This will accept a JWT signed by auth0, and produce corresponding TC credentials.
:kang, can you please review the PR in comment 1 to ensure it's sensible and not missing any verification steps? If so, we'll want to add management API scopes to PROD clientId 1db5KNoLN5rLZukvLouWwVouPkbztyso and also add a new API to PROD with audience https://login.taskcluster.net, then get the PR deployed. This will support Eli's work on a demo client and position us to start using the new profiles once they're rolled out. Thanks!
Commits pushed to master at https://github.com/taskcluster/taskcluster-login

https://github.com/taskcluster/taskcluster-login/commit/82c61353b3539ff2a6c9d183f0b86d81b51309c1
Bug 1385363 - Introduce handlers for OIDC access_tokens

https://github.com/taskcluster/taskcluster-login/commit/8ee22d8951c3c3f830048e7d15f91cc0ed469a18
Bug 1385363 - Support converting an auth0 oidc token to TC creds

Given an access_token with an appropriate audience, generate Taskcluster credentials for the authorized user. This is a partial implementation: at present, the profiles available from the auth0 management API are not updated to the new CIS profile, so this API cannot determine group membership, and thus issues powerless credentials.

https://github.com/taskcluster/taskcluster-login/commit/dc11a7830c084f1e64a32300eee5b7376c32f020
Merge pull request #50 from djmitche/bug1385363

Bug 1385363: add /v1/oidc-credentials endpoint
Remaining to do on this:
* generate credentials based on profile (waiting on profile deployment)
* generate temporary credentials with the same expiration as the access_token
* document the process
> * generate temporary credentials with the same expiration as the
> access_token

https://bugzilla.mozilla.org/show_bug.cgi?id=1388548

> * document the process

https://github.com/taskcluster/taskcluster-login/pull/51
My test user "firstname.lastname@example.org" now has a new-style profile. Once we get the rest of the production stuff set up (maybe Tuesday when Eli's back), I can experiment with that.
I'll do that in bug 1392307.
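The verification steps this bug asks a reviewer to confirm (pinned algorithm, signature, issuer, audience, expiry), followed by credentials that expire with the access_token and carry no scopes, as an added example that is not code from taskcluster-login or its PR. The function names, the issuer URL, the key pair and the sample claims are assumptions constructed here; only the audience value comes from the bug.

```javascript
const crypto = require('crypto');

// Audience is the one named in the bug; the issuer is a constructed placeholder.
const OPTS = { issuer: 'https://issuer.example/', audience: 'https://login.taskcluster.net' };
const b64url = (s) => Buffer.from(s).toString('base64url');
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Hypothetical verifier: returns the claims, or throws on the first failed check.
function verifyAccessToken(token, publicKey, { issuer, audience }, now = Date.now() / 1000) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  // Pin the algorithm; a token must not choose how it is verified ("none", HS256).
  if (decode(h).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = decode(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  // aud may be a string or an array; ours must be among the values.
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub');
  return claims;
}

// Credentials expire with the access_token; no scopes until group membership is available.
function credentialsFor(claims) {
  return { subject: claims.sub, expires: new Date(claims.exp * 1000), scopes: [] };
}

// Constructed key pair and token builder, standing in for the identity provider.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function makeToken(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const NOW = 1500000000; // fixed clock so the sample is deterministic
const SAMPLE = { iss: OPTS.issuer, aud: OPTS.audience, sub: 'constructed|user', exp: NOW + 3600 };
const creds = credentialsFor(verifyAccessToken(makeToken(SAMPLE), publicKey, OPTS, NOW));
console.log(creds.subject, creds.expires.toISOString(), creds.scopes);
```

In a deployment the public key would come from the issuer's published signing keys rather than a locally generated pair.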
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED