Restructure auth #1057
af2b3c6
to
d006dad
One minor change requested for the public changelog, please
@@ -0,0 +1 @@ | |||
Removed the prompt for a username. |
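Review bot: the added changelog line says the username prompt is gone but not what happens now when no username is supplied. Say in the entry whether the command fails or proceeds without credentials, and where the username is expected to come from instead.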
I think we should explicitly call out "you'll need to specify a BasicAuth username in the config now", since this is a pretty visible user-facing change.
"--username" is also valid. But yes, good idea.
@@ -0,0 +1,2 @@ | |||
Changed the way OAuth2 Client Credentials are provided to give the user some choice over the authentication to use. | |||
The new parameters `--client-id` and `--client-secret` were added and `--username`, `--password` are now restricted to HTTP Basic. |
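Review bot: the second added line names the new parameters `--client-id` and `--client-secret`, while the description of this change further down the page names `--client-id` and `--client-auth`; the entry and the description should agree on the option name. Since `--username` and `--password` are now restricted to HTTP Basic, the entry could also say what someone who previously passed OAuth2 client credentials through those two options has to change.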
👍
This introduces --client-id and --client-auth. Users can now infer the authentication to use in the face of multiple available security proposals.
According to RFC 6749 Section 2.3.1, all token servers are required to support HTTP Basic auth. Supporting the credentials as POST data is instead specified as optional. Furthermore, the RFC discourages using the latter.
Auth objects provided by the pulpcli auth provider are memoized. This way, no password needs to be written back to the pulp_ctx variable and the oauth token can be cached in memory for the lifetime of the context.
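The scheme this commit message refers to, sketched as an added example that is not code from this pull request: client credentials sent through HTTP Basic as RFC 6749 Section 2.3.1 describes, with the resulting token memoized in memory. The names `basic_client_auth`, `token_request`, `MemoizedTokenAuth` and the injected `fetch` callable are hypothetical.

```python
import base64
import time
from urllib.parse import quote_plus, urlencode


def basic_client_auth(client_id, client_secret):
    """Authorization header value for client authentication (RFC 6749, 2.3.1)."""
    # Both parts are form-urlencoded before joining, so a ":" inside either
    # value cannot be mistaken for the user/password separator.
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def token_request(client_id, client_secret):
    """Headers and body of a client-credentials token request."""
    headers = {
        "Authorization": basic_client_auth(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # The secret travels only in the header, never as POST data.
    return headers, urlencode({"grant_type": "client_credentials"})


class MemoizedTokenAuth:
    """Hypothetical auth object: keeps the token in memory until it nears expiry."""

    def __init__(self, client_id, client_secret, fetch, clock=time.monotonic, leeway=30):
        self._creds = (client_id, client_secret)
        self._fetch = fetch      # assumed callable(headers, body) -> parsed JSON dict
        self._clock = clock
        self._leeway = leeway    # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._leeway:
            reply = self._fetch(*token_request(*self._creds))
            self._token = reply["access_token"]
            # A reply without expires_in is treated as single-use.
            self._expires_at = now + reply.get("expires_in", 0)
        return self._token
```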
d006dad
to
e9535de
No description provided.