Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-8762

Change Dex to support others OIDC providers besides OpenShift and enable Dex token exchange

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • None
    • GitOps
    • None
    • None
    • Product / Portfolio Work
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Feature Overview

      • Non-interactive authentication to GitOps using short-lived tokens released by an external OIDC provider
      • Support OIDC different than OpenShift

      Business Goal/Objective

      • Enhance security of automated processes using short-lived tokens for authentication

      Goals

      • Non-interactive authentication to GitOps using a short-lived token. Today none of the ways to authenticate to GitOps are suitable for that:
        • Using local administrator user -> broad scope, not short-lived
        • Using OpenShift credentials -> non-interactive, limited to OpenShift
        • Using ad-hoc tokens configured at GitOps project level -> token expiration configurable but limited scope and hard to automate tokens rotation
      • Ideal authentication flow:
        1. process wants to authenticate against GitOps. So it authenticates to a user's preferred OIDC, getting a token from it
        2. process authenticate to GitOps Dex server using the token got from OIDC provider
        3. if the token is valid and released from Dex's upstream OIDC, then Dex returns to process a short-lived authentication token for GitOps
        4. process uses the short-lived token returned by Dex to authenticate to GitOps

      Requirements

      Requirements Notes MVP
           
           

      Use Cases

      • Secure authentication to GitOps from CI runners.

      Out of Scope

      • <Defines what is not included in this story>

      Dependencies

      • < Link or at least explain any known dependencies. >

      Background and Strategic Fit

      • < What does the person writing code, testing, documenting need to know? >

      Assumptions

      • < Are there assumptions being made regarding prerequisites and dependencies?>
      • < Are there assumptions about hardware, software, or people resources?>

      Customer Considerations

      • < Are there specific customer environments that need to be considered (such as working with existing h/w and software)? >

      Documentation/QE Considerations

      • A documented, supported flow for CI (or any automated process) to obtain a GitOps token without user/browser interaction
      • Clear configuration guidance (argocd-cm / Dex config), required claims/audience/scopes, and RBAC mapping.
      • Security considerations and recommended best practices from Red Hat.

      Impact

      • < If the feature is ordered with other work, state the impact of this feature on the other work >

      Related Architecture/Technical Documents

      Definition of Ready

      • It is possible for a process performing a non-interactive login to GitOps using a short-lived token got by exchanging an OIDC token

              Unassigned Unassigned
              rhn-support-dcommiss Domenico Commisso
              None
              Votes:
              2 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                None
                None