
===========================================
  Files         984      235      -749     
  Lines      106980    13089    -93891     
  Branches     2670     2670               
===========================================
- Hits        72096     5843    -66253     
+ Misses      31004     6951    -24053     
+ Partials     3880      295     -3585     

Flag	Coverage Δ
unittests	44.64% <ø> (-22.76%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 753 files with indirect coverage changes

[Rajpratik71]

@reasonerjt requesting review

[maheshsmartcow]

It would be great if it can be merged sooner, our solution is depending on this fix. Meanwhile, is there any workaround to onboard OIDC user through API ? Thanks in advance.

[Rajpratik71]

@zyyw @reasonerjt requesting review

[reasonerjt]

Sorry for the late response but I don't understand why this is needed. To onboard a user you need to follow the SSO flow to authenticate via the OIDC provider and do token exchange. After that, you will be redirected to onboard endpoint.

Therefore, this is DESIGNED for the browser, but in the issue you mentioned you wanna call this via curl which is not supposed to work.

[Vad1mo]

Maybe I am wrong but, as I understand it from @Rajpratik71 and other similar issues, is that they want to manage the user before he actually logs in to Harbor the first time. Examples are add the user to the different projects and grant them the right permissions.

Am I right @Rajpratik71 ?

[Rajpratik71]

Hi @reasonerjt @Vad1mo

This is required to do:

1. authentication with OIDC provider and
2. user onboarding

via custom-made cli or curl request using API.

As mentioned in issue, In browser flow CSRF token got added in request, i.e. why it is happening fine but when calling direct API , csrf check is blocking.

i.e. exception was added in "csrfSkipper" function to skip csrf check for "/c/oidc/onboard" API.

[Rajpratik71]

@ywk253100 @wy65701436 @stonezdj @zyyw @daixiang0 @heww requesting review

[ashishkumar-07]

I also need the same behavior. For my use case @Vad1mo is correct. If not this then a similar API should exist for backend flow

[fredbjer]

why blocked? we need this pr.

[reasonerjt]

Maybe I am wrong but, as I understand it from @Rajpratik71 and other similar issues, is that they want to manage the user before he actually logs in to Harbor the first time. Examples are add the user to the different projects and grant them the right permissions.

@ashishkumar-07
I think this may be a valid requirement but I'm not convinced this PR is the right way to solve the problem. To use this endpoint you need the ID token of a specific user, but admin can't do that b/c he doesn't know the credentials of this user.
If we wanna support this case, we need to find a way to allow admin to onboard users without ID token, and for that purpose, I don't think we should use the current /c/onboard endpoint.

[Rajpratik71]

@reasonerjt I think there is some confusion in understanding the scenario.

Here, we don't want this for admin user and don't needs to be done by admin user.

This step is required for self-service i.e signup to harbor using configured Oauth.

This is required for first time signing in of a User in Harbor with configured Oauth.

While from UI, First time signing in of a User in Harbor with configured Oauth got success because in request UI passes the CSRF Token after getting the token from configured Auth/Oauth server then using the token fires the "/c/oidc/onboard" API to get it onboarded in Harbor as a User.

From next time it is not required as user is already there in Harbor.

On the other hand

While from CLI/API , First time signing in of a User in Harbor with configured Oauth got failed because of missing CSRF Token after getting the token from configured Auth/Oauth server then using the token fires the "/c/oidc/onboard" API to get it onboarded in Harbor as a User.

But as CLI/API request doesn't add CSRF Header in requests i.e. the check is failing

[Rajpratik71]

Further , missed the today community meeting due to time zone confusion, was thinking to discuss this.

@reasonerjt and Harbor Team can we schedule a meeting to discuss this over call ?

[reasonerjt]

@Rajpratik71
I would love to, I'll reach out to you on slack.

[github-actions]

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

[github-actions]

This PR was closed because it has been stalled for 30 days with no activity. If this PR is still relevant, please re-open a new PR against main.

[github-actions]

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

[WeiXie96]

Any updates? We also need this pr.

[WeiXie96]

Is it still possible that it can be merged sooner or later? We want to onboard OIDC users through CLI but not GUI, and this fix can solve our problem.

[WeiXie96]

Sorry for asking: can it still be merged into harbor's main branch? And will there be a release that includes this change then? Otherwise we need to build harbor again from the source code.

[Vovanys]

I build images from this commit with CSRF disabled
I try to create a user and get an error

curl -X 'POST' 'https://harbor-registry.xxxx/c/oidc/onboard' -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46SGFyYm9yMTIzU=' -d '{"username": "testuser" }'

{"errors":[{"code":"BAD_REQUEST","message":"Failed to get OIDC user info from session"}]}

At the same time, everything onboard works through the GUI.
I use keycloack

what else is needed?

in harbor logs

[DEBUG] [/server/middleware/security/basic_auth.go:79][requestID="266741f532898a29f1e2ecf1083a980f"]: a basic auth security context generated for request POST /c/oidc/onboard
[DEBUG] [/lib/http/error.go:61]: {"errors":[{"code":"BAD_REQUEST","message":"Failed to get OIDC user info from session"}]}

[OrlinVasilev]

@goharbor/all-maintainers can you check please

[WeiXie96]

My error message is still {"errors":[{"code":"FORBIDDEN","message":"CSRF token invalid"}]}, any updates on this issue??

[github-actions]

This PR is being marked stale due to a period of inactivty. If this PR is still relevant, please comment or remove the stale label. Otherwise, this PR will close in 30 days.

[github-actions]

This PR was closed because it has been stalled for 30 days with no activity. If this PR is still relevant, please re-open a new PR against main.