
feat(sdk): public client and other enhancements to well-known SDK functionality #1365

Merged
merged 24 commits into from
Aug 19, 2024

Conversation

@jakedoublev (Contributor) commented Aug 16, 2024

Resolves #1373

This PR makes the following changes:

  1. provisions a public client to Keycloak with an allowlisted redirectUri of http://localhost:9000 to support otdfctl
  2. adds a few IdP accessor methods to the SDK for reading the well-known configuration of the platform pre-auth
  3. removes a few errors about the SDK being unauthenticated, now that reading from the well-known pre-auth is a valid SDK use
  4. adds a public_client_id to the well-known IdP config (with example configs updated) and a warning log about discovery if not provided in the config on startup
  5. cannot remove platform_issuer as a top-level well-known config key that is a duplicate of idp.issuer because of this issue: "sdk should retrieve platform issuer from well-known idp.issuer instead of platform_issuer" (java-sdk#119)
```jsonc
{
  "configuration": {
    "health": {
      "endpoint": "/healthz"
    },
    "idp": {
      "authorization_endpoint": "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/auth",
      "id_token_signing_alg_values_supported": [
        "PS384",
        "RS384",
        "EdDSA",
        "ES384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
      ],
      "issuer": "http://localhost:8888/auth/realms/opentdf",
      "jwks_uri": "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/certs",
      "public_client_id": "opentdf-public", // this is new
      "require_request_uri_registration": true,
      "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
      ],
      "subject_types_supported": [
        "public",
        "pairwise"
      ],
      "token_endpoint": "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"
    }
  }
}
```
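The pre-auth well-known lookup that items 2 and 4 describe, and the exact redirect allowlist behind item 1, worked through as an added Go example. This is not the SDK's or the platform's own code: `SampleWellKnown` is a constructed copy of the response above trimmed to the fields read here, and `IDPConfig`, `ParseWellKnownIDP`, `sameOrigin` and `RedirectURIAllowed` are assumed names. The same-origin check on the discovered endpoints is an added sanity check not mentioned in the PR, and it is stricter than some IdPs need (a few serve `jwks_uri` from a different host).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// SampleWellKnown is a constructed copy of the well-known response in the PR
// description, trimmed to the fields this example reads.
const SampleWellKnown = `{
  "configuration": {
    "idp": {
      "authorization_endpoint": "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/auth",
      "issuer": "http://localhost:8888/auth/realms/opentdf",
      "jwks_uri": "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/certs",
      "public_client_id": "opentdf-public",
      "token_endpoint": "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"
    }
  }
}`

// IDPConfig is an assumed name for this example, not one of the SDK's types.
type IDPConfig struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
	PublicClientID        string `json:"public_client_id"`
}

// ParseWellKnownIDP decodes an unauthenticated well-known response and returns
// its idp section. A missing public_client_id is a warning, not an error,
// mirroring the PR's startup log: the platform still runs, but a CLI cannot
// discover which public client to use. Endpoints outside the issuer's scheme
// and host are rejected (an added sanity check, stricter than some IdPs need).
func ParseWellKnownIDP(body []byte) (IDPConfig, []string, error) {
	var wk struct {
		Configuration struct {
			IDP IDPConfig `json:"idp"`
		} `json:"configuration"`
	}
	if err := json.Unmarshal(body, &wk); err != nil {
		return IDPConfig{}, nil, fmt.Errorf("decode well-known: %w", err)
	}
	cfg := wk.Configuration.IDP
	if cfg.Issuer == "" {
		return IDPConfig{}, nil, fmt.Errorf("well-known idp.issuer is empty")
	}
	var warnings []string
	if cfg.PublicClientID == "" {
		warnings = append(warnings, "public_client_id not set in well-known idp config; public clients cannot be discovered")
	}
	for name, ep := range map[string]string{
		"authorization_endpoint": cfg.AuthorizationEndpoint,
		"token_endpoint":         cfg.TokenEndpoint,
		"jwks_uri":               cfg.JWKSURI,
	} {
		if !sameOrigin(cfg.Issuer, ep) {
			return IDPConfig{}, nil, fmt.Errorf("%s %q is not under issuer %q", name, ep, cfg.Issuer)
		}
	}
	return cfg, warnings, nil
}

// sameOrigin reports whether endpoint shares the issuer's scheme and host.
func sameOrigin(issuer, endpoint string) bool {
	iu, err1 := url.Parse(issuer)
	eu, err2 := url.Parse(endpoint)
	return err1 == nil && err2 == nil && eu.Scheme == iu.Scheme && eu.Host == iu.Host
}

// RedirectURIAllowed applies the exact-match rule a public client's allowlist
// relies on: scheme, host, path and query must all equal one registered entry;
// no prefix or wildcard matching, and fragments are never accepted.
func RedirectURIAllowed(allowlist []string, candidate string) bool {
	cu, err := url.Parse(candidate)
	if err != nil || cu.Fragment != "" {
		return false
	}
	for _, a := range allowlist {
		au, err := url.Parse(a)
		if err == nil && au.Scheme == cu.Scheme && au.Host == cu.Host &&
			au.Path == cu.Path && au.RawQuery == cu.RawQuery {
			return true
		}
	}
	return false
}

func main() {
	cfg, warnings, err := ParseWellKnownIDP([]byte(SampleWellKnown))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("issuer:", cfg.Issuer, "public client:", cfg.PublicClientID, "warnings:", warnings)
	fmt.Println("redirect allowed:", RedirectURIAllowed([]string{"http://localhost:9000"}, "http://localhost:9000"))
}
```

The parse step is the only one a CLI can run before it holds a token, which is why the PR drops the "unauthenticated SDK" errors for it; the redirect check shows why the Keycloak client in item 1 registers `http://localhost:9000` literally rather than a prefix, since a public client has no secret and the exact redirect target is what keeps an authorization code from being delivered anywhere else.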

@jakedoublev changed the title from "new proto accessors for idp well-known info on SDK" to "feat(sdk): public client and other enhancements to well-known SDK functionality" Aug 16, 2024
@jakedoublev jakedoublev marked this pull request as ready for review August 16, 2024 20:38
@jakedoublev jakedoublev requested review from a team as code owners August 16, 2024 20:38
@jakedoublev (Contributor, Author): Cannot deprecate platform_issuer at top level without doing this first: opentdf/java-sdk#119

@jakedoublev (Contributor, Author): Work on this uncovered #1384

@jakedoublev jakedoublev added this pull request to the merge queue Aug 19, 2024
Merged via the queue into main with commit 3be50a4 Aug 19, 2024
19 checks passed
@jakedoublev jakedoublev deleted the feat/cli-auth branch August 19, 2024 19:17
github-merge-queue bot pushed a commit that referenced this pull request Aug 19, 2024
🤖 I have created a release *beep* *boop*
---


## [0.3.8](sdk/v0.3.7...sdk/v0.3.8) (2024-08-19)


### Features

* **sdk:** public client and other enhancements to well-known SDK functionality ([#1365](#1365)) ([3be50a4](3be50a4))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit that referenced this pull request Aug 20, 2024
🤖 I have created a release *beep* *boop*
---


## [0.4.19](service/v0.4.18...service/v0.4.19) (2024-08-20)


### Features

* **core:** add RPCs to namespaces service to handle assignment/removal of KAS grants ([#1344](#1344)) ([ee47d6c](ee47d6c))
* **core:** Adds key ids to kas registry ([#1347](#1347)) ([e6c76ee](e6c76ee))
* **core:** further support in policy for namespace grants ([#1334](#1334)) ([d56231e](d56231e))
* **core:** support grants to namespaces, definitions, and values in GetAttributeByValueFqns ([#1353](#1353)) ([42a3d74](42a3d74))
* **core:** validate kas uri ([#1351](#1351)) ([2b70931](2b70931))
* **policy:** 1277 protos and service methods for Resource Mapping Groups operations ([#1343](#1343)) ([570f402](570f402))
* **sdk:** Load KAS keys from policy service ([#1346](#1346)) ([fe628a0](fe628a0))
* **sdk:** public client and other enhancements to well-known SDK functionality ([#1365](#1365)) ([3be50a4](3be50a4))


### Bug Fixes

* **authz:** Add http routes for authorization to casbin policy ([#1355](#1355)) ([3fbaf59](3fbaf59))
* **core:** align keycloak provisioning in one command ([#1381](#1381)) ([c3611d2](c3611d2)), closes [#1380](#1380)
* **core:** align policy kas grant assignments http gateway methods with actions ([#1299](#1299)) ([031c6ca](031c6ca))
* **core:** Autobump service ([#1340](#1340)) ([3414670](3414670))
* **core:** Autobump service ([#1369](#1369)) ([2ac2378](2ac2378))
* **core:** Autobump service ([#1403](#1403)) ([8084e3e](8084e3e))
* **core:** Autobump service ([#1405](#1405)) ([74a7f0c](74a7f0c))
* **core:** bump go version to 1.22 ([#1407](#1407)) ([c696cd1](c696cd1))
* **core:** cleanup sensitive info being logged from configuration ([#1366](#1366)) ([2b6cf62](2b6cf62))
* **core:** policy kas grants list (filter params and namespace grants) ([#1342](#1342)) ([f18ba68](f18ba68))
* **core:** policy migrations timestamps merge order ([#1325](#1325)) ([2bf4290](2bf4290))
* **sdk:** align sdk with platform modes ([#1328](#1328)) ([88ca6f7](88ca6f7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Successfully merging this pull request may close these issues.

Unauthenticated Clients (CLI and PEPs) should be able to fetch well-known idp config values with SDK