- Admin should be able to configure an OIDC endpoint in Harbor.
- After step 1, in addition to login via DB/LDAP, the user should be able to log in via the OIDC endpoint, based on the code-based OAuth2 flow. After the first successful authentication, the user will be "onboarded" to Harbor, so there is a record in Harbor's DB and the user can be added to a project and assigned a role in the project.
- Client should access Harbor's API via an OIDC token provided by the endpoint, which represents an onboarded user.
- The user in step 2 should be able to use the docker CLI or kubelet to interact with Harbor to push/pull images. However, because the CLI cannot handle the SSO, we may need to allow the user to use some token to authenticate; the detail of the solution is TBD.
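Step 2 is where the security-relevant work sits: the registry only ever sees the ID token that comes back from the code flow, so the checks it performs on that token decide who gets onboarded. The following is an added example (not Harbor's code and not part of goharbor/community#17) of the relying-party side of that step. It assumes an RS256-signing provider whose public key is already known, a single-string `aud` claim, and an in-memory user store; `SignIDToken` only stands in for the provider so the example runs offline. The point it makes beyond the list above: pin the algorithm rather than trusting the token header, check `iss`, `aud`, `exp` and the login session's `nonce` before touching the DB, and key the onboarded record by issuer plus `sub`, never by the mutable email claim.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is the subset of ID token claims checked before a user is onboarded
// (aud is assumed to be a single string; providers may also send an array).
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
	Email string `json:"email"`
}

// LocalUser is the record written to the registry's own DB on first login.
type LocalUser struct{ Issuer, Subject, Email string }

// UserStore keys onboarded users by issuer+subject; email is mutable and is not the key.
type UserStore map[string]LocalUser

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeJSON base64url-decodes one JWT segment into v.
func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignIDToken stands in for the OIDC provider: it mints an RS256 JWT (constructed for the example).
func SignIDToken(key *rsa.PrivateKey, c IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // fixed struct of strings/ints: cannot fail
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// VerifyIDToken is the relying-party side: pinned algorithm, signature, then iss/aud/exp/nonce.
func VerifyIDToken(pub *rsa.PublicKey, token, wantIss, wantAud, wantNonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// The alg is pinned to what the provider is configured with; the token does not get to choose it.
	if err := decodeJSON(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header alg=%q (%v)", hdr.Alg, err)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature")
	}
	var c IDTokenClaims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("token not issued by/for this deployment: iss=%q aud=%q", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp || c.Nonce != wantNonce {
		return nil, errors.New("token expired or nonce does not match the login session")
	}
	return &c, nil
}

// Onboard creates the local record on the first successful login and returns it unchanged afterwards.
func (s UserStore) Onboard(c *IDTokenClaims) (LocalUser, bool) {
	key := c.Iss + "|" + c.Sub
	if u, ok := s[key]; ok {
		return u, false
	}
	u := LocalUser{Issuer: c.Iss, Subject: c.Sub, Email: c.Email}
	s[key] = u
	return u, true
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical provider key, generated for the demo
	now := time.Now()
	tok, _ := SignIDToken(key, IDTokenClaims{Iss: "https://idp.example", Sub: "user-42", Aud: "harbor", Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n-1", Email: "dev@example.com"})
	got, err := VerifyIDToken(&key.PublicKey, tok, "https://idp.example", "harbor", "n-1", now)
	if err != nil {
		panic(err)
	}
	u, created := UserStore{}.Onboard(got)
	fmt.Printf("first login=%v user=%+v\n", created, u)
}
```

The `nonce` passed to `VerifyIDToken` is the value the registry generated when it redirected the browser to the provider and stored in the login session; comparing it here is what ties the returned token to that specific login attempt. In a real deployment the public key comes from the provider's JWKS endpoint and the store is Harbor's DB; both are swapped out here so the example runs with no network.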
There is a WIP proposal: goharbor/community#17; we'll work together to refine it, or create a new one if needed.
Some issues will be closed after this work is done:
#1893 #4616 #5358