
[v8] Allow CF Authentication based on Tokens - user and client tokens #3455


Merged
merged 2 commits into from
Mar 19, 2025

strehle (Member) commented Mar 15, 2025

(cherry picked from commit de83208)
PR from main: #3397

Description of the Change

Enhance the cf auth command with a parameter --assertion. The content of this token should be either a user token in order to perform a jwt-bearer or a client token in order to perform a client_credentials grant with federated trust.

UAA supports JWT bearer since UAA 4.5.0, see https://docs.cloudfoundry.org/api/uaa/version/77.25.0/index.html#jwt-bearer-token-grant
UAA supports the federated client credential flow since 77.25.0

Why Is This PR Valuable?

CF can be integrated into GitHub Action without any extra secret setup in the GitHub repo.
Customers can then decide about using external tokens like the GitHub Action token for user and/or client authentication.

In a PR you retrieve an id_token from the gh action; this can be passed with cf auth --assertion so that you are authenticated in order to do a cf push ...

Applicable Issues

How Urgent Is The Change?

  • It is an enhancement, but it solves security issues, because CF integrations need to omit secrets and/or client certificates, but integration of GitHub Action with CF is only possible if you store a secret in GitHub.

Other Relevant Parties

Only CF landscapes with a configured trust to external OIDC parties

strehle changed the title from "Allow CF Authentication based on Tokens - user and client tokens" to "[v8] Allow CF Authentication based on Tokens - user and client tokens" on Mar 15, 2025
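Added example, not part of the PR or the cf CLI code: the two token requests the description distinguishes, built with the RFC 7523 parameter names, after a local issuer and expiry pre-check on the assertion. The function names, the `cf` client id, the issuer URL, the clock values and the sample token are constructed assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

type claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// sampleToken returns a constructed, unsigned JWT-shaped string for the demo.
func sampleToken(iss string, exp int64) string {
	body, _ := json.Marshal(claims{iss, exp})
	return "e30." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

// tokenRequest pre-checks iss/exp (no signature check) and builds the form body.
func tokenRequest(tok, clientID, wantIss string, asClient bool, now int64) (url.Values, error) {
	var c claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("assertion is not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("assertion payload is not JSON claims")
	}
	if c.Iss != wantIss || now >= c.Exp { // a missing exp decodes as 0 and is rejected
		return nil, fmt.Errorf("rejecting assertion: iss=%q exp=%d", c.Iss, c.Exp)
	}
	form := url.Values{"client_id": {clientID}}
	if asClient { // client token: client_credentials with federated trust
		form.Set("grant_type", "client_credentials")
		form.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
		form.Set("client_assertion", tok)
	} else { // user token: jwt-bearer grant
		form.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
		form.Set("assertion", tok)
	}
	return form, nil
}

func main() { // constructed issuer, expiry (2000) and clock (1000) values
	fmt.Println(tokenRequest(sampleToken("https://issuer.example", 2000), "cf", "https://issuer.example", false, 1000))
}
```

The pre-check only fails early on a wrong or expired token; the token endpoint still has to validate the signature against the configured trust.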
Samze (Contributor) commented Mar 18, 2025

Looks like integration tests are failing due to changes to the auth command, the fix #3458 will need to be ported to this PR branch once it has been merged into main.

strehle (Member, Author) commented Mar 19, 2025

> Looks like integration tests are failing due to changes to the auth command, the fix #3458 will need to be ported to this PR branch once it has been merged into main.

Thank you, I picked it into this PR

strehle (Member, Author) commented Mar 19, 2025

@a-b This PR is the same as #3454, but #3454 was closed after a mistake in rebase.

I still see that not everything is green, but I don't see test failures related to the changes

a-b (Member) commented Mar 19, 2025

We are planning to spend some time next month to improve stability of our tests

a-b (Member) left a comment


LGTM

a-b merged commit 0e8398e into cloudfoundry:v8 on Mar 19, 2025
17 of 19 checks passed