hongming
@@ -25,6 +25,7 @@ import (
|
||||
"k8s.io/klog"
|
||||
"kubesphere.io/kubesphere/pkg/api"
|
||||
"kubesphere.io/kubesphere/pkg/api/auth"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
|
||||
authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
|
||||
@@ -85,7 +86,7 @@ func (h *oauthHandler) AuthorizeHandler(req *restful.Request, resp *restful.Resp
|
||||
responseType := req.QueryParameter("response_type")
|
||||
redirectURI := req.QueryParameter("redirect_uri")
|
||||
|
||||
conf, err := h.options.OAuthOptions.GetOAuthClient(clientId)
|
||||
conf, err := h.options.OAuthOptions.OAuthClient(clientId)
|
||||
|
||||
if err != nil {
|
||||
err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
|
||||
@@ -105,10 +106,10 @@ func (h *oauthHandler) AuthorizeHandler(req *restful.Request, resp *restful.Resp
|
||||
return
|
||||
}
|
||||
|
||||
expiresIn := h.options.OAuthOptions.AccessTokenMaxAgeSeconds
|
||||
expiresIn := h.options.OAuthOptions.AccessTokenMaxAge
|
||||
|
||||
if conf.AccessTokenMaxAgeSeconds != nil {
|
||||
expiresIn = *conf.AccessTokenMaxAgeSeconds
|
||||
if conf.AccessTokenMaxAge != nil {
|
||||
expiresIn = *conf.AccessTokenMaxAge
|
||||
}
|
||||
|
||||
accessToken, err := h.issuer.IssueTo(user, expiresIn)
|
||||
@@ -130,7 +131,7 @@ func (h *oauthHandler) AuthorizeHandler(req *restful.Request, resp *restful.Resp
|
||||
redirectURL = fmt.Sprintf("%s#access_token=%s&token_type=Bearer", redirectURL, accessToken)
|
||||
|
||||
if expiresIn > 0 {
|
||||
redirectURL = fmt.Sprintf("%s&expires_in=%v", redirectURL, expiresIn)
|
||||
redirectURL = fmt.Sprintf("%s&expires_in=%v", redirectURL, expiresIn.Seconds())
|
||||
}
|
||||
|
||||
resp.Header().Set("Content-Type", "text/plain")
|
||||
@@ -147,14 +148,14 @@ func (h *oauthHandler) OAuthCallBackHandler(req *restful.Request, resp *restful.
|
||||
resp.WriteError(http.StatusUnauthorized, err)
|
||||
}
|
||||
|
||||
idP, err := h.options.OAuthOptions.GetIdentityProvider(name)
|
||||
idP, err := h.options.OAuthOptions.IdentityProviderOptions(name)
|
||||
|
||||
if err != nil {
|
||||
err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
|
||||
resp.WriteError(http.StatusUnauthorized, err)
|
||||
}
|
||||
|
||||
oauthIdentityProvider, err := idP.GetOAuth2IdentityProviderInstance()
|
||||
oauthIdentityProvider, err := identityprovider.ResolveOAuthProvider(idP.Type, idP.Provider)
|
||||
|
||||
if err != nil {
|
||||
err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
|
||||
@@ -168,7 +169,7 @@ func (h *oauthHandler) OAuthCallBackHandler(req *restful.Request, resp *restful.
|
||||
resp.WriteError(http.StatusUnauthorized, err)
|
||||
}
|
||||
|
||||
expiresIn := h.options.OAuthOptions.AccessTokenMaxAgeSeconds
|
||||
expiresIn := h.options.OAuthOptions.AccessTokenMaxAge
|
||||
|
||||
accessToken, err := h.issuer.IssueTo(user, expiresIn)
|
||||
|
||||
@@ -181,7 +182,7 @@ func (h *oauthHandler) OAuthCallBackHandler(req *restful.Request, resp *restful.
|
||||
result := oauth.Token{
|
||||
AccessToken: accessToken,
|
||||
TokenType: "Bearer",
|
||||
ExpiresIn: expiresIn,
|
||||
ExpiresIn: int(expiresIn.Seconds()),
|
||||
}
|
||||
|
||||
resp.WriteEntity(result)
|
||||
|
||||
@@ -23,12 +23,19 @@ import (
|
||||
restfulspec "github.com/emicklei/go-restful-openapi"
|
||||
"kubesphere.io/kubesphere/pkg/api"
|
||||
"kubesphere.io/kubesphere/pkg/api/auth"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
|
||||
authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
|
||||
"kubesphere.io/kubesphere/pkg/constants"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
// ks-apiserver includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.
|
||||
// The OAuth server supports standard authorization code grant and the implicit grant OAuth authorization flows.
|
||||
// All requests for OAuth tokens involve a request to <ks-apiserver>/oauth/authorize.
|
||||
// Most authentication integrations place an authenticating proxy in front of this endpoint, or configure ks-apiserver
|
||||
// to validate credentials against a backing identity provider.
|
||||
// Requests to <ks-apiserver>/oauth/authorize can come from user-agents that cannot display interactive login pages, such as the CLI.
|
||||
func AddToContainer(c *restful.Container, issuer token.Issuer, options *authoptions.AuthenticationOptions) error {
|
||||
ws := &restful.WebService{}
|
||||
ws.Path("/oauth").
|
||||
@@ -48,12 +55,17 @@ func AddToContainer(c *restful.Container, issuer token.Issuer, options *authopti
|
||||
|
||||
// Only support implicit grant flow
|
||||
// https://tools.ietf.org/html/rfc6749#section-4.2
|
||||
// curl -u admin:P@88w0rd 'http://ks-apiserver.kubesphere-system.svc/oauth/authorize?client_id=kubesphere-console-client&response_type=token' -v
|
||||
ws.Route(ws.GET("/authorize").
|
||||
Doc("All requests for OAuth tokens involve a request to <ks-apiserver>/oauth/authorize.").
|
||||
To(handler.AuthorizeHandler))
|
||||
//ws.Route(ws.POST("/token"))
|
||||
|
||||
// Authorization callback URL, where the end of the URL contains the identity provider name.
|
||||
// The provider name is also used to build the callback URL.
|
||||
ws.Route(ws.GET("/callback/{callback}").
|
||||
To(handler.OAuthCallBackHandler))
|
||||
Doc("OAuth callback API, the path param callback is config by identity provider").
|
||||
To(handler.OAuthCallBackHandler).
|
||||
Returns(http.StatusOK, api.StatusOK, oauth.Token{}))
|
||||
|
||||
c.Add(ws)
|
||||
|
||||
|
||||
@@ -16,30 +16,34 @@
|
||||
* /
|
||||
*/
|
||||
|
||||
package serverconfig
|
||||
package v1alpha2
|
||||
|
||||
import (
|
||||
"github.com/emicklei/go-restful"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/runtime"
|
||||
)
|
||||
|
||||
func AddToContainer(c *restful.Container, config *apiserverconfig.Config) error {
|
||||
configs := &restful.WebService{}
|
||||
const (
|
||||
GroupName = "config.kubesphere.io"
|
||||
)
|
||||
|
||||
configs.Path("/server/configs").
|
||||
Consumes(restful.MIME_JSON).
|
||||
Produces(restful.MIME_JSON)
|
||||
var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
|
||||
|
||||
func AddToContainer(c *restful.Container, config *apiserverconfig.Config) error {
|
||||
webservice := runtime.NewWebService(GroupVersion)
|
||||
|
||||
// information about the authorization server are published.
|
||||
configs.Route(configs.GET("/oauth-configz").To(func(request *restful.Request, response *restful.Response) {
|
||||
webservice.Route(webservice.GET("/configs/oauth").To(func(request *restful.Request, response *restful.Response) {
|
||||
response.WriteEntity(config.AuthenticationOptions.OAuthOptions)
|
||||
}))
|
||||
|
||||
// information about the server configuration
|
||||
configs.Route(configs.GET("/configz").To(func(request *restful.Request, response *restful.Response) {
|
||||
webservice.Route(webservice.GET("/configs/configz").To(func(request *restful.Request, response *restful.Response) {
|
||||
response.WriteAsJson(config.ToMap())
|
||||
}))
|
||||
|
||||
c.Add(configs)
|
||||
c.Add(webservice)
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user