Serge Smertin
02d9f877b5
Make `bricks auth` use `all-apis` scope (#304)
...
## Changes
Use `all-apis` scope, so that we can use the issued token for SCIM APIs.
The production environment has to be tuned in order to enable `all-apis`
scope for a specific account.
## Tests
Manual
2023-04-05 10:18:13 +02:00
Fabian Jakobs
f0c35a2b27
Initialize BRICKS_CLI_PATH and increase default OAuth timeout (#237)
...
related to https://github.com/databricks/databricks-sdk-go/pull/330
2023-03-08 16:14:24 +01:00
Fabian Jakobs
da4b58a897
Fix link to workspace after AWS OAuth login (#234)
...
`Host` is already normalized and always has the `https://` prefix.
2023-03-08 11:56:46 +01:00
Serge Smertin
b87b4b0f40
Added `bricks auth login` and `bricks auth token` (#158)
...
# Auth challenge (happy path)
Simplified description of [PKCE](https://oauth.net/2/pkce/)
implementation:
```mermaid
sequenceDiagram
autonumber
actor User
User ->> CLI: type `bricks auth login HOST`
CLI ->>+ HOST: request OIDC endpoints
HOST ->>- CLI: auth & token endpoints
CLI ->> CLI: start embedded server to consume redirects (lock)
CLI -->>+ Auth Endpoint: open browser with RND1 + SHA256(RND2)
User ->>+ Auth Endpoint: Go through SSO
Auth Endpoint ->>- CLI: AUTH CODE + 'RND1 (redirect)
CLI ->>+ Token Endpoint: Exchange: AUTH CODE + RND2
Token Endpoint ->>- CLI: Access Token (JWT) + refresh + expiry
CLI ->> Token cache: Save Access Token (JWT) + refresh + expiry
CLI ->> User: success
```
# Token refresh (happy path)
```mermaid
sequenceDiagram
autonumber
actor User
User ->> CLI: type `bricks token HOST`
CLI ->> CLI: acquire lock (same local addr as redirect server)
CLI ->>+ Token cache: read token
critical token not expired
Token cache ->>- User: JWT (without refresh)
option token is expired
CLI ->>+ HOST: request OIDC endpoints
HOST ->>- CLI: auth & token endpoints
CLI ->>+ Token Endpoint: refresh token
Token Endpoint ->>- CLI: JWT (refreshed)
CLI ->> Token cache: save JWT (refreshed)
CLI ->> User: JWT (refreshed)
option no auth for host
CLI -X User: no auth configured
end
```
2023-01-06 16:15:57 +01:00
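The auth-challenge diagram in the commit above relies on two random values: RND1 comes back on the redirect and SHA256(RND2) is checked at the token exchange. The Go sketch below is an added example, not code from the commit or from the bricks CLI. It assumes RND1 is the OAuth `state` parameter and RND2 is the PKCE `code_verifier` with the S256 method of RFC 7636; all function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// randomToken returns n bytes from the OS CSPRNG, base64url-encoded without padding.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// challengeS256 is SHA256(RND2) as sent to the auth endpoint (RFC 7636, method S256).
func challengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// checkRedirect runs in the CLI's embedded server: the redirect must echo RND1.
func checkRedirect(sentState, gotState, code string) error {
	if subtle.ConstantTimeCompare([]byte(sentState), []byte(gotState)) != 1 {
		return errors.New("state mismatch: redirect does not belong to this login")
	}
	if code == "" {
		return errors.New("redirect carried no authorization code")
	}
	return nil
}

// verifyExchange models the token endpoint: RND2 must hash to the stored challenge.
func verifyExchange(storedChallenge, verifier string) bool {
	return subtle.ConstantTimeCompare([]byte(storedChallenge), []byte(challengeS256(verifier))) == 1
}

func main() {
	state, err1 := randomToken(16)    // RND1 (assumed to be the OAuth state)
	verifier, err2 := randomToken(32) // RND2, stays in the CLI until the exchange
	if err1 != nil || err2 != nil {
		panic("no entropy available")
	}
	fmt.Println(checkRedirect(state, state, "constructed-code"), verifyExchange(challengeS256(verifier), verifier))
}
```

An authorization code intercepted on the redirect is useless without RND2, because only its hash was ever sent through the browser.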