questions on coder module jfrog-oauth

Does anyone have experience using this module when the user's permissions for an Artifactory project are defined by groups? I think my scope is wrong, but I am not sure if JFrog application integration allows group scopes. Basically, I have the integration set up, but it only works if I manually add every individual user to the Artifactory project instead of just using groups.
12 Replies
Codercord (2mo ago)
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Atif (2mo ago)
Hi @Spiked_Grape
Spiked_Grape (OP, 2mo ago)
Hi @Atif
Atif (2mo ago)
I totally forgot to hit enter for the remaining part of the message. What are your current settings? How are you creating the Application? What scope are you setting in Coder external auth? Could you share steps to reproduce this?
Spiked_Grape (OP, 2mo ago)
```yaml
integrations-enabled: false # Default: false
integration-templates: # list of possible integrations to create
  - id: "1" # The id of the integration template, to save a reference back from the integration.
    name: "my integration" # The name of the integration as will appear in the UI when creating a new integration.
    redirect-uri: "https://my-jfrog-integrations.com/callback" # The redirect-uri that will direct users back to the integration client with the authorization code.
    scope: "applied-permissions/user" # Only this scope is currently supported.
    internal: false # Optional. Default false. Indicates whether it's an internal template, meaning will not be returned to UI unless specifically asked to include internal templates.
```
https://jfrog.com/help/r/jfrog-installation-setup-documentation/supported-access-configurations
Spiked_Grape (OP, 2mo ago)
I think it only supports "applied-permissions/user". If the user creates a token under user profile, it gives them the group scopes as well. I am only a project admin on the Artifactory instance and not an instance admin, so I am limited in what I can do. So I don't think I will be allowed to use the other Artifactory Coder module that requires an admin token. I was thinking maybe as part of the module there might be a way to generate a new token using the access token given by the app integration, then add that to the jfrog config in the workspace. I was able to manually add a token generated via the Artifactory UI (under user profile, new identity token) and place it in the password of the jfrog config while leaving the OAuth app accesstoken as access token in the config file in ~/.jfrog/<file name with conf v6 can't remember exact name>. With both of those values in the config file, the jf CLI worked as expected.
Atif (2mo ago)
I am not an Artifactory expert myself. Could you elaborate a bit on why you want to use the group scoped tokens? Also, what is the limitation of using the current user scoped tokens? Have you contacted JFrog support too about the problem? Maybe with the help of the JFrog team we can solve this issue for you.
Spiked_Grape (OP, 2mo ago)
I never got a reply back from JFrog. We are using security groups for RBAC assigned to the roles versus managing individual user permissions; the limitation is not having the group scopes. The access token given by the OAuth integration doesn't account for the role assignment made by the groups. So if the user isn't individually added to the role/permission in the Artifactory project, they don't have permissions within the CLI in the Coder workspace, but they do have the permissions in the Artifactory UI.
Phorcys (4w ago)
hey @Spiked_Grape, any luck?
Spiked_Grape (OP, 3w ago)
@Phorcys still trying to get with JFrog for a support ticket etc. I mean, I guess this can be closed. I was just seeing if anyone else had run into the issue. Was there ever a fix for the ordering of the scripts or modules? I am currently using a custom version of the jfrog module with some wait logic to wait until dotfiles are loaded, but I haven't updated or merged the modules repo into it in a while. Also, I extended it to add the terraform repo setup; maybe I could add that upstream.
Phorcys (3w ago)
we still don't support ordering scripts, sorry :-( feel free to PR by the way.
thanks for the info, sorry that we haven't been able to help.
please let us know if you figure it out!
Codercord (3w ago)
@Phorcys closed the thread.
