Minor clean up and switch to Bearer token header #330

Merged
merged 4 commits into from
Apr 22, 2024

Conversation

IEvangelist
Member

In this PR:

  • Minor clean-up for readability, and pattern matching.
  • Convert the Authorization HTTP Header to Bearer w/o encoding.

Since the token parameter in the .ctor is assigned from the OspoKey environment variable value, we'd need to ensure that consuming GitHub Action workflows are updated to get a request token, similar to the following flow:

```yaml
name: POC API 🐿️

on:
  push:
    branches: [main]

# id-token: write lets the job request an OIDC token for azure/login.
permissions:
  id-token: write
  contents: read

jobs:
  build:
    name: 'POC 🚛'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Azure OpenID Connect ✨
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.CLIENT_ID }}
          tenant-id: ${{ secrets.TENANT_ID }}
          allow-no-subscriptions: true

      # Request an access token for the API audience and expose it to later steps as OspoKey.
      - name: OSMP API access
        run: |
          TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
          echo "OspoKey=$TOKEN" >> "$GITHUB_ENV"
```

This would need to happen before calling into quest, so that the OspoKey is assigned from the returned TOKEN. The main question we'd need answered is: where do we get these values? I'm assuming Jeff Wilcox would know:

  • secrets.CLIENT_ID
  • secrets.TENANT_ID
  • secrets.OSMP_API_AUDIENCE
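
A hardened form of the `OSMP API access` step above, as an added example that is not part of the PR or the project's code: it checks the token's `aud` and `exp` claims and masks the value before writing `OspoKey` to `$GITHUB_ENV`. The function names, the audience `api://example-osmp` and the unsigned sample token are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the access token before exporting it as OspoKey.
# Claims are only inspected here; signature validation stays with the API.

# Decode one base64url JWT segment.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print a top-level string or numeric claim (simple extractor; assumes a
# single-line payload and a single-string "aud").
jwt_claim() {  # usage: jwt_claim <token> <claim>
  local payload
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)") || return 1
  printf '%s' "$payload" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Succeed only for a three-segment token with the expected audience that has
# not expired. The optional third argument overrides "now" (epoch seconds).
check_token() {  # usage: check_token <token> <expected-aud> [now]
  local token="$1" want="$2" now="${3:-$(date +%s)}" aud exp
  case "$token" in *.*.*.*) token= ;; esac
  case "$token" in *.*.*) ;; *) echo "not a three-segment JWT" >&2; return 1 ;; esac
  aud=$(jwt_claim "$token" aud) || return 1
  exp=$(jwt_claim "$token" exp) || return 1
  [ "$aud" = "$want" ] || { echo "unexpected audience" >&2; return 1; }
  case "$exp" in ''|*[!0-9]*) echo "missing exp claim" >&2; return 1 ;; esac
  [ "$exp" -gt "$now" ] || { echo "token expired" >&2; return 1; }
}

# Mask the token in the job log, then expose it to later steps as OspoKey.
export_ospo_key() {  # usage: export_ospo_key <token> <expected-aud>
  check_token "$1" "$2" || return 1
  echo "::add-mask::$1"
  echo "OspoKey=$1" >> "$GITHUB_ENV"
}

# Constructed sample (unsigned, not a real token): exp is 2100-01-01T00:00:00Z.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url '{"alg":"none"}').$(b64url '{"aud":"api://example-osmp","exp":4102444800}').sig"

check_token "$SAMPLE_TOKEN" "api://example-osmp" && echo "sample token accepted"
```

In the workflow, the step would call `export_ospo_key "$TOKEN" "<expected audience>"` in place of the bare `echo ... >> $GITHUB_ENV`.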

@IEvangelist IEvangelist requested a review from BillWagner April 19, 2024 14:56
@IEvangelist IEvangelist changed the base branch from main to oidc-sandbox April 22, 2024 19:21
Member

@BillWagner BillWagner left a comment

This is a great start. Let's keep collaborating on it.

Let's :shipit:

@IEvangelist IEvangelist marked this pull request as ready for review April 22, 2024 19:23
@IEvangelist IEvangelist merged commit ae61761 into dotnet:oidc-sandbox Apr 22, 2024
BillWagner pushed a commit that referenced this pull request Apr 25, 2024
* Minor clean up and switch to Bearer token header

* Add a test sandbox, and expose a means for getting a hydrated `OspoClient` via a factory that does `az login` and `az account get-access-token`.

* A tweak or two
IEvangelist added a commit that referenced this pull request Apr 30, 2024
…API from PAT to OIDC (#335)

* Minor clean up and switch to Bearer token header (#330)

* Minor clean up and switch to Bearer token header

* Add a test sandbox, and expose a means for getting a hydrated `OspoClient` via a factory that does `az login` and `az account get-access-token`.

* A tweak or two

* use OIDC in the code for what's new (#333)

* use OIDC in the code for what's new, Quest

Update the What's New app code to use the new OIDC approach.
Update the Quest app to use the new OIDC approach.

* Configure the OSPO client using the new keys

In both SeQuester, and the What's New app, make the following changes:

- Use the OIDC configuration to setup access to the OSPO client.
- Check for the deprecated key, and produce a warning if the deprecated key is present.
- If the authorization fails, fail gracefully in both apps when an item needs to be updated.

* Minor clean up and switch to Bearer token header (#330)

* Minor clean up and switch to Bearer token header

* Add a test sandbox, and expose a means for getting a hydrated `OspoClient` via a factory that does `az login` and `az account get-access-token`.

* A tweak or two

* use OIDC in the code for what's new (#333)

* use OIDC in the code for what's new, Quest

Update the What's New app code to use the new OIDC approach.
Update the Quest app to use the new OIDC approach.

* Configure the OSPO client using the new keys

In both SeQuester, and the What's New app, make the following changes:

- Use the OIDC configuration to setup access to the OSPO client.
- Check for the deprecated key, and produce a warning if the deprecated key is present.
- If the authorization fails, fail gracefully in both apps when an item needs to be updated.

* update our configs

* Debugging session 1

* Debugging session 2

---------

Co-authored-by: David Pine <[email protected]>