With system token authentication, user authorization works with database authentication as well as authentications where we can query the user for the metadata needed for creating and authorizing the user, i.e.:
Database
MiqLdap
External Auth (SSSD based)
  LDAP
  AD
  IPA
For External authentications where we cannot fetch the user metadata on demand, authorization will not work, this includes:
OIDC
SAML
While for OIDC, we can enhance the API client to add support for JWT authentication as per ManageIQ/manageiq-api-client#91, this is only for OIDC and will not work from the CloudForms UI where the authentication is via web redirects (OIDC or SAML), so no JWT token is available for the appliance's region-to-region code to leverage.
The proposal here is that for OIDC and SAML based authentications, we extend the X-Miq-Token system token triad to include the current user's metadata. The current user having just been authorized via the external auth system, we have the trusted and latest attributes for them. We can now include :user_metadata as part of the system token to include the attributes necessary to create or update the user in the receiving region for proper authorization. So the triad would now include:
:server_guid
:timestamp
:userid
:user_metadata
With :user_metadata being optional where we'd populate for OIDC and SAML authentications.
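The extended token and the receiving-region check it implies, as an added Ruby example that is not ManageIQ's own code; the HMAC-signed JSON envelope, the shared key and the 60-second freshness window are assumptions standing in for the appliance's real token encryption.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed stand-ins (assumptions): ManageIQ encrypts the real token with its own key.
SHARED_KEY = "constructed-example-key".freeze
MAX_SKEW   = 60 # seconds a token stays acceptable

# Issuing side: the triad (server_guid, timestamp, userid) plus the optional
# :user_metadata the proposal adds for OIDC/SAML-authenticated users.
def build_system_token(server_guid:, userid:, user_metadata: nil, now: Time.now.utc)
  payload = { "server_guid" => server_guid, "timestamp" => now.to_i, "userid" => userid }
  payload["user_metadata"] = user_metadata if user_metadata
  body = Base64.strict_encode64(JSON.generate(payload))
  "#{body}.#{OpenSSL::HMAC.hexdigest('SHA256', SHARED_KEY, body)}"
end

# Constant-time comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiving region: check integrity, known issuing server and freshness
# before trusting anything in the payload, metadata included.
def verify_system_token(token, known_server_guids:, now: Time.now.utc)
  body, sig = token.to_s.split(".", 2)
  expected = OpenSSL::HMAC.hexdigest("SHA256", SHARED_KEY, body.to_s)
  return [:invalid_signature, nil] unless sig && secure_equal?(sig, expected)
  payload = JSON.parse(Base64.strict_decode64(body))
  return [:unknown_server, nil] unless known_server_guids.include?(payload["server_guid"])
  return [:stale, nil] if (now.to_i - payload["timestamp"].to_i).abs > MAX_SKEW
  return [:missing_userid, nil] if payload["userid"].to_s.empty?
  [:ok, payload]
end

# Create or update the user record from a verified token; without :user_metadata
# (database/LDAP cases) only the userid is recorded, as the page describes.
def upsert_user(users, payload)
  user = users[payload["userid"]] ||= { "userid" => payload["userid"] }
  if (meta = payload["user_metadata"])
    user.merge!(meta.slice("fullname", "email", "groups"))
  end
  user
end
```

The metadata is only applied after the signature, issuing server and timestamp checks pass, so a replayed or forged token cannot create or elevate a user in the receiving region.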