Tag-security: [Proposal] Considering the fitment of oauth2_proxy

Created on 6 Oct 2019  路  10Comments  路  Source: cncf/tag-security

Description: oauth2_proxy is a reverse proxy with ability to authenticate with IdPs

Impact: streamlining user validation for cloud native infrastructure projects, by authentication support to external identity providers

Scope: User authentication. Overall scope definition need to be established upon further read on the project.

Few things to consider:

  • OIDC and other relevant protocol support
  • Other projects in the space.

TO DO

  • [ TBD] SIG Representative
  • [ TBD] Project leader(s)
inactive usecaspersonas

All 10 comments

Alternatives suggested:
https://github.com/buzzfeed/sso

@pragashj what exactly do you mean by "fitment"? Are you asking us to consider whether it should be a CNCF sandbox project (or similar)? Do we have any docs in our repo about us engaging with potential CNCF projects like this one?

I would like us to get clarity on

  • use cases it solves and the relevance of those use cases for cloud native
  • structure of the project (APIs, storage requirements, dependencies)
  • Where does it fit on our landscape and how it fills or augments the ecosystem from the landscape perspective

Allow project to present itself and educate the rest of the team about some of the above questions and anything else project wants to the team to know about.

changed to use-case / presentation for starters... @pragashj want to invite them to present? or also fine if you want to bring up at a meeting to discuss.

Personally, I like the idea of having multiple providers of cloud native authentication systems present. I don't have a good sense of the different projects in the space and would be great to know more. (And probably whatever we can do to map out the space for cloud native community that would likely be helpful!)

Hey, I'm a maintainer of the OAuth2 Proxy! I spoke with @monadic about proposing the project a few weeks back. Pusher adopted the OAuth2 Proxy from Bitly when they archived it about a year ago, always with the intention of attempting to donate it to somewhere that did not have corporate association

Since then we have been trying to improve the project, in particular, around docs and configuration as these were two topics that people were struggling with.

@monadic brought the topic up at a TOC meeting and there was some interest in looking into the project further from what I understand, the next thing I saw was this tweet which got a few responses talking about other projects that could also fit the same space

https://twitter.com/jbeda/status/1180899919130873856

I am happy to answer questions here or jump on one of the community calls (realise there's one on now, oops) to answer any questions about the project, I am keen to find out what we would need to do from a security perspective before we could propose it officially for adoption

Any suggestions on how to move forward appreciated 馃槃

Hey @JoelSpeed I mentioned on the call, and we would like to schedule a presentation at a sig-security meeting.

@justincormack Is there a list anywhere of the things you would like to get out of that presentation? Happy to prepare one if I know roughly what points I need to cover 馃檪

I think it would be helpful to provide at least an outline of some of the key points on our assessment list https://github.com/cncf/sig-security/blob/master/assessments/guide/outline.md as well as an overview of how it relates to other projects in the space (complements/alternatives).

Thanks @justincormack for the info, myself and the other maintainers are planning a meeting in the next couple of weeks so will hopefully prepare a presentation for the new year

CC @syscll @steakunderscore so you're in on this loop

This issue has been automatically marked as inactive because it has not had recent activity.

Was this page helpful?
0 / 5 - 0 ratings