Forward OAuth tokens to Uyuni server #33
569de2b to a8ba578
ycedres
left a comment
LGTM!
jordimassaguerpla
left a comment
Do I understand correctly that we cannot have oauth in mcp if oauth is not in mlm?
Do I understand correctly that, prior to this PR, we can have oauth in mcp but not in mlm?
If I understand correctly, this is a regression and will "break" what we had until mlm oauth support is released.
If that is the case, could we somehow make it backward compatible and not break/create a regression? Maybe some env variable to control the mlm authentication?
As discussed in the slack, it is a security design decision to only support oauth if oauth is supported in mlm. Thus, forget my previous comments.
| fastmcp_ctx = ctx.fastmcp_context | ||
| auth_header = fastmcp_ctx.request_context.request.headers['authorization'] | ||
| token = None | ||
| if auth_header: |
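Review bot: the `headers['authorization']` lookup on the second visible line indexes the header directly, so on a mapping-style headers object a request that carries no Authorization header raises KeyError before the `if auth_header:` check is reached, and the `token = None` default never applies. Reading it with `headers.get('authorization')` lets the missing-header case fall through to that check, and the scheme prefix should be validated before the value is treated as a token.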
Could we add a config variable that controls if auth is expected for mlm? Could be we have a token for the mcp authorization but mlm does not yet support it.
Extracts the JWT token from the requests, logs into Uyuni server using the token instead of user/pass. The token auth uses the new `/manager/api/oicdLogin` endpoint. The rest of the flow is done using the usual session key from Uyuni.

Notes:
- `oicdLogin` endpoint will be introduced in MLM 5.1.2 (expected early 2026)
- `UYUNI_AUTH_SERVER` is not configured.

Related PR in the Uyuni repo: uyuni-project/uyuni#11084
Fixes https://github.com/SUSE/spacewalk/issues/28483
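
The token extraction this PR describes, as an added example that is not code from the PR or the Uyuni project: it reads the `authorization` header without raising when it is absent and does a shape-only check of the bearer JWT before it would be forwarded. The function names and sample tokens are assumptions constructed for illustration, and the `alg` check is an extra precaution not mentioned in the PR.

```python
import base64
import json
from typing import Mapping, Optional


def _seg(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed samples, not real tokens: header.payload.signature
SAMPLE = ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg({"sub": "demo"}), "c2ln"])
UNSIGNED = ".".join([_seg({"alg": "none"}), _seg({"sub": "demo"}), "c2ln"])


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment into a JSON object, or raise ValueError."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("segment is not base64url-encoded JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def extract_bearer_jwt(headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer JWT to forward, or None when no header was sent.

    Raises ValueError when the header is present but unusable, so the caller
    can reject the request. Shape check only: the signature and claims are
    left for the server that receives the token to verify.
    """
    value = headers.get("authorization")  # assumes lowercase header names
    if not value:
        return None
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise ValueError("expected 'Bearer <token>'")
    segments = parts[1].split(".")
    if len(segments) != 3 or not all(segments):
        raise ValueError("token is not a three-part compact JWT")
    header = decode_segment(segments[0])
    decode_segment(segments[1])
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token")
    return parts[1]
```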