Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az-jenkins-controller: handle auth by delegating to oauth2-proxy #352

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

az-jenkins-controller: handle auth by delegating to oauth2-proxy #352

wants to merge 2 commits into from

Conversation

flokli
Copy link
Collaborator

@flokli flokli commented Jan 22, 2025 

This configures caddy to delegate authentication to a deployment of
oauth2-proxy, which will redirect the user to GitHub for authentication.

We peek at the user profile, and in case they're part of the tiiuae
organization, let them in.

As GitHub redirects back to the application after the users consent, we
need to have one GitHub application per Jenkins deployment.
Said GitHub OAuth application also needs to have access to see
membership in the tiiuae application.

This will become easier in the future by adding a "trampoline" IdP
like Dex in between, allowing us to manage individual clients and their
redirect URIs locally, with only the Dex URL needing to be configured
in GitHub.

flokli added 2 commits January 22, 2025 14:15
@flokli
hosts/azure/jenkins: add reverseproxyauth plugin
4bc6e96 
Signed-off-by: Florian Klink <[email protected]>
@flokli
az-jenkins-controller: deploy oauth2-proxy for jenkins
cd525f8 
This configures caddy to delegate authentication to a deployment of
oauth2-proxy, which will redirect the user to GitHub for authentication.

We peek at the user profile, and in case they're part of the tiiuae
organization, let them in.

As GitHub redirects back to the application after the users consent, we
need to have one GitHub application per Jenkins deployment.
Said GitHub OAuth application also needs to have access to see
membership in the tiiuae application.

This will become easier in the future by adding a "trampoline" IdP
like Dex in between, allowing us to manage individual clients and their
redirect URIs locally, with only the Dex URL needing to be configured
in GitHub.

Signed-off-by: Florian Klink <[email protected]>
@flokli flokli requested a review from henrirosten January 22, 2025 12:23
@flokli
Copy link
Collaborator Author

flokli commented Jan 22, 2025

This is currently blocked on the oauth2 application setup, as the one that's configured isn't allowed to see membership in the tiiuae org.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@henrirosten henrirosten Awaiting requested review from henrirosten

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@flokli