我已经在 concourse ci 中建立了一个新团队,并且可以作为 Bitbucket 用户登录。
fly set-team -n main \
--basic-auth-username myuser \
--basic-auth-password xxxx \
--generic-oauth-display-name bitbucket \
--generic-oauth-client-id xxxx \
--generic-oauth-client-secret xxxx \
--generic-oauth-auth-url https://bitbucket.org/site/oauth2/authorize \
--generic-oauth-token-url https://bitbucket.org/site/oauth2/access_token
设置成功的关键是,bitbucket 中 OAuth 消费者的回调 url 只需要是 concourse ci 网站(回调 url 中没有 /auth/oauth/callback
)现在我发现了一个问题。任何用户(甚至是 bitbucket 云中新注册的免费用户)都可以登录我的 concourse ci 服务器。
经过一番研究,我得到了这个
Generic oAuth
The --generic-oauth-* flags configure a generic oAuth provider which performs no additional verification about the individual user signing in by default. It should only be used with internal auth systems in this way. If it were used to configure Google or Twitter oAuth, for example, it would permit just about every person on the internet to create pipelines. It'd be mighty generous. If you need verification, make sure you are using the --generic-oauth-scope flag.
那么有什么方法可以阻止未经授权的bitbucket云用户登录,这应该仅限于我的组织吗?与 github 的选项相同
--github-auth-organization=ORG
我尝试添加 --generic-oauth-scope concourse.main
但是总是报错:failed to verify token
我也看了OAuth on Bitbucket Cloud - Scopes并尝试使用大多数范围,例如--generic-oauth-scope account
仍然得到同样的错误。我应该在范围内放什么?
最佳答案
对于 Concourse CI >= v.3.7 和 <= v.4.0,您可以使用专用的 Bitbucket Cloud 身份验证提供程序。我写了一个 blog post关于这一点,但要点是使用
fly -t ci set-team -n dev --bitbucket-cloud-auth-client-id=xxx --bitbucket-cloud-auth-client-secret=xxx --bitbucket-cloud-auth-repository=myorg/myrepo`
遗憾的是,Concourse 4.0 的新用户模型 no longer supports比特桶云。
There is no longer support for BitBucket auth. Sorry - Dex doesn't support it. :( However we do support generic LDAP, oAuth, and OIDC connectors, which you may be able to use instead.
关于oauth-2.0 - 如何将 Bitbucket 云与 Concourse CI 集成?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45605786/