Extend rhoas login by supporting SSO client id an secret

[apodhrad]

Feature or problem description

Some teams use SSO service accounts which can be authenticated against sso.redhat.com but cannot be used for any "web page" loging and cannot obtain a token (pls correct me if I'm wrong).
Such service accounts are used for logging to OCM as follows

ocm login --client-id "${CLIENT_ID}" --client-secret "${CLIENT_SECRET}"

Could we have something similar for rhoas, please?

[wtrocki]

While request can be done on the RHOAS CLI side. I'm not sure if we will support two types of login:

--token (offline token)
--client-id=... (service accounts)

Moving to client-id is quite simple and natural choice but it it kinda exceeded scope of RHOAS CLI. This is more or less RHOAS SDKs/RHOAS ecosystem question. How we want to login for automation purposes etc.

@akoserwal Do you think we can we use service accounts to obtain AccessToken that will work with all fleet managers we have?

[wtrocki]

FYI @gowriswarupk

[akoserwal]

@apodhrad You can use the sso service account with ocm client for the requests to the control plane api. But it requires some claim configuration for your service account (sso mapper). I can help with getting it configured.

In the near future, rhosak will support the new sso service account api (self service)

[wtrocki]

Worth to mention that current solution is to use offline refresh token (and CLI supports it already by rhoas login --token option`

[apodhrad]

Hi @akoserwal @wtrocki thanks for your quick response.

Today I have found out that rhoas doesn't necessary require any OCM org or OCM user defined in ocm-resources.
But it requires redhat orgs and users defined at access.redhat.com so that rhoas can properly work with objects within an org, e.g. clusters from org A cannot be seen from org B.

Thus, using an sso service account would require an org mapping - is that the mapping you have mentioned?

[apodhrad]

After discussion with @akoserwal we agreed that this request makes sense once we deal with the mas-sso.

I'm ok with that as we can use the token approach.

Please add proper labels according to your workflow.

[wtrocki]

Yes. All you need is https://cloud.redhat.com/openshift/token