Hi all, I missed this email when it came out, but I'm excited to hear about OAuth support in Brooklyn. You've all clearly put a tremendous amount of work into it. Are there any docs anywhere about how this works? e.g. maybe more email threads I missed? :-) I don't suppose any of you folks who were involved would like to write up a short blog post or how-to email about the changes that have been made? Or is it best to just review the PR?
Cheers Geoff On Tue, 22 Jan 2019 at 14:37 Alex Heneveld <[email protected]> wrote: > > Thanks Duncan. > > The PR [1] is on this email now (sorry!). > > The brooklyn.cfg that ships with karaf sets up AnyoneSecurityProvider I > believe, not requiring login, rather than basic (this PR hasn't changed > that). The docs to configure basic are at [2], but they need a minor > update to reflect the change in the default or the default should be > changed back to ExplicitUser or RandomUser. We should also review the > docs at [3] and [4] as some parts of those are no longer current with 1.0. > > Best > Alex > > [1] https://github.com/apache/brooklyn-server/pull/1024 > [2] > > http://brooklyn.apache.org/v/latest/ops/configuration/brooklyn_cfg.html#authentication > [3] http://brooklyn.apache.org/v/latest/ops/security-guidelines.html > [4] http://brooklyn.apache.org/v/latest/ops/configuration/index.html > > > > On 22/01/2019 11:32, Duncan Grant wrote: > > Alex, > > > > Nice work - this seems to be a regular feature request, I have a couple > of > > questions. > > > > I think you're missing a link to the PR (ref[1]). > > > > When I try the latest Brooklyn snapshot it basic auth is not enabled. > How > > would I re-enable it? Or do we now need to write a basicauth security > > provider? > > > > Regards > > > > Duncan > > > > > > On Wed, 16 Jan 2019 at 11:20, Alex Heneveld < > [email protected]> > > wrote: > > > >> Hi All- > >> > >> We've had quite a few requests to support OAuth, and I'm pleased to say > >> we can now support it via plugins. > >> > >> Folks are still working on sample plugins for Google and/or GitHub, but > >> enough is there already for people to write their own to integrate with > >> their choice of OAuth servers. > >> > >> It is a bigger change than probably anyone expected however. It is in > >> [1], which has been merged with the help of Juan Cabrerizo (thanks > >> Juan!). This is not expected to break any APIs, but it does have > >> implications for people using the code directly or developing extensions > >> (REST endpoints and UI modules). > >> > >> Firstly background -- JAAS is geared around Basic auth, which is > >> incompatible with OAuth and other modern auth schemes, so we've had to > >> rip out the LoginModule and replace it with Filters. Jersey (REST > >> bundles) and resources (WAR bundles) need different filters so there's a > >> bit of extra complexity, but we've refactored to share code. Then it > >> needed a few version bumps to make it all work as expected -- CXF, > >> javax.ws.rs, Resteasy, and a point bump to karaf itself. All of which > >> are good things, though there was quite a bit of pain in getting them > >> all aligned and playing nicely. > >> > >> They all wrap the Brooklyn SecurityProvider class, so configuring > >> security providers (what users do) is unchanged. There is a new method > >> on the interface to say whether it needs basic auth or not, so custom > >> SecurityProviders will need a minor update. But you now have a lot more > >> flexibility in writing the provider: you can for instance throw a > >> SecurityProviderDeniedAuthentication exception containing a Response to > >> have that Response returned to the HTTP caller. This allows us to > >> handle the redirects needed for OAuth. > >> > >> We've also enabled auth for all the static resouces modules (WARs). This > >> is so the redirect happens for the user's browser request, rather than > >> loading html and JS, and the 302 redirect only occurring within angular > >> which is unhelpful. It also is a bit more secure, as now nothing is > >> available if you aren't logged in. > >> > >> Changes to downstream REST projects are pretty simple, see the > >> `blueprint.xml` change; and WAR bundles also, an update to `web.xml` and > >> the `pom.xml`. > >> > >> Any questions just let us know. > >> > >> Best > >> Alex > >> (with a lot of work by Juan!) > >> > >
