OCI join method - Add proto and client #51444
Conversation
atburke
added
the
no-changelog
| @@ -158,6 +158,32 @@ message TPMEncryptedCredential { | |||
| bytes secret = 2; | |||
| } | |||
|
|
|||
| // RegisterUsingOracleMethod request is the request for registration via the | |||
| // Oracle join method. | |||
| message RegisterUsingOracleMethodRequest { | |||
There was a problem hiding this comment.
What will be the order of flow here? e.g does client send first or the server? which messages?
I think it'd be beneficial for us to ensure that RegisterUsingToken request is sent first if possible - this ensures that the Auth Server knows a bunch of key details if the flow fails part-way through. One of the problems we have with the IAM method at the moment is that we have basically zero details about the failing bot/agent if a failure occurs during the join process because all the details are sent at the end.
There was a problem hiding this comment.
Agree with Noah. This might be completely different from other joining flows, but without the additional context instance join failed audit events are mostly useless.
There was a problem hiding this comment.
👍 RegisterUsingToken is now sent first
| if err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
| challengeResp, err := oracleJoinClient.Recv() |
There was a problem hiding this comment.
challengeResp is a confusing name for this, which is supposed to hold the challenge, and when there's already a parameter named challengeResponse
There was a problem hiding this comment.
I'm not sure what a better name for it would be, but I renamed challengeResponse to hopefully reduce the confusion.
This change adds protos, the client, and a bunch of boilerplate for the oracle join method (RFD).
Part of #41705.