support client_credentials with client_assertion #167
Conversation
|
This PR has been tested in a real deployment and hourly re-authentication is working as expected. |
|
@robbertvanwaveren Thanks for the PR. I also had one problem running the tests. See the proposed fix. |
oauth-common/src/test/java/io/strimzi/kafka/oauth/common/TokenProviderTest.java
Outdated
Show resolved
Hide resolved
…ProviderTest.java Co-authored-by: Marko Strukelj <marko.strukelj@gmail.com> Signed-off-by: Robbert van Waveren <robbert1@gmail.com>
Signed-off-by: Robbert van Waveren <robbert.van.waveren@alliander.com>
robbertvanwaveren
force-pushed
the
oauth-client-assertion-support
branch
from
b037f47 to
31d8670
Compare
|
I've made a few suggested additions. |
|
@mstruk Do you require anything further from my side? |
|
@robbertvanwaveren Not at the moment. This PR still has to be thoroughly reviewed. Currently I'm busy doing the 0.11.0 release, and integrating the functionality into the main Strimzi Project. I'll get back to this when I find the time. |
|
@mstruk What is the plan for this? |
|
@scholzj The plan is to go back to this very soon now. |
|
@robbertvanwaveren I'm looking at this issue again. There's been a lot of changes by other PRs resulting in conflicts. I can merge the changes in some branch, and you can hard reset your branch from there so we can then continue this PR and get it merged, if that's ok with you. |
|
@robbertvanwaveren I merged the changes here: https://github.com/mstruk/strimzi-kafka-oauth/commits/oauth-client-assertion-support Feel free to hard reset your branch to mstruk@d280c41 |
|
@mstruk Did you managed to make any progress around this? Any ideas what to do with it? |
|
@robbertvanwaveren Are you still interested in getting this PR merged? If yes, we can get it merged quickly. I can prepare another rebase to which you just hard reset your PR and we can merge it. |
|
Discussed on the Community cal of 19.10.2023: There was no reply for a long time. This PR should be closed. If there is some renewed interest later, we can reopen it. |
|
This PR would allow clients to use OpenID Connect with federated identity via client assertion issued by another IdP to get a token. Kubernetes workloads in Azure cloud provider are migrating to this authentication model. It would be great to reopen the review of this PR. Best regards. https://curity.io/resources/learn/jwt-assertion/ |
|
@shinji The PR has stalled and without the DCO sign-off there is not much we can do with it. We either need the DCO sign-off to be fixed and then the existing code here might be used. Or it needs to be implemented from scratch. |
|
Any specific action required from me? |
|
If you could at least fix the DCO signoff, it would be possible to re-use the code. The instructions should be here (assuming the link works): https://github.com/strimzi/strimzi-kafka-oauth/runs/8930450983 |
@robbertvanwaveren You can just use your I will then do the rebase, because there are many conflicts at this point due to other PRs that were merged in the mean time. You can read more about DCO here: https://github.com/apps/dco Another thing you can do is enable commits into your branch as described here which will allow me to also merge the PR. Otherwise I'll have to ask you to hard reset your PR to my rebased branch and force push it again before we can merge. Thanks. |
|
I had to create a new PR to grant rights: #211 |
PR for issue #164
All builds and tests are working.
I added the following abilities:
I was not yet able to test the changing token in real scenario as part of a re-authentication request. So the fact that a re-authentication re-triggers JaasClientOauthLoginCallbackHandler.handle is an untested assumption at this point.