☂️ SSO / OIDC / Token Expiry

[philrenaud]

ACL Token Expiration

The ability to set optional expiration times on ACL tokens. A prerequisite of Nomad SSO.

RFC

• (L) Draft RFC
• (S) Circulate within Nomad team
• (S) Circulate within RFC mailing list

Implementation

• (S) Update Server configuration with new options
• (S) Modify ACL token API and CLI
• (S) Modify ACL token state store schema
• (S) Modify ACL token resolve RPC funcs
• (M) Add new ACL token expiry garbage collector

Docs and Test

• (S) Update server config website documentation
• (S) Update API ACL token website documentation
• (S) Update CLI ACL token website documentation
• (S) Identify and update internal docs around ACL usage
• (M) Add token expiry E2E tests
• (L) New Learn guide

ACL Token Roles

The ability to group ACL policies within ACL roles. A prerequisite of Nomad SSO.

RFC

• (L) Draft RFC
• (S) Circulate within Nomad team
• (S) Circulate within RFC mailing list

Implementation

• (L) Implement ACL roles schema and store funcs
• (M) Implement ACL roles structs and diff funcs
• (L) implement ACL roles RPC endpoints
• (L) implement ACL roles API endpoints
• (M) implement ACL roles CLI
• (S) Update ACL token create CLI
• (L) Modify ACL token resolve functionality
• (M) Modify replication functionality to include ACL roles

Docs and Test

• (M) Add ACL role API website documentation
• (M) Add ACL role CLI website documentation
• (M) Identify and update ACL authentication website documentation
• (L) Add ACL role E2E tests
• (L) New Learn guide

ACL SSO (OIDC)

The SSO feature itself. There are still a number of unknown from my side as previous work focussed on expiry and roles.

RFC

• (L) Draft RFC
• (S) Circulate within Nomad team
• (S) Circulate within RFC mailing list

Implementation

• (L) Implement ACL auth method schema and store funcs
• (L) Implement ACL auth method structs and diff funcs
• (L) implement ACL auth method RPC endpoints
• (L) implement ACL auth method API endpoints
• (L) Implement login API
• (L) Implement login RPC
• (M) implement ACL auth method CLI
• (L) Modify replication functionality to include ACL auth method
• (L) Implement login CLI
• (L) Add ACL auth-methods to event stream
• (L) Implement ACL binding rule schema and store funcs
• (L) Implement ACL binding rule structs and diff funcs
• (L) implement ACL binding rule RPC endpoints
• (L) implement ACL binding rule API endpoints
• (L) Add ACL binding rules to event stream
• (L) Add ACL binding rule CLI
• (L) Add ACL binding rules evaluation and conversion

Docs and Test

• (M) Add ACL auth method API website documentation
• (M) Add ACL auth method CLI website documentation
• (S) Add login CLI website documentation
• (S) Add login API website documentation
• (S) Add ACL binding rules CLI website documentation
• (S) Add ACL binding rules API website documentation
• (L) Add login E2E tests (if possible)
• (L) New Learn guide
• (S) Modify Nomad security model

UI

• New Route: Redirect (ephemeral; when signing in via CLI)
• New Route: "You may now close this window" (ephemeral; when signing in via CLI)
• UI: SSO: Top nav auth dropdown #15051
• Enhance localStorage-saved tokens with TTL
  • [ui, sso] Handle token TTL ending gracefully #15061
    • Consider a “Your authentication is ending soon. Keep me signed in” toast
  • Handle /v1/oidc/complete-auth requests by storing required auth info
• Rework the ACL page into the Auth page and let it auth against /v1/acl/oidc/auth-url and /v1/acl/oidc/complete-auth
  • Handle “Authentication Failed” cases
    • Differentiate between “There was an issue with config/provider” and “You were able to successfully auth but there is no role for you” etc.
  • Make the Policies component conditional (can’t have both policies and role) (postponed)
• [ui] Expand the Token service to be an Auth service and include storage of supported AuthMethods #15124
• [ui] Modify “not permitted” states around the app to prompt a general login, rather than just asking for token #15556
• Authentication page styles #15269