Merge pull request #2695 from coreos-inc/oidc-internal-auth

OIDC internal auth support

endpoints/api/suconfig.py

@@ -217,9 +217,10 @@ class SuperUserConfig(ApiResource):
       # Write the configuration changes to the config override file.
       config_provider.save_config(config_object)
 
-      # If the authentication system is not the database, link the superuser account to the
+      # If the authentication system is federated, link the superuser account to the
       # the authentication system chosen.
-      if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database':
+      service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
+      if service_name is not None:
         current_user = get_authenticated_user()
         if current_user is None:
           abort(401)

endpoints/api/user.py

@@ -529,6 +529,9 @@ class ClientKey(ApiResource):
   @validate_json_request('GenerateClientKey')
   def post(self):
     """  Return's the user's private client key. """
+    if not authentication.supports_encrypted_credentials:
+      raise NotFound()
+
     username = get_authenticated_user().username
     password = request.get_json()['password']
     (result, error_message) = authentication.confirm_existing_user(username, password)
@@ -744,7 +747,7 @@ class ExternalLoginInformation(ApiResource):
         'kind': {
           'type': 'string',
           'description': 'The kind of URL',
-          'enum': ['login', 'attach'],
+          'enum': ['login', 'attach', 'cli'],
         },
       },
     },
@@ -762,7 +765,7 @@ class ExternalLoginInformation(ApiResource):
 
     csrf_token = generate_csrf_token(OAUTH_CSRF_TOKEN_NAME)
     kind = request.get_json()['kind']
-    redirect_suffix = '/attach' if kind == 'attach' else ''
+    redirect_suffix = '' if kind == 'login' else '/' + kind
 
     try:
       login_scopes = login_service.get_login_scopes()