Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(WIP) Okta token auth for Process Automation 5.1.0 #545

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

gschueler
Copy link
Member

No description provided.

enable RD_AUTH env var to provide JWT token used in Authorization: Bearer $TOKEN auth format
note: should move to separate class
authenticate to okta to retrieve a JWT bearer token, can be used with RD_AUTH env var to authenticate to Rundeck 5.1.0+. See SSO setup in rundeck docs.
@gschueler gschueler requested a review from ahormazabal January 16, 2024 23:32
@ahormazabal
Copy link
Contributor

This looks great as a first step. The change i'd propose is that the actual token api call is OAuth standard, so there's no need to tie it to Okta. Instead we could have a command rd oauth token or something alike.
The flow to implement is called client credentials, although there are more that we could implement in the future (the device grant is very interesting, its the one used to configure netflix on TV).

Examples of token retrieval calls:

Azure:

### Authorization by token, AZURE
POST https://login.microsoftonline.com/ba468bd4-88e0-40fc-8115-5478ce6e8eb6/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials &
client_id=azure_client_id &
client_secret=azure_client_secret &
scope=api://rd-api-oauth/.default &
state=myownpersonalstate123

# Response
{
  "token_type": "Bearer",
  "expires_in": 3599,
  "ext_expires_in": 3599,
  "access_token": "eyJ0eXAiOiJKV1QiLC..."
}

Ping:

### Authorization by token, Ping
POST https://auth.pingone.com/8e142195-3912-4340-85da-c41c069e66f0/as/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials &
client_id=ping_client_id &
client_secret=ping_client_secret &
scope=rundeck.api.admin.access &
state=myownpersonalstate123

#Response
{
  "access_token": "eyJraWQiOiJmZDZjNzBl...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "rundeck.api.admin.access"
}

Okta

### Authorization by token, Okta
POST https://trial-1510695.okta.com/oauth2/default/v1/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials &
client_id=okta_client_id &
client_secret=okta_client_secret &
scope=rd.okta.api.admin.access &
state=myownpersonalstate123

#Response
{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJraWQiOiJqaDJWYk...",
  "scope": "rd.okta.api.admin.access"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants