OpenID Connect for remote write


Julien Pivotto

Jan 28, 2021, 5:45:30 PM
to prometheus-developers

Dear -developers,

Per the last dev summit, there is a consensus for having OpenID
Connect support for remote_write.

My understanding and experience of the protocol is that we should
actually aim at oauth2 support, and not openid connect.

Implementation wise, it would mean sticking to
https://pkg.go.dev/golang.org/x/oauth2

Who has an actual use case and can confirm this?

Regards,

--
Julien Pivotto
@roidelapluie

Frederic Branczyk

Jan 29, 2021, 5:08:44 AM
to prometheus-developers
OIDC specifies a couple of important things on top of OAuth2. I would welcome it if we implemented it OIDC-compliant (since all OIDC is OAuth2, this shouldn't be a big deal for those that only care about OAuth2).

I don't have time to implement this in the foreseeable future but I'm happy to review designs, I've worked a number of times with OIDC in similar scenarios. Specifically for OIDC for remote-write, we should probably limit ourselves to a few reasonable OIDC-flows that actually make sense for machine-to-machine authn/authz.

The use case I imagine is having short-lived tokens that are refreshed relatively often. A common security practice.


Julien Pivotto

Jan 29, 2021, 5:12:47 AM
to Frederic Branczyk, prometheus-developers
My understanding is that for machine-to-machine, OAuth2 would be
sufficient; you just would not use the autodiscovery of OpenID Connect
(.well-known).

Refreshing tokens etc. is part of OAuth2.

All the rest should work. We do not need the identity part of OpenID
Connect.

--
Julien Pivotto
@roidelapluie
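The machine-to-machine flow Julien describes above (plain OAuth2 client credentials, no OIDC discovery, no identity token) and the short-lived, frequently renewed tokens Frederic asks for, as an added example that is not part of this thread and not Prometheus code. It uses only the Go standard library instead of golang.org/x/oauth2 so it runs offline: the authorization server, the client ID "prometheus", the secret, the 60-second token lifetime and the fake clock are all constructed for the demonstration. The client POSTs `grant_type=client_credentials` with HTTP Basic client authentication, caches the bearer token, and fetches a new one once the cached token is within a leeway window of expiry; a wrong secret produces an error rather than a token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// tokenResponse is the success body of an OAuth 2.0 token endpoint (RFC 6749 section 5.1).
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// clientCredentialsSource obtains bearer tokens with the client_credentials grant and
// requests a fresh one shortly before the current token expires. This grant issues no
// refresh token: the client simply authenticates again with its own credentials.
type clientCredentialsSource struct {
	tokenURL, clientID, clientSecret string
	httpClient                       *http.Client
	now                              func() time.Time // injectable clock (constructed for the example)
	leeway                           time.Duration    // renew this long before expiry

	mu     sync.Mutex
	token  string
	expiry time.Time
}

// Token returns a cached access token while it is still valid for at least leeway,
// otherwise it performs the client_credentials exchange and caches the result.
func (s *clientCredentialsSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token != "" && s.now().Add(s.leeway).Before(s.expiry) {
		return s.token, nil
	}
	req, err := http.NewRequest(http.MethodPost, s.tokenURL, strings.NewReader("grant_type=client_credentials"))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(s.clientID, s.clientSecret) // client authentication, RFC 6749 section 2.3.1
	resp, err := s.httpClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "bearer") || tr.ExpiresIn <= 0 {
		return "", errors.New("token endpoint did not return an expiring bearer token")
	}
	s.token = tr.AccessToken
	s.expiry = s.now().Add(time.Duration(tr.ExpiresIn) * time.Second)
	return s.token, nil
}

// newFakeAuthServer is a constructed stand-in for an authorization server's token endpoint:
// it checks the Basic client credentials and the grant type, then issues sequentially
// numbered tokens that live ttl seconds.
func newFakeAuthServer(clientID, secret string, ttl int) *httptest.Server {
	var issued int
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, pw, ok := r.BasicAuth()
		if !ok || id != clientID || pw != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		issued++
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: fmt.Sprintf("token-%d", issued), TokenType: "Bearer", ExpiresIn: ttl})
	}))
}

// runScenario drives the source with a fake clock against the fake server and returns the
// Authorization header that three remote-write pushes would carry at t=0, t=30s and t=55s.
// With a 60-second token lifetime and 10-second leeway, the third push must use a new token.
func runScenario() ([]string, error) {
	srv := newFakeAuthServer("prometheus", "s3cret", 60)
	defer srv.Close()
	base := time.Unix(1700000000, 0)
	clock := base
	src := &clientCredentialsSource{tokenURL: srv.URL + "/token", clientID: "prometheus", clientSecret: "s3cret",
		httpClient: srv.Client(), now: func() time.Time { return clock }, leeway: 10 * time.Second}
	var headers []string
	for _, offset := range []time.Duration{0, 30 * time.Second, 55 * time.Second} {
		clock = base.Add(offset)
		tok, err := src.Token()
		if err != nil {
			return nil, err
		}
		push, _ := http.NewRequest(http.MethodPost, "https://receiver.example.invalid/api/v1/write", nil)
		push.Header.Set("Authorization", "Bearer "+tok) // what the remote-write request would carry
		headers = append(headers, push.Header.Get("Authorization"))
	}
	return headers, nil
}

// wrongSecretRejected shows the failure path: a bad client secret yields HTTP 401 and no token.
func wrongSecretRejected() bool {
	srv := newFakeAuthServer("prometheus", "s3cret", 60)
	defer srv.Close()
	src := &clientCredentialsSource{tokenURL: srv.URL, clientID: "prometheus", clientSecret: "wrong",
		httpClient: srv.Client(), now: time.Now, leeway: 10 * time.Second}
	_, err := src.Token()
	return err != nil
}

func main() {
	headers, err := runScenario()
	fmt.Println(headers, err, wrongSecretRejected())
}
```

In a real deployment the token URL, client ID and secret would come from the remote_write configuration rather than constants, the HTTP client would pin the authorization server's TLS trust, and the leeway would be tuned to the receiver's clock skew tolerance; the renewal-before-expiry logic is the part that matters for Frederic's short-lived-token use case.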

Bartłomiej Płotka

Jan 29, 2021, 7:13:01 AM
to Frederic Branczyk, prometheus-developers
In all places I worked, we used pure OpenID, so I see this in the same colors as Frederic. OpenID Connect is what would be amazing to have on remote write, as agreed on the dev summit.

Let's focus on that discussion when we have the full design; I would be happy to contribute / review / guide as well.

Kind Regards,
Bartek Płotka (@bwplotka)
