Proposal: Allow saving and reusing bearer tokens via the auth command

[LucasRoesler]

Expected Behaviour

I would like to authenticate the CLI using a token and persist this to the configuration

faas-cli login -g http://example.com --token abc123

And then subsequent CLI commands will reuse this token without needing to specify it via a flag, these two commands would be equivalent after authentication

faas-cli deploy -g http://example.com  --token abc123 --name echo --image theaxer/pycho --fprocess="python index.py"
faas-cli deploy -g http://example.com --name echo --image theaxer/pycho --fprocess="python index.py"

Current Behaviour

faas-cli login only supports basic auth

Context

This is useful when using an authentication proxy in the load balancer layer versus enabling auth directly in openfaas. For example, nginx can make a side request to authenticate a request. We often enable this as a centralized auth layer instead of enabling authentication in each application that is deployed.

[alexellis]

@viveksyngh what do you think? Could these tokens be saved in the existing config file design?

[viveksyngh]

To me this looks like, we already have an oauth2 authentication token and we want to just save it.

We can also use faas-cli auth command or add another subcommand. As long as we will send that token as bearer token, we can save that as oauth2 auth type in the config file.

We can directly save this to file or can also do some validation of the token by making a call to info endpoint of the gateway.

[viveksyngh]

If we are doing oauth flow with faas auth command. It saves the bearer token to the config file after successful oauth flow.

[alexellis]

Does that help with what you need @LucasRoesler ?

[LucasRoesler]

I want to have a way to save a token that does not need to be integrated into the openfaas specific auth provider. We disable auth in openfaas and have a proxy with a standardized auth in front of it. I would really hate to see this coupled to something in the gateway. All I really want is the ability for the CLI to reuse a token from the config so that o don't need to pass --token to every command.

I really don't have a strong preference for putting it in login or auth, I figured that because this flow is not specific to oauth, login made the most sense. I would actually like to see it generalized and to allow the person specify the header and an optional prefix, but I figured people wouldnt be interested and I didn't need it for my usecase, so I proposed the smallest change

[alexellis]

Perhaps a config type entry like external might work? https://github.com/openfaas/faas-cli/blob/master/config/config_file.go#L33

@viveksyngh and I were talking about this on a call, and we think it would be good to test the token before saving it, i.e. by hitting /system/info and looking for a 200. I prefer the auth command to save arbitrary tokens.

[LucasRoesler]

A separate type is a good idea, but I would call it token or authorizationToken instead of external. External is so generic that it might become a kitchen sink solution.

[alexellis]

Pinging @viveksyngh
What's the simplest way to make this work? Do we need any code changes in the config or can we use the existing mechanism?

[viveksyngh]

It will be a small change only. We will might have introduce a new auth type and make it implement ClientAuth from proxy. Then make some changes in NewCLIAuth function

faas-cli/commands/general.go

Line 46 in b0a70a3

func NewCLIAuth(token string, gateway string) proxy.ClientAuth {

Also, some changes will be required in login command to validate the token and save it to file with new type.