Currently in Che there are still a number of requirements in upstream that are not required by the OIDC specification, so that Che still cannot be used with a number of OIDC compliant providers.
For example, in order to have Che working with the [`node-oidc-provider`](https://github.com/panva/node-oidc-provider), the following changes were necessary:
- Remove the requirement to have the email as a claim in the JWT access
token: this is not required the specification and is not supported by a
number of OIDC providers. Normally, the Id token contains such claims.
So now if the email is not in the JWT token the first time the user connects to Che, ten the email is retrieved from the OIDC provider through its `user-profile` endpoint.
- Explicitely specify the the `openid email profile` scope when requesting the access token. Because OIDC providers, when answering to the `userInfo` endpoint, are expected to return claims that corresponds to the scopes of the access token. So if an access token has the `openid` scope only, the `userinfo` might return no claim at all (according to the specification).
Until now it was working since keycloak allows adding claims to the returned tokens anyway.
- Allow supporting fixed redirect Uris: most OIDC providers support having a list of redirect URIs to come back to after the authorization step. But these authorized Uris don't necessarily support wildcards or prefix. Che doesn't support this currently, and these changes introduce 2 fixed callback HTML pages that redirect to the Dashboard / IDE URL of the final page we want to come back to after authentication. This makes Che compatible with more OIDC providers
We introduced a new boolean property to enable / disable fixed redirect URLs:
`che.keycloak.use_fixed_redirect_urls`
whose default value is `false`
- The previous points required some light changes in the Keycloak Javascript adapter file, that we will submit as a PR to the Keycloak project. I, the meantime the `OIDCKeycloak.js` file is still used, but has been updated to be now based on the `keycloak.js` file of the last `4.5.0-final` Keycloak release. This will make this Keycloak PR easier to get accepted.
Please keep in mind that this version upgrade only impacts the alternate OIDC provider case: when using a real Keycloak server, Che *always uses the `keycloak.js` file provided by the Keycloak server*.
Signed-off-by: David Festal <dfestal@redhat.com>
Since new machines may be added from Che Plugins description it is needed
to move provision CHE_MACHINE_NAME environment variable to provisioning phase
instead of creating of environment
- Make Resource memory request configurable for k8s and OpenShift.
- Add alias for backwards compatibility to che.workspace.default_memory_limit_mb.
- set memory request to 512Mb.
- document CHE_WORKSPACE_DEFAULT__MEMORY__REQUEST__MB in che.env.
- Configure helm scripts to allow memory attributes on deployment.
Signed-off-by: Sergey Kuperman <sergey.kuperman@sap.com>
* Move wsnext flow in Kubernetes infra implementation
Now we need to start a broker and pass meta.yaml files to it.
Starting a broker is infra-specific stuff, so it has to be done
on the infra implementation side because we don't have a part
in the infra SPI that would allow us to start a broker.
Passing Meta files using InternalEnvironment object is more
invasive than passing only attributes. So, this commit applies
less invasive scheme.
* CHE-10202,10561: Add fetching of Che editor, plugins meta from the registry
Add fetching of Che editor ID from workspace attributes.
Add fetching of Che plugins IDs from workspace attributes.
Use colon sign for separating editor/plugin ID and version
instead of the slash.
Remove old Workspace.Next model objects.
* CHE-10561: Share WS.NEXT between k8s and OS infras
Use WS.NEXT in both k8s and OS infrastructure implementations.
* CHE-10561: fix fetching meta.yaml files from che-plugin-registry
* CHE-10561: Fix sidecar model serialization
Fixes the fact that some fields in workspace sidecar tooling model
POJOs were incorrectly named or required custom serialization of
fields.
* CHE-10561: Add listening of che-plugin-broker
Add code that allows listening for events from Che plugin broker.
An event might contain workspace tooling config as a result if the broker
finished successfully or error otherwise.
* CHE-10561: Add PluginBrokerManager to control broker lifecycle
Adds PluginBrokerManager that configures/starts/waits Che plugin
broker.
Remove unused code.
Remove notion of Workspace next.
* Align plugin registry property between different components
* Fix extra path in che plugin registry URL
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Removes properties
- che.infra.kubernetes.username : can change, requiring reconfiguration
- che.infra.kubernetes.password : can change, requiring reconfiguration
- che.infra.kubernetes.oauth_token : expires
as they complicate setup and all represent suboptimal running scenarios.
Use che serviceaccount instead.
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Valeriy Svydenko