Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow choosing host when OAuth / Bearer token authentication is enabled #21327

Open
marvinruder opened this issue Nov 25, 2024 · 2 comments
Open

Comments

@marvinruder
Copy link
Contributor

Page: Login

I run a cockpit-ws container on a Fedora CoreOS host, from which I occasionally connect to other hosts. With the host switcher being deprecated, I am looking into the options to connect to other hosts in different ways.

Also, I have activated authentication via OAuth and Bearer tokens. Having this setting active, when opening Cockpit, I am immediately redirected to the OAuth provider and back to the “Validating authentication token” dialog, where my custom Bearer token authentication script always receives the argument localhost as the host to connect to. Right now, I do not see an option for connecting to different hosts with OAuth enabled and the host switcher disabled.

Instead of immediately being redirected to the OAuth provider, I would like to have a button “Log in using OAuth” and the “Connect to” text field below it, so I can enter a host and then go to the OAuth provider. The Bearer token authentication script shall then receive the host input value as a command line argument.

@martinpitt
Copy link
Member

Do you use the cockpit/ws container just as a "jump host" (we call that "bastion host"), i.e. log directly into a remote host from the login page using "Connect to:"? That is supported, and will always be, it's not problematic.

image

It sounds like it as your oauth setup wouldn't make much sense from within a Cockpit session -- we don't support oauth in the shell's host switcher (or at least I've never heard of it, perhaps there's a clever trick to make it work).

The "host switcher" is the top left thing in a running session:

image

@marvinruder
Copy link
Contributor Author

Do you use the cockpit/ws container just as a "jump host" (we call that "bastion host"), i.e. log directly into a remote host from the login page using "Connect to:"? That is supported, and will always be, it's not problematic.

I am trying to set up my container as a bastion host, yes. I know the “Connect to:” interface from when I used password and SSH key authentication. But this input field never shows up when OAuth is enabled, it goes straight to the OAuth provider on page load and then tries to log into localhost.

It sounds like it as your oauth setup wouldn't make much sense from within a Cockpit session -- we don't support oauth in the shell's host switcher (or at least I've never heard of it, perhaps there's a clever trick to make it work).

Currently I sign in to one host preconfigured in my Bearer token authentication script, which is done using OAuth. Once I am in, I can use the host switcher to connect to other hosts, which is done using the first host’s SSH keys.

My cockpit.conf looks as follows:

[WebService]
ProtocolHeader = X-Forwarded-Proto
ForwardedForHeader = X-Forwarded-For
LoginTo = true     # appears to have no effect
RequireHost = true # appears to have no effect

[Bearer]
Command = /container/cockpit-auth-bearer

[OAuth]
URL = https://sso.<domain>/realms/<realm>/protocol/openid-connect/auth?client_id=cockpit&response_type=token

/container/cockpit-auth-bearer is a copy of /container/cockpit-auth-ssh-key, but reads the username and the password for the SSH key from the OAuth access token. It also has to define the host to connect as

host = os.environ.get("COCKPIT_OAUTH_HOST")

because the default behavior is logging into localhost, which does not make sense within a cockpit-ws container.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants