Skip to content

Add option in OAuthCred to load authUrlV2. #3777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 31, 2025
Merged

Add option in OAuthCred to load authUrlV2. #3777

merged 1 commit into from
Mar 31, 2025

Conversation

TingluoHuang
Copy link
Member

@TingluoHuang TingluoHuang commented Mar 31, 2025
edited
Loading

Here is the normally flow we auth with service today:

  • Load .credentials file to create a VssCredential object
  • Use the created VssCredential to ConnectAsync for different server, ex: RunnerServer, BrokerServer, RunServer, ActionsRunServer, etc.

The service will send down a newer version of the .credentials config that looks like the following:

{
  "scheme": "OAuth",
  "data": {
    "clientId": "GUID",
    "authorizationUrl": "https://tokenghub.actions.githubusercontent.com/_apis/oauth2/token/GUID",
    "authorizationUrlV2": "https://runner-auth.actions.githubusercontent.com/",
    "requireFipsCryptography": "True"
  }
}

I am changing the runner.listener to realize there might be 2 types of VssCredential, one created with authorizationUrl, another created with authorizationUrlV2.

Different VssCredential will be used for ConnectAsync for different server.

  • RunnerServer: authorizationUrl
  • ActionsRUnServer: authorizationUrl
  • BorkerServer: authorizationUrlV2
  • RunServer: authorizationUrlV2

This PR is not making real change of using authorizationUrlV2, since we pass allowAuthUrlV2: false in all the places we create VssCredential via VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2);

https://github.com/github/actions-runner-admin/issues/1656

@TingluoHuang TingluoHuang requested a review from a team as a code owner March 31, 2025 18:45
Base automatically changed from users/tihuang/hostcontext to main March 31, 2025 19:26
@TingluoHuang TingluoHuang force-pushed the users/tihuang/loadcred branch 2 times, most recently from e74b6fa to 4af9b2c Compare March 31, 2025 20:04
TingluoHuang
TingluoHuang commented Mar 31, 2025
View reviewed changes
src/Runner.Listener/Configuration/CredentialManager.cs
{
credData = migratedCred;

// Re-write .credentials with Token URL
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the code left when we finish SPS->Token migration.
We still want to keep .credentials and .credentials_migrated for a while in this case.

TingluoHuang
TingluoHuang commented Mar 31, 2025
View reviewed changes
src/Runner.Listener/Configuration/CredentialManager.cs
@@ -51,21 +51,16 @@ public VssCredentials LoadCredentials()

CredentialData credData = store.GetCredentials();
var migratedCred = store.GetMigratedCredentials();
if (migratedCred != null)
if (migratedCred != null &&
migratedCred.Scheme == Constants.Configuration.OAuth)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hosted runner will have different auth schema.

TingluoHuang
TingluoHuang commented Mar 31, 2025
View reviewed changes
src/Runner.Listener/RunnerConfigUpdater.cs
@@ -197,6 +197,16 @@ private async Task UpdateRunnerCredentialsAsync(string serviceType, string confi
await ReportTelemetryAsync($"Credential clientId in refreshed config '{refreshedClientId ?? "Empty"}' does not match the current credential clientId '{clientId}'.");
return;
}

// make sure the credential authorizationUrl in the refreshed config match the current credential authorizationUrl for OAuth auth scheme
var authorizationUrl = _credData.Data.GetValueOrDefault("authorizationUrl", null);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will make sure the .credentials_migrated is identical with .credentials for us to safely fallback.

@TingluoHuang TingluoHuang force-pushed the users/tihuang/loadcred branch from 4af9b2c to 231f9e1 Compare March 31, 2025 20:32
@TingluoHuang TingluoHuang merged commit d470139 into main Mar 31, 2025
9 checks passed
@TingluoHuang TingluoHuang deleted the users/tihuang/loadcred branch March 31, 2025 21:05
marko-k0 pushed a commit to dfinity/runner that referenced this pull request May 13, 2025
@TingluoHuang @marko-k0
Add option in OAuthCred to load authUrlV2. (actions#3777)
3a9dc19
@github-actions github-actions bot mentioned this pull request May 14, 2025
Merged
sirredbeard pushed a commit to sirredbeard/runner that referenced this pull request Jun 11, 2025
@TingluoHuang @sirredbeard
Add option in OAuthCred to load authUrlV2. (actions#3777)
b4fba18
sirredbeard pushed a commit to sirredbeard/runner that referenced this pull request Jun 11, 2025
@TingluoHuang @sirredbeard
Add option in OAuthCred to load authUrlV2. (actions#3777)
4950df7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericsciple ericsciple ericsciple approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TingluoHuang @ericsciple