Add support for using OIDC tokens via the Docker CLI
parent
6600b380ca
commit
e724125459
16 changed files with 176 additions and 14 deletions
|
@ -513,6 +513,9 @@ class ClientKey(ApiResource):
|
|||
@validate_json_request('GenerateClientKey')
|
||||
def post(self):
|
||||
""" Return's the user's private client key. """
|
||||
if not authentication.supports_encrypted_credentials:
|
||||
raise NotFound()
|
||||
|
||||
username = get_authenticated_user().username
|
||||
password = request.get_json()['password']
|
||||
(result, error_message) = authentication.confirm_existing_user(username, password)
|
||||
|
@ -728,7 +731,7 @@ class ExternalLoginInformation(ApiResource):
|
|||
'kind': {
|
||||
'type': 'string',
|
||||
'description': 'The kind of URL',
|
||||
'enum': ['login', 'attach'],
|
||||
'enum': ['login', 'attach', 'cli'],
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -746,7 +749,7 @@ class ExternalLoginInformation(ApiResource):
|
|||
|
||||
csrf_token = generate_csrf_token(OAUTH_CSRF_TOKEN_NAME)
|
||||
kind = request.get_json()['kind']
|
||||
redirect_suffix = '/attach' if kind == 'attach' else ''
|
||||
redirect_suffix = '/' if kind == 'login' else '/' + kind
|
||||
|
||||
try:
|
||||
login_scopes = login_service.get_login_scopes()
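Review bot: `redirect_suffix = '/' if kind == 'login' else '/' + kind` now splices the request-supplied `kind` straight into the redirect path, so it is only safe while the schema `enum` on `kind` (widened to `['login', 'attach', 'cli']` in the previous hunk) is actually enforced on this POST; whether `validate_json_request` decorates this method is outside the hunk, so that should be confirmed. The resulting `/cli` suffix must also stay in step with the `/callback/cli` route and the `'/cli'` argument passed to `exchange_code_for_tokens` in the OAuth login module, a coupling nothing here records. A comment above the line would make both constraints visible: `# 'kind' is restricted by the request schema enum; the suffix must match the /callback/<kind> routes registered in oauthlogin.` The enclosing method continues past the end of the hunk.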
|
||||
|
|
|
@ -250,6 +250,24 @@ def _register_service(login_service):
|
|||
auth_url = login_service.get_auth_url(app.config, '', csrf_token, login_scopes)
|
||||
return redirect(auth_url)
|
||||
|
||||
@require_session_login
|
||||
@oauthlogin_csrf_protect
|
||||
def cli_token_func():
|
||||
# Check for a callback error.
|
||||
error = request.args.get('error', None)
|
||||
if error:
|
||||
return _render_ologin_error(login_service.service_name(), error)
|
||||
|
||||
# Exchange the OAuth code for the ID token.
|
||||
code = request.args.get('code')
|
||||
try:
|
||||
idtoken, _ = login_service.exchange_code_for_tokens(app.config, client, code, '/cli')
|
||||
except OAuthLoginException as ole:
|
||||
return _render_ologin_error(login_service.service_name(), ole.message)
|
||||
|
||||
user_obj = get_authenticated_user()
|
||||
return redirect(url_for('web.user_view', path=user_obj.username, tab='settings',
|
||||
idtoken=idtoken))
|
||||
|
||||
oauthlogin.add_url_rule('/%s/callback/captcha' % login_service.service_id(),
|
||||
'%s_oauth_captcha' % login_service.service_id(),
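Review bot: `cli_token_func` hands the freshly obtained OIDC ID token to the browser as a query-string parameter (`redirect(url_for('web.user_view', ..., idtoken=idtoken))`), which puts a bearer credential into server access logs, browser history, proxy logs and any Referer header sent from the settings page. Carrying it server-side instead, e.g. `session['cli_idtoken'] = idtoken` (assuming the Flask `session` is available in this module) followed by `return redirect(url_for('web.user_view', path=user_obj.username, tab='settings'))` and a one-time read on the settings page, keeps the token out of URLs. Separately, `code = request.args.get('code')` can be `None` when the provider omits it, and it is passed to `exchange_code_for_tokens` unchecked; if that helper does not reject a missing code (not visible here), an explicit guard returning `_render_ologin_error` is cheaper than relying on the exception path. The enclosing `_register_service` starts before this hunk, and the route for this view is registered in the following hunk.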
|
||||
|
@ -266,6 +284,11 @@ def _register_service(login_service):
|
|||
attach_func,
|
||||
methods=['GET'])
|
||||
|
||||
oauthlogin.add_url_rule('/%s/callback/cli' % login_service.service_id(),
|
||||
'%s_oauth_cli' % login_service.service_id(),
|
||||
cli_token_func,
|
||||
methods=['GET'])
|
||||
|
||||
# Register the routes for each of the login services.
|
||||
for current_service in oauth_login.services:
|
||||
_register_service(current_service)
|
||||
|
|