-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
api-server: remove stub authenticator #1008
Conversation
Signed-off-by: Teo Koon Peng <[email protected]>
Signed-off-by: Teo Koon Peng <[email protected]>
Signed-off-by: Teo Koon Peng <[email protected]>
Signed-off-by: Teo Koon Peng <[email protected]>
Signed-off-by: Teo Koon Peng <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for cleaning up the superuser
fiasco too. Other than a new token that's required, LGTM!
// "iss": "stub", | ||
// "exp": 2051222400 | ||
// } | ||
this.token = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is awesome! Can you regenerate another token such that it is an admin?
You can verify it by seeing if Admin Actions are enabled for this user
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added another token for user, also need to change the stub username to "admin". Without using other claims to determine if an user is admin, the only admin we can have is the default admin named "admin". We actually can use jwt claims to determine admin, but just not the realm_access
claim as that is exclusive to keycloak, we need to define custom roles and document, then configure keycloak to sign those claims instead.
Signed-off-by: Teo Koon Peng <[email protected]>
Remove the stub authenticator in api server. Now instead of a stub, we support using a secret to verify the jwt, for testing, the frontend hardcodes a token signed with the secret. This brings the test environment closer to prod and allows us to test with other claims in the future (e.g. address, emails, custom claims).