If a user does not have OIDC metadata in DB, it means he's not
onboarded via OIDC authn, hence, we should not check the token.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit ensures that when a user's token is invalidated by the OIDC provider, he
cannot access protected resources in Harbor with the user info in his session.
We share the code path with secret verification b/c the refresh token
can be used only once, so it has to be stored in one place.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit tweaks the attribute for auth proxy mode and OIDC auth mode.
To change it from "Skip verify cert" to "verify cert" so they are more
consistent with other modes.
Additionally it removes a workaround in `SearchUser` in auth proxy
authenticator.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Adding the token review endpoint to the configuration page allows users to edit the token review endpoint when logging in through HTTP auth.
Signed-off-by: Yogi_Wang <yawang@vmware.com>
User could copy the CLI secret when logging in through OIDC, and use this CLI secret as the password when using the docker/helm CLI to access Harbor.
Signed-off-by: Yogi_Wang <yawang@vmware.com>
As CLI does not support the OAuth flow, we'll use a secret to help OIDC users
authenticate via CLI.
Add a column to store the secret and token, and add code to support
verifying/refreshing the token associated with the secret, such that when the user is
removed from the OIDC provider the secret will no longer work.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit adjusts the code and fixes some bugs to make the onboard process
work.
Only thing missed is that the UI will need to initiate the redirection,
because the request of onboarding a user was sent via ajax call and didn't
handle the 302.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is to build a registry based on v2.7.1 code and introduces
a fix for issue #2819; this is a P0 bug on v2.7.1 which causes GCS to not
work well on v2.7.1.
For more details, refer to https://github.com/docker/distribution/pull/2821
Signed-off-by: wang yan <wangyan@vmware.com>
1. The first time we log in to the Harbor page from OIDC, we add the URL in the onboard-add-username page.
2. Fix the part of the issue that we cannot redirect to the origin page when we log in.
Signed-off-by: Yogi_Wang <yawang@vmware.com>
Solve the problem that when we log on to the Harbor page, the automation test will click on an incorrect button, which results in the test page being unable to log in.
Signed-off-by: Yogi_Wang <yawang@vmware.com>
When a user logs in to Harbor for the first time through OIDC, the user will enter an onboard page, prompting the user to add the user name of Harbor. After the user name is entered, click save, and the user successfully logs in to Harbor through OIDC.
Signed-off-by: Yogi_Wang <yawang@vmware.com>