britive integration
Has anyone worked with britive for cloud accounts.
I am hoping to speed up the setup time for developers to authenticate with coder and then allow for workspace to require access to a specific cloud account via britive
13 Replies
<#1219807389872685146>
Category
Other
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
This sounds like a cool project. If they have an API, CLI or optimally a terraform provider we can work on an integration by creating a Coder module
And their CLI does work within a coder environment
It would launch and browser and return a token to use for authorization
The terraform provider is more for creating roles and profiles. And not doing seamless login
https://registry.terraform.io/providers/britive/britive/latest/docs
They do have openid connect support.
https://docs.britive.com/docs/service-identity-federation
But that bring back to the question as to why should have have to login more than once (in an enterprise setting?)
I have to log into coder using MS Entra ID, then log into GitHub / Gitlab to get to my repo (but that login was also via the same iDp). Then I need to log into Nexus/Jfrog, again. And then the cloud via Biritive.
This does not seem right. Ideal experience you log in once and then all other services know who you are and what your permissions are (which is often also centralized).
I guess this is why working on modern cloud is so liberating. You have a single role that lets you navigate many services. Enterprise breaks this model and users have to suffer the complexity.
This is some really great feedback.
One use case I can think of is,
If someone logs into Coder using GitHub they shouldn't be required to login to GitHub again to get access to their repos.
If we can skip this step and the use the token for initial login to authenticate with GitHub within workspaces that would solve this problem.
One of the modules is vault-github and can use the same GitHub token to authenticate with vault.
So a single login with GitHub could land you in Coder with access to your private org repos and additionally the Hashicorp Vault.
And for the external authentication in Coder. They work using OAuth flow. And should only require a one time login and keep the user logged in.
Coder workspaces can then make use of
access_token from these integrations within the workspaces.
Coder ensures that the tokens stay active and refresh them as required.
cc: @Steven for more context.External authentication was the first thing that confused early pilot group.
Especially for azure devops users. We log in was a singular event. So why log in twice or more.
External authentication exists to allow multiple authed services yes.
If you can have a single sign on token that can service multiple services, then by all means just use the 1 token.
Ideal experience you log in once and then all other services know who you are and what your permissions are (which is often also centralized).If a singular token can be used to fetch other tokens, this can all be done via the agent startup script. If this cannot be done, then you have to use multiple external auths. Coder handles refreshing the tokens, so the frequency of authenticating should be very rare.
I will have to try this and see how to allow for the agent to take a SSO token and authenticate with everything else.