Add proposal CLI-secret-for-api #250
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # Proposal: Use CLI secret for auth against the API (OIDC) | ||
|
|
||
| Author: Luis Fittkau | ||
|
|
||
| Discussion: - | ||
|
|
||
| ## Abstract | ||
|
|
||
| Use basic auth, consisting of username and CLI secret, instead of the OIDC id token when authenticating against the API when OIDC is enabled | ||
|
|
||
| ## Background | ||
|
|
||
| With OIDC enabled, it is not possible for a normal user to use the API without accessing the OIDC id token, which is not accessible by appropriate means; this proposal fixes that. | ||
|
|
||
| The usual workaround for this is to use robot accounts, but that would mean that each user has to own a separate robot account just to access the API, which doesn't seem clean to me. | ||
| Also, this means that robot accounts can not be created via the API by someone other than the local admin. | ||
|
|
||
| The OIDC id token is accessible via either the harbor debug log, which the user can't see, or via direct communication with the identity provider, which requires credentials that the user isn't supposed to have. | ||
|
|
||
| ## Proposal | ||
|
|
||
| - Extend oidc_cli security context generator to include calls to the v2 API | ||
| - remove idtoken security context generator | ||
| - rename and consolidate tests and names accordingly | ||
|
|
||
| ## Non-Goals | ||
|
|
||
| - | ||
|
There was a problem hiding this comment. docker login already works with the cli secret and nothing changes about that |
||
|
|
||
| ## Rationale | ||
|
|
||
| This change can be seen as a security "downgrade", but since this way of authenticating is already present when using the docker cli, the vulnerability already exists (if it can be considered one). | ||
|
There was a problem hiding this comment. We should double check if the token is invalid the secret becomes invalid at the same time, and clarify it in the design. If there is vulnerability existing now, we should absolutely not move forward, we should fix the vulnerability. There was a problem hiding this comment. What I meant with this being a possible "vulnerability" (depending on the way you look at it, personally I don't think it is a vulnerability) is the fact that the CLI secret only needs to be copied from the UI once and can be used repeatedly without signing in with OIDC again. But:
|
||
|
|
||
| This change disables the authentication via id token. Alternatively, one could allow both ways of authentication at the same time and only deprecate the id-token-way, but since the id token is such a "bumpy" solution (in my opinion) anyway, I don't think it is necessary. | ||
LGhoull marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ## Compatibility | ||
|
|
||
| Authentication against the API via OIDC id token will no longer be possible. | ||
|
|
||
| ## Implementation | ||
|
|
||
| A first version is already done, see https://github.com/goharbor/harbor/pull/20851 | ||
|
|
||
| ## Open issues (if applicable) | ||
|
|
||
| https://github.com/goharbor/harbor/issues/14236 | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add a case to make sure when the token is invalid the cli secret will not be usable for calling the API.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean the id token? From my understanding, harbor attempts to renew the id token to keep the secret valid. If that's not possible, the Secret becomes invalid. All this logic already exists for the CLI secret