Feat: implement OIDC flow#1007
Conversation
|
@bupd Please have look at the idea. We may also required changes on harbore-core using existing oidc flow still required still needed few changes like polling state to get the id_token and other details. It's not completed yet but wanted you to have a look and design level decisions. PS: ignore lint for now :) |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1007 +/- ##
==========================================
- Coverage 10.99% 10.35% -0.64%
==========================================
Files 173 322 +149
Lines 8671 16440 +7769
==========================================
+ Hits 953 1702 +749
- Misses 7612 14529 +6917
- Partials 106 209 +103 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Suggestion:
Please let me know if you have more suggestion. |
|
@NishchayRajput Had a brief look through this. It looks really really cool! Lastly, which party is validating the trust relationship to the oidc source. Just to confirm: this is governed through OIDC providers that are configured in harbor itself and we just make use of the trusted identity provider from Harbor itself. |
Hey, Thanks @qcserestipy for review. |
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
d532c48 to
a469bf0
Compare
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
Signed-off-by: Nishchay Rajput <nishchayr@iitbhilai.ac.in>
…harbor-cli into feat/implement-oidc-flow
Untitled.design.1.mp4Added Refresh Token support. |
There was a problem hiding this comment.
Pull request overview
This PR introduces work-in-progress OIDC login support to harbor-cli, enabling a browser-based authentication flow via Harbor Core, persisting OIDC credentials locally, and using bearer-token auth for subsequent API requests.
Changes:
- Added OIDC login helpers (initiate login, poll for completion, refresh tokens) and corresponding unit tests.
- Extended credential/config model to store OIDC auth metadata (auth-type, id/refresh tokens, expiry) and added token refresh + retry-on-401 support in the Harbor API client.
- Updated
harbor logincommand/docs to add--oidcand tests for the new flag/flow.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/utils/oidc.go | Implements OIDC login initiation, polling, refresh, and URL construction helpers. |
| pkg/utils/oidc_test.go | Adds unit tests covering OIDC login, polling, and refresh behaviors. |
| pkg/utils/config.go | Extends stored credentials for OIDC fields and adds helpers to store/decrypt/update OIDC tokens. |
| pkg/utils/config_test.go | Adds tests for OIDC credential storage + token update/decryption. |
| pkg/utils/client.go | Adds OIDC bearer auth client path, token refresh logic, and retry transport for 401 responses. |
| pkg/utils/client_oidc_internal_test.go | Adds internal tests for JWT expiry parsing and retry transport behavior. |
| cmd/harbor/root/login.go | Adds --oidc flag and RunOIDCLogin flow. |
| cmd/harbor/root/login_test.go | Adds tests for OIDC flag mutual exclusivity and successful OIDC login. |
| doc/man-docs/man1/harbor-login.1 | Documents the new --oidc flag in man pages. |
| doc/cli-docs/harbor-login.md | Documents the new --oidc flag in CLI docs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| func joinServerPath(serverAddress, path string) (string, error) { | ||
| u, err := url.Parse(serverAddress) | ||
| if err != nil { | ||
| return "", fmt.Errorf("failed to parse server URL: %w", err) | ||
| } | ||
| u.Path = path | ||
| u.RawQuery = "" | ||
| u.Fragment = "" | ||
| return u.String(), nil | ||
| } |
| q.Set("mode", "cli") | ||
| u.RawQuery = q.Encode() | ||
|
|
||
| resp, err := http.Get(u.String()) //nolint:gosec // endpoint is user-provided Harbor server URL for login. |
| } | ||
|
|
||
| func pollOIDCTokenOnce(endpoint string) (*OIDCPollResponse, bool, error) { | ||
| resp, err := http.Get(endpoint) //nolint:gosec // endpoint is the Harbor server URL validated by PollForOIDCToken. |
| } | ||
| req.Header.Set("Content-Type", "application/json") | ||
|
|
||
| resp, err := http.DefaultClient.Do(req) |
| return nil, fmt.Errorf("failed to parse OIDC token endpoint: %w", err) | ||
| } | ||
| q := u.Query() | ||
| q.Set("poll_token", pollToken) |
| log.Fatalf("failed to write updated config file: %v", err) | ||
| } | ||
|
|
||
| CurrentHarborConfig = &c |
| return buildClientWithAuth(credential.ServerAddress, tokenManager, &oidcRetryTransport{ | ||
| base: harbor.InsecureTransport, | ||
| tokenManager: tokenManager, | ||
| }) |
| base = harbor.InsecureTransport | ||
| } |
|
|
||
| harborData, err := utils.GetCurrentHarborData() | ||
| if err != nil { | ||
| return fmt.Errorf("failed to get current harbor data: %s", err) |
| deadline := time.Now().Add(timeout) | ||
| ticker := time.NewTicker(3 * time.Second) | ||
| defer ticker.Stop() |

Description
This pull request adds work-in-progress OIDC login support for
harbor-clitogether with the Harbor Core changes needed to support that flow.Current implementation allows
harbor-clito start an OIDC login through Harbor Core, return a browser login URL, poll Harbor Core for completion using OIDCstate, store the returned credential locally, and use bearer authentication for later API requests.This change is needed because Harbor currently supports browser-based OIDC login, but
harbor-clidoes not yet have a native OIDC login flow. The current implementation is still being actively worked on and is not final yet.Type of Change
Please select the relevant type.
Changes
harbor login <server> --oidcGET /c/oidc/login?mode=cliGET /c/oidc/cli-token?state=...auth-typeid-tokenrefresh-tokenexpires-atstate-based polling contractFlow Diagram
Video
Screencast.from.21-06-26.04.07.57.PM.IST.webm
In case of token expiry cli gives output as