From 0cb86503d4724c00bb7b9e3113ae5134f4905d93 Mon Sep 17 00:00:00 2001 From: Haibo Lin Date: Jan 15 2024 01:13:57 +0000 Subject: client: Use NO_OIDC_AUTHZ_CODE to disalbe authz code flow Users can disalbe ODIC authorization code flow if they don't want to use it by setting environment variable NO_OIDC_AUTHZ_CODE, e.g. NO_OIDC_AUTHZ_CODE=1 odcs --redhat create-tag test JIRA: RHELCMP-11335 Signed-off-by: Haibo Lin --- diff --git a/client/odcs/client/cli.py b/client/odcs/client/cli.py index 57fba70..d5840eb 100755 --- a/client/odcs/client/cli.py +++ b/client/odcs/client/cli.py @@ -134,7 +134,8 @@ def main(): Internal ODCS instances support both ODIC and kerberos authentication. If `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` environment variables are set, the client will try to authenticate using OIDC client credential flow otherwise - it will try OIDC authorizaiton code flow and finally it will try kerberos + it will try OIDC authorizaiton code flow (which can be disabled by setting + environment variable NO_OIDC_AUTHZ_CODE=1) and finally it will try kerberos authentication if OIDC authentication doesn't work. If you have problems authenticating with OpenID Connect, try: diff --git a/client/odcs/client/token_manager.py b/client/odcs/client/token_manager.py index ef67ebd..d9f747e 100644 --- a/client/odcs/client/token_manager.py +++ b/client/odcs/client/token_manager.py 
@@ -390,9 +390,19 @@ class TokenManager: # We have client credentials, use them! token = self._client_cred_auth() else: - token = self._authorization_code_flow( - with_browser=os.environ.keys() & {"DISPLAY", "WAYLAND_DISPLAY"} + logger.debug( + "OIDC client credentials flow is disabled as environment variables" + " OIDC_CLIENT_ID and OIDC_CLIENT_SECRET are not set." ) + if "NO_OIDC_AUTHZ_CODE" in os.environ: + logger.debug( + "OIDC authorization code flow is disabled by environment" + " variable NO_OIDC_AUTHZ_CODE." + ) + else: + token = self._authorization_code_flow( + with_browser=os.environ.keys() & {"DISPLAY", "WAYLAND_DISPLAY"} + ) if token: self._write_token_to_cache(token)
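Review bot: In the new branch taken when `NO_OIDC_AUTHZ_CODE` is set, nothing visible assigns `token` before the `if token:` that follows. The method starts outside this hunk, so unless `token` is initialised earlier, that path raises `UnboundLocalError` instead of falling through to kerberos. Adding `token = None` after the debug log in that branch would make the fall-through explicit. Separately, `"NO_OIDC_AUTHZ_CODE" in os.environ` tests presence only, so `NO_OIDC_AUTHZ_CODE=0` or an empty value also disables the flow, while the help text in cli.py documents `=1`. Either the help text should say the variable only needs to be set, or the check should compare the value, for example `os.environ.get("NO_OIDC_AUTHZ_CODE", "") not in ("", "0")`.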