CNTRLPLANE-1458: (authentication): external oidc multiple idp support #1852
Signed-off-by: Bryce Palmer <[email protected]>
@everettraven: This pull request references CNTRLPLANE-1458 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
I'm missing a section that discusses the changes that will be needed for the Console, in particular:
- changes to how the IDP client secret(s) will be managed
- hosting the IDP selection page (in oauth, hosted by the oauth-server)
Since this is an integral part of the main goal of this feature, we should at least outline the main changes expected.
- everettraven
reviewers: # Include a comment about what domain expertise a reviewer is expected to bring and what area of the enhancement you expect them to focus on. For example: - "@networkguru, for networking aspects, please look at IP bootstrapping aspect"
- liouk # Original author of the ExternalOIDC feature for OpenShift
- TBD # Someone from Console team to cover Console nuances?
This is a good question for @jhadvig 🙂
### Goals

- Add support for configuring more than on external OIDC provider.
Maybe emphasize the fact that they'll be active at the same time.
### Non-Goals

- Anything outside of the above outlined goal.
I'd describe "user profiles" as a non-goal to avoid any expectation misunderstandings.
### Goals

- Add support for configuring more than on external OIDC provider.
Suggested change:
- Add support for configuring more than on external OIDC provider.
- Add support for configuring more than one external OIDC provider.
operations / org specific systems.

To configure the UID of a cluster user identity using a specific claim value on OpenShift, a Cluster Administrator updates the `authentications.config.openshift.io/cluster` resource
to populate the claim mapping like so:
Missing example/snippet here?
Missed delete from a copy-paste of the uid-extra EP, will remove :)
Signed-off-by: Bryce Palmer <[email protected]>
@everettraven: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Outlines the plan for adding support for multiple identity providers with the BYO External OIDC feature.