Oh, Auth

Joshua Winters
May 11, 2018 · 4 min read

As most of you know we’ve been working hard on introducing Users into Concourse. Today, I’m excited to share with you some of the changes we’ve made for an upcoming release of Concourse.

In the old world, you used to log in as a team:


Now you log in as a user:


You can do this using external auth providers:


Or logging in as a local Concourse user:


How did we manage to accomplish this magic? With the power of dex!

In this new model:

  • We rely on dex to fetch the user’s identity and group affiliations from the external auth provider.
  • We then take this information and cross reference against all Concourse teams to establish team memberships for the user.
  • Team owners can whitelist external users and groups with the fly set-team command.

What this doesn’t fix:

  • We still don’t have an easy way for people to identify what users/groups are currently whitelisted for a team. This should be something that we can add to the fly teams command in the future (PRs welcome), but in the meantime you can always check the database ;).
  • We also aren’t implementing auditing or RBAC just yet…

…but it’s a good start!

Now, let’s dive into some of the technical changes that might affect your continuous thing doing.

ATC Startup

If you want to use the GitHub provider, you will need to provide:

atc ...
--github-client-id client-123
--github-client-secret 1234567890
--main-team-github-group my-org:my-team

Note that the configuration of the main team is slightly different now too.

Fly Set Team

You used to configure teams with all the provider information:

fly ...
--github-auth-client-id client-123
--github-auth-client-secret 1234567890
--github-auth-user my-github-login
--github-auth-team my-org/my-team ← Note the slash “/”

Now you simply whitelist a bunch of users and groups:

fly ...
--github-user my-github-login
--github-team my-org:my-team ← Note the colon “:”

Yeah, sorry we changed the delimiter from a slash to a colon, but that’s what dex uses, so we went with it.

Bearer Tokens

So the decoded token used to look like this:

{
...
"isAdmin": true,
"teamName": "main"
}

And now it looks like this:

{
...
"sub": "CgcxMDcyMjMzEgZnaXRodWI",
"is_admin": true,
"email": "user@email.com",
"name": "Some User",
"user_id": "1072233",
"user_name": "my-github-login",
"teams": ["main"]
}

No Auth

In the new world, you can’t do this. We don’t allow access without credentials, and teams can no longer be open to the public. You can, however, whitelist all authenticated users in the system using the --allow-all-users flag when setting up your team.
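To make the membership rules concrete (dex identity plus groups, cross-referenced against each team's whitelisted users and groups, with the --allow-all-users flag covering any authenticated user), here is an added example in Go. It is not Concourse's own code; the Identity and TeamAuth shapes are constructed for the example, and the slash-to-colon normalization is an assumed migration aid for whitelists written with the old delimiter.

```go
package main

import "sort"
import "strings"

// Identity is what dex hands back after an external login (shape constructed for this example).
type Identity struct {
	UserName string   // e.g. "my-github-login"
	Groups   []string // GitHub teams as dex emits them: "org:team", colon-delimited
}

// TeamAuth is the whitelist a team owner sets with `fly set-team`.
type TeamAuth struct {
	Name          string
	Users         []string // --github-user
	Groups        []string // --github-team org:team
	AllowAllUsers bool     // --allow-all-users
}

// normalizeGroup rewrites the old "org/team" spelling to dex's "org:team" (assumed migration aid).
func normalizeGroup(g string) string { return strings.Replace(g, "/", ":", 1) }

// teamsFor cross-references the identity against every team and returns the sorted names for
// the token's "teams" claim. No user name means unauthenticated, so no teams at all.
func teamsFor(id Identity, teams []TeamAuth) []string {
	if id.UserName == "" {
		return nil
	}
	groups := map[string]bool{}
	for _, g := range id.Groups {
		groups[normalizeGroup(g)] = true
	}
	var out []string
	for _, t := range teams {
		member := t.AllowAllUsers
		for _, u := range t.Users {
			member = member || u == id.UserName
		}
		for _, g := range t.Groups {
			member = member || groups[normalizeGroup(g)]
		}
		if member {
			out = append(out, t.Name)
		}
	}
	sort.Strings(out)
	return out
}
```

An identity carrying the group "my-org:my-team" lands in every team that whitelists that group (in either spelling) plus every allow-all-users team, while an empty identity gets no teams even from allow-all-users teams.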

Fly Actions

Exposed pipelines

No provider left behind… sort of

For example, Bitbucket Server may be problematic since it still relies on OAuth1. Now that we have more auth options (hey, we have an LDAP connector now), would current Bitbucket users be willing to switch over to something else? Let us know in GH issue #1888.

Feedback

If you have any questions or concerns about the work that’s being done, feel free to drop a comment on those issues, or reach out to us on our usual channels.

Concourse CI

The Continuous Thing Do-er
