Making Netflix’s Dispatch work with Open ID Connect
Netflix’s Dispatch looks like a neat tool to manage incidents. It glues together a ton of things that one probably uses during availability incidents, like video calls, Google Docs, Slack, PagerDuty… all of which are relevant to my interests. I’m not a huge fan of pulling other people’s processes into my own org, but Dispatch looked like it might be customizable enough to build something else off of, and I want a little more structure around incidents. Seems promising!
Just one thing: before I dive into using this tool, it’s definitely not going to work for my needs if I can’t tie it in with an authentication provider. The documentation hints at supporting Open ID Connect (OIDC)/Proof Key for Code Exchange (PKCE), but… how? And with my Open ID Connect provider? I’ve never OIDC’ed before, what config values does Dispatch actually need? What do they look like? Why is the app ignoring the OIDC codepath for this even though I (thought I) set the right environment variables? Is what I’m trying to do impossible?
Well, It wasn’t impossible. It did, however, feel like pushing a boat up a mountain. I definitely lost at least an hour (it was more than an hour) because I put a trailing slash on a URL. This resulted in a CORS error, which was a very exciting, new, and fun way to pull my hair out. Thankfully my hair has regrown since.
Right, the first step is getting an OIDC connector set up.
You’ll want to set up a new OIDC connector. Perhaps you use an enterprisey authentication provider like OneLogin - which separates out connectors from the apps that use connectors. Go set up a connector, or ask the person who can set up connectors and apps in your enterprisey authentication provider to do that. You’ll need your base URL for your Dispatch setup to set up a connector. These values should do:
Then, create a new “app” using that connector. On the SSO page, set:
|Login URI||None (PKCE)|
And then copy your Client ID, and the URL for the OIDC “Well Known Configuration”, which you’ll need later.
Now for the code bits. We’re going to make a “custom” authentication provider and patch in an option for decoding JWTs. I say “custom” because it’s a pretty small change to the provided PKCE authentication provider.
Go clone the Dispatch repository for these next steps.
Making Your Custom Authentication Provider
I absolutely missed that big ol’ warning in the Dispatch documentation that
VUE_APP settings are used
during the build of the UI/frontend, so I kept trying to set these parameters as part of the backend’s
environment. Don’t be like me! Instead, put these values in
VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_SLUG="" VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_CLIENT_ID=(the client id from earlier, without these parenthesis) VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL=https://your-cool-org.onelogin.com/oidc/2
You’ll notice that
VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_SLUG is empty - this allows the use of a custom authentication
provider. Speaking of a custom authentication provider, you can drop
src/dispatch/static/dispatch/src/auth/. It’s just about the same as the
pkceAuthProvider.js with some more values added to
the request that makes it to the backend, I think. You should diff the two though, since I am a stranger on the internet who is
giving you authentication code.
One Weird JWT Decode Trick
You may also need to incorporate changes that are in my branch of Dispatch. I made a PR to
get those into the main project; we’ll see where it goes. I added a
log.debug() on the JWT decode as well, so if you run into JWT issues you can bump the log level
and get some valuable information.
Docker Docker Docker
Once you’ve gotten the bits in place, build the container. Put it somewhere it can be used, etc.
App Runtime Config
Since our “custom auth provider” is still OIDC/PKCE, we can use the existing backend variables.
Set these parameters in the app config.
DISPATCH_PKCE_DONT_VERIFY_AT_HASH is from the patch I mentioned in the other section.
DISPATCH_AUTHENTICATION_PROVIDER_SLUG: dispatch-auth-provider-pkce DISPATCH_AUTHENTICATION_PROVIDER_PKCE_JWKS: https://myorg.onelogin.com/oidc/2/certs DISPATCH_JWT_AUDIENCE: (the client id from earlier, without these parenthesis. But you don't have to specify this, and you may not need to.) DISPATCH_PKCE_DONT_VERIFY_AT_HASH: "true"
Start your app. Go to the main page. You should be logged in! Wow!
Funny enough, I set this up as a way to get more familiar with some kubernetes infrastructure that I’ve been playing with. Mission accomplished: debugging an application in a brand new environment is definitely one way to learn the joys of debugging. But honestly, I would not have figured any of this out without this issue and this PR.
2020-10-11 20:30 +0000