Add a /user-credentials endpoint to login

RESOLVED FIXED

Status

Taskcluster
Login
RESOLVED FIXED
9 months ago
8 months ago

People

(Reporter: dustin, Assigned: dustin)

This will accept a JWT signed by auth0, and produce corresponding TC credentials.
:kang, can you please review the PR in comment 1 to ensure it's sensible and not missing any verification steps?

If so, we'll want to add management API scopes to PROD clientId 1db5KNoLN5rLZukvLouWwVouPkbztyso and also add a new API to PROD with audience https://login.taskcluster.net, then get the PR deployed.  This will support Eli's work on a demo client and position us to start using the new profiles once they're rolled out.

Thanks!
Flags: needinfo?(gdestuynder)

Comment 3

9 months ago
Commits pushed to master at https://github.com/taskcluster/taskcluster-login

https://github.com/taskcluster/taskcluster-login/commit/82c61353b3539ff2a6c9d183f0b86d81b51309c1
Bug 1385363 - Introduce handlers for OIDC access_tokens

https://github.com/taskcluster/taskcluster-login/commit/8ee22d8951c3c3f830048e7d15f91cc0ed469a18
Bug 1385363 - Support converting an auth0 oidc token to TC creds

Given an access_token with an appropriate audience, generate Taskcluster
credentials for the authorized user.

This is a partial implementation: at present, the profiles available
from the auth0 management API are not updated to the new CIS profile, so
this API cannot determine group membership, and thus issues powerless
credentials.

https://github.com/taskcluster/taskcluster-login/commit/dc11a7830c084f1e64a32300eee5b7376c32f020
Merge pull request #50 from djmitche/bug1385363

Bug 1385363: add /v1/oidc-credentials endpoint
Remaining to do on this:
 * generate credentials based on profile (waiting on profile deployment)
 * generate temporary credentials with the same expiration as the access_token
 * document the process
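
The verification steps an endpoint like this needs before issuing credentials, plus the expiry rule from the to-do list above, as an added example. It is not code from the PR or from taskcluster-login. The issuer value, key pair and function names are assumptions. Only the audience comes from this bug.

```javascript
// Added example (not taskcluster-login code): checks on an RS256 access_token.
const crypto = require('crypto');

const EXPECTED = {
  issuer: 'https://issuer.example/', // placeholder, an assumption
  audience: 'https://login.taskcluster.net', // audience named in the bug
};
// Constructed key pair standing in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (s) => Buffer.from(s).toString('base64url');

// Helper for the sample: sign constructed claims as a compact JWT.
function signJwt(claims, key, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Returns the claims when every check passes, otherwise throws.
function verifyAccessToken(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: the token header must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== EXPECTED.issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(EXPECTED.audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Credentials issued from the token must not outlive it.
function credentialExpiry(claims) {
  return new Date(claims.exp * 1000);
}

// Returns the rejection reason, or null when the token is accepted.
function rejectionReason(token, key, now) {
  try { verifyAccessToken(token, key, now); return null; } catch (e) { return e.message; }
}
```
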
(Assignee)

Updated

9 months ago
Depends on: 1388542
(Assignee)

Updated

9 months ago
Depends on: 1388543, 1388541
(Assignee)

Updated

9 months ago
No longer depends on: 1388541, 1388542, 1388543
>  * generate temporary credentials with the same expiration as the
> access_token
   https://bugzilla.mozilla.org/show_bug.cgi?id=1388548
>  * document the process
   https://github.com/taskcluster/taskcluster-login/pull/51
Flags: needinfo?(gdestuynder)
My test user "djmitche@gmail.com" now has a new-style profile.  Once we get the rest of the production stuff set up (maybe Tuesday when Eli's back), I can experiment with that.
I'll do that in bug 1392307.
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED