add support of OAuth 2.0/OIDC 'code with PKCE' flow (back-end)#1792
Conversation
janhoy
left a comment
janhoy
left a comment
There was a problem hiding this comment.
Looks overall good.
Please do a stab on RefGuide docs. The ref guide should encourage the use of code flow and warn that implicit flow support is deprecated.
Perhaps we can also print a WARN log in backend if implicit is in use (either explicitly or implicitly) so that users upgrading to 9.4 without reading the release notes will at least get a warn log that they should switch.
laminelam
force-pushed
the
feature/SOLR-16897-oautho20-oidc-pkce-back-end
branch
15 times, most recently
from
ee18897 to
6437c1b
Compare
laminelam
force-pushed
the
feature/SOLR-16897-oautho20-oidc-pkce-back-end
branch
from
6437c1b to
9cdf0e4
Compare
Thank you @janhoy for the review. |
Thanks, the validation and warn log looks good 👍 Will do a final review when refguide docs are in. Also remember CHANGES.txt. |
janhoy
left a comment
janhoy
left a comment
There was a problem hiding this comment.
- Add refguide docs
- CHANGES entry
- Constant naming
- Backend part of CSP header
|
Eager to get this into 9.4. Let me know if we can help finalizing these two PRs |
@janhoy |
Cool. In my patch i completely disabled CSP response for all other endpoints than the |
Yes I was thinking the same thing, we don't need this header for non browser targeted servlets (API endpoint, etc.), it will be just ignored by other endpoints. Now, I am not sure of a scenario where we would need a different UI servlet exposed on a different path. Let me think about it and get back to you hopefully by tomorrow. |
Will add the CHANGES entry. Here are the main changes to the patch:
|
|
We do have two packages "in the wild" that come with a UI, the YASA package https://github.com/yasa-org/yasa and Splainer, https://github.com/o19s/splainer/tree/main/solr-splainer-package. Will these packages need to be updated? If we want to make this change, and that ripples down to packages, then we should do it now before more Packages are developed ;-). We do have a test (commented out) that validates deploying Packages that might be useful: https://github.com/apache/solr/blob/main/solr/packaging/test/test_packages.bats#L69 |
As stated anove, we never really needed to disable the old CSP header config in |
|
THANK YOU @janhoy for your extensive review and contribution. |
janhoy
left a comment
janhoy
left a comment
There was a problem hiding this comment.
I fixed the merge conflict and CHANGES entry. Think this is good to go now. Great work!
Co-authored-by: Jan Høydahl <janhoy@apache.org>
|
I'm going to force-push a squashed git-history in order for full test suite to run. Will preserve you as commit author.. |
janhoy
force-pushed
the
feature/SOLR-16897-oautho20-oidc-pkce-back-end
branch
from
f517f38 to
8264b15
Compare
6 participants
https://issues.apache.org/jira/browse/SOLR-16897
This is the "back-end" part of 'code with PKCE' contribution.
The back-end code is mainly for configuration. This is where the different options are configured.
This PR adds tokenEndpoint and authorizationFlow options.
Checklist
Please review the following and check all that apply:
mainbranch../gradlew check.