Merge pull request #2695 from coreos-inc/oidc-internal-auth

OIDC internal auth support

static/directives/config/config-setup-tool.html

@@ -622,21 +622,23 @@
       <div class="co-panel-body">
         <div class="description">
           <p>
-            Authentication for the registry can be handled by either the registry itself, LDAP or external JWT endpoint.
+            Authentication for the registry can be handled by either the registry itself, LDAP, Keystone, OIDC or external JWT endpoint.
           </p>
           <p>
             Additional <strong>external</strong> authentication providers (such as GitHub) can be used in addition for <strong>login into the UI</strong>.
           </p>
         </div>
 
-        <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE != 'Database' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
-          It is <strong>highly recommended</strong> to require encrypted client passwords. External passwords used in the Docker client will be stored in <strong>plaintext</strong>!
-          <a ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
-        </div>
+        <div ng-if="config.AUTHENTICATION_TYPE != 'OIDC'">
+          <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE != 'Database' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+            It is <strong>highly recommended</strong> to require encrypted client passwords. External passwords used in the Docker client will be stored in <strong>plaintext</strong>!
+            <a ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
+          </div>
 
-        <div class="co-alert co-alert-success" ng-if="config.AUTHENTICATION_TYPE != 'Database' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
-          Note: The "Require Encrypted Client Passwords" feature is currently enabled which will
-          prevent passwords from being saved as plaintext by the Docker client.
+          <div class="co-alert co-alert-success" ng-if="config.AUTHENTICATION_TYPE != 'Database' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+            Note: The "Require Encrypted Client Passwords" feature is currently enabled which will
+            prevent passwords from being saved as plaintext by the Docker client.
+          </div>
         </div>
 
         <table class="config-table" style="margin-bottom: 20px;">
@@ -648,6 +650,7 @@
                 <option value="LDAP">LDAP</option>
                 <option value="Keystone">Keystone (OpenStack Identity)</option>
                 <option value="JWT">JWT Custom Authentication</option>
+                <option value="OIDC">OIDC Token Authentication</option>
               </select>
             </td>
           </tr>
@@ -687,6 +690,21 @@
           </tr>
         </table>
 
+        <!--  OIDC Token Authentication -->
+        <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'OIDC'">
+          <tr>
+            <td>OIDC Provider:</td>
+            <td>
+              <select class="form-control" ng-model="config.INTERNAL_OIDC_SERVICE_ID" ng-if="getOIDCProviders(config).length">
+                <option value="{{ getOIDCProviderId(provider) }}" ng-repeat="provider in getOIDCProviders(config)">{{ config[provider]['SERVICE_NAME'] || getOIDCProviderId(provider) }}</option>
+              </select>
+              <div class="co-alert co-alert-danger" ng-if="!getOIDCProviders(config).length">
+                An OIDC provider must be configured to use this authentication system
+              </div>
+            </td>
+          </tr>
+        </table>
+
         <!--  Keystone Authentication -->
         <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'Keystone'">
           <tr>
@@ -1073,7 +1091,7 @@
             <span style="display: inline-block; margin-left: 10px">(<a href="javascript:void(0)" ng-click="removeOIDCProvider(provider)">Delete</a>)</span>
           </div>
           <div class="co-panel-body">
-            <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE != 'Database' && !(config[provider].LOGIN_BINDING_FIELD)">
+            <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE && config.AUTHENTICATION_TYPE != 'Database' && config.AUTHENTICATION_TYPE != 'OIDC' && !(config[provider].LOGIN_BINDING_FIELD)">
               Warning: This OIDC provider is not bound to your <strong>{{ config.AUTHENTICATION_TYPE }}</strong> authentication. Logging in via this provider will create a <strong><span class="registry-name"></span>-only user</strong>, which is not the recommended approach. It is <strong>highly</strong> recommended to choose a "Binding Field" below.
             </div>
 
@@ -1134,7 +1152,7 @@
                   </div>
                 </td>
               </tr>
-              <tr ng-if="config.AUTHENTICATION_TYPE != 'Database'">
+              <tr ng-if="config.AUTHENTICATION_TYPE != 'Database' && config.AUTHENTICATION_TYPE != 'OIDC'">
                 <td>Binding Field:</td>
                 <td>
                   <select class="form-control" ng-model="config[provider].LOGIN_BINDING_FIELD">
@@ -1292,7 +1310,7 @@
       </div>
       <div class="co-panel-body">
         <div class="description">
-           If enabled, users can submit Dockerfiles to be built and pushed by the Enterprise Registry.
+           If enabled, users can submit Dockerfiles to be built and pushed by <span class="registry-name"></span>.
         </div>
 
         <div class="config-bool-field" binding="config.FEATURE_BUILD_SUPPORT">