How to get a Concourse auth token when I log in to Concourse on a Linux server without a browser


#1

concourse version: 3.12.0*

  1. I can get the basic auth token normally on Windows with the given URL when I log in to Concourse with the following command:

fly -t test login -c http://concourse_server

The command will give me a URL to get the Concourse basic token.
The question is:
when I run the command on a Linux server machine, I don't know how to get the Concourse basic token from the given URL.

So can anyone give me some resolutions?


Automate concourse oauth login
#2

I am also getting this error with Concourse/Fly v4.2.2. When I log in with both local and GitHub OAuth enabled, I am presented with two problems.

$ fly -t poc login --concourse-url=https://192.168.1.10 --insecure --username=user01 --password="mypassword"
logging in to team 'main'

error: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"access_denied","error_description":"Invalid username or password"}

However, when I drop the --password option, I am then presented with this:

$ fly --target=poc login --concourse-url=https://192.168.1.10 --team-name=main --username=user01 --insecure
logging in to team 'main'

navigate to the following URL in your browser:

  https://192.168.1.10/sky/login?redirect_uri=http://127.0.0.1:52996/auth/callback

or enter token manually:

I copy and paste this URL into my browser, and I'm in. However, as the subject says, I'll be doing this via some Ansible or shell script automation on a headless server.

How can I login using the given information and OAuth in order to perform these steps? Or am I just going to have to knuckle up and create a local admin/main user that would then set pipelines for people according to their teams?


#3

I just tried logging in with my local user, but I don’t see any of the teams, and I cannot set any pipelines. I get error: forbidden. So, there’s gotta be some way to login without having to access the browser for headless server setups.


#4

You can add the same local user to all the teams (via the command-line options of concourse web). This will allow you to use the same local user with fly. Or for segregation I think you can also set a different local user per team (I didn’t try this).


#5

I'm using the Concourse-CI setup that is provided in the Concourse-CI Docker GitHub repo currently. The only thing I did was to add extra lines at startup for binding to an internal GitHub Enterprise URL.

version: '3'

services:
  concourse-db:
    image: docker.company.net/postgres:11
    environment:
      - "POSTGRES_DB=concourse"
      - "POSTGRES_PASSWORD=concourse_pass"
      - "POSTGRES_USER=concourse_user"
      - "PGDATA=/database"
  concourse-web:
    image: docker.company.net/concourse/concourse:4.2.2
    command: web
    links:
      - "concourse-db"
    depends_on:
      - "concourse-db"
    ports: ["8080:8080"]
    volumes:
      - "./keys/web:/concourse-keys"
    environment:
      - "CONCOURSE_POSTGRES_HOST=concourse-db"
      - "CONCOURSE_POSTGRES_USER=concourse_user"
      - "CONCOURSE_POSTGRES_PASSWORD=concourse_pass"
      - "CONCOURSE_POSTGRES_DATABASE=concourse"
      - "CONCOURSE_EXTERNAL_URL=http://localhost:8080"
      - "CONCOURSE_ADD_LOCAL_USER=test:$$2a$$10$$0W9/ilCpYXY/yCPpaOD.6eCrGda/fnH3D4lhsw1Mze0WTID5BuiTW"
      - "CONCOURSE_MAIN_TEAM_LOCAL_UESR=test"
      - "CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS=false"
      - "CONCOURSE_GITHUB_CLIENT_ID=alongstringgoeshere"
      - "CONCOURSE_GITHUB_CLIENT_SECRET=longstringgoeshere"
      - "CONCOURSE_GITHUB_HOST=github.company.com"
      - "CONCOURSE_MAIN_TEAM_GITHUB_USER=user01,user02"
      - "CONCOURSE_MAIN_TEAM_GITHUB_ORG=concourse-ci"
      - "CONCOURSE_MAIN_TEAM_GITHUB_TEAM=concourse-ci:admin-main"
  concourse-worker:
    image: docker.company.net/concourse/concourse:4.2.2
    command: worker
    privileged: true
    links:
      - "concourse-web"
    depends_on:
      - "concourse-web"
    volumes:
      - "./keys/worker:/concourse-keys"
    environment:
      - "CONCOURSE_TSA_HOST=concourse-web:2222"
      - "CONCOURSE_GARDEN_NETWORK"

When I didn’t have the GITHUB environment variables, I was able to login as test, and get it working. However, now with that docker-compose file above, test user can login, but gets the error: forbidden message, and I have to do the browser login with fly.

Maybe I’m misunderstanding you @marco-m. What do you mean by add the local user to all the teams?


#6

Think I have an idea. I set up the GitHub secret and client ID, then only have local main users. Then I can use the local main users to set up teams individually with GitHub organizations and such.

I’m going to give that a whirl now.


#7

I took out the CONCOURSE_MAIN_TEAM_GITHUB_* stuff and now concourse-web is telling me that there is no auth set.

version: '3'

services:
  concourse-db:
    image: docker.company.net/postgres:11
    environment:
      - "POSTGRES_DB=concourse"
      - "POSTGRES_PASSWORD=concourse_pass"
      - "POSTGRES_USER=concourse_user"
      - "PGDATA=/database"
  concourse-web:
    image: docker.company.net/concourse/concourse:4.2.2
    command: web
    links:
      - "concourse-db"
    depends_on:
      - "concourse-db"
    ports: ["8080:8080"]
    volumes:
      - "./keys/web:/concourse-keys"
    environment:
      - "CONCOURSE_POSTGRES_HOST=concourse-db"
      - "CONCOURSE_POSTGRES_USER=concourse_user"
      - "CONCOURSE_POSTGRES_PASSWORD=concourse_pass"
      - "CONCOURSE_POSTGRES_DATABASE=concourse"
      - "CONCOURSE_EXTERNAL_URL=http://localhost:8080"
      - "CONCOURSE_ADD_LOCAL_USER=test:$$2a$$10$$0W9/ilCpYXY/yCPpaOD.6eCrGda/fnH3D4lhsw1Mze0WTID5BuiTW"
      - "CONCOURSE_MAIN_TEAM_LOCAL_UESR=test"
      - "CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS=false"
      - "CONCOURSE_GITHUB_CLIENT_ID=alongstringgoeshere"
      - "CONCOURSE_GITHUB_CLIENT_SECRET=longstringgoeshere"
      - "CONCOURSE_GITHUB_HOST=github.company.com"
  concourse-worker:
    image: docker.company.net/concourse/concourse:4.2.2
    command: worker
    privileged: true
    links:
      - "concourse-web"
    depends_on:
      - "concourse-web"
    volumes:
      - "./keys/worker:/concourse-keys"
    environment:
      - "CONCOURSE_TSA_HOST=concourse-web:2222"
      - "CONCOURSE_GARDEN_NETWORK"

However, I don't understand why it's saying that now.

—EDIT—

After flipping the CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS to true instead of false, I was able to get Concourse-CI Web to start up using Local Auth with the GitHub Secret and Client ID.


#8

You probably don’t want that! I believe that allows ANYONE with a github account to access your server as the main team!

Also you have a typo in “USER”:

CONCOURSE_MAIN_TEAM_LOCAL_UESR


#9

That’s probably my issue then. Thank you for catching that. Sometimes my eyes don’t see those spelling mistakes and my text editor doesn’t catch that.

–EDIT–

I was able to start up the service now, but it still seems that my GitHub OAuth user was still able to access the main team, and create pipelines.

fly \
  --target=poc \
  set-team \
  -n ets_team_forge \
  --github-org="concourse-ci" \
  --github-team="concourse-ci:team-forge"

That's how I set up the second team. The new Docker Compose file looks like this:

version: '3'

services:
  concourse-db:
    image: docker.company.net/postgres:11
    environment:
      - "POSTGRES_DB=concourse"
      - "POSTGRES_PASSWORD=concourse_pass"
      - "POSTGRES_USER=concourse_user"
      - "PGDATA=/database"
  concourse-web:
    image: docker.company.net/concourse/concourse:4.2.2
    command: web
    links:
      - "concourse-db"
    depends_on:
      - "concourse-db"
    ports: ["8080:8080"]
    volumes:
      - "./keys/web:/concourse-keys"
    environment:
      - "CONCOURSE_POSTGRES_HOST=concourse-db"
      - "CONCOURSE_POSTGRES_USER=concourse_user"
      - "CONCOURSE_POSTGRES_PASSWORD=concourse_pass"
      - "CONCOURSE_POSTGRES_DATABASE=concourse"
      - "CONCOURSE_EXTERNAL_URL=https://10.144.1.95"
      - "CONCOURSE_ADD_LOCAL_USER=test:$$2a$$10$$0W9/ilCpYXY/yCPpaOD.6eCrGda/fnH3D4lhsw1Mze0WTID5BuiTW"
      - "CONCOURSE_MAIN_TEAM_LOCAL_USER=test"
      - "CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS=false"
      - "CONCOURSE_GITHUB_CLIENT_ID=c92af8746a8825da3434"
      - "CONCOURSE_GITHUB_CLIENT_SECRET=bce2444a3ba663edcd8763b84053f82f92469fe0"
      - "CONCOURSE_GITHUB_HOST=github.company.com"
  concourse-worker:
    image: docker.company.net/concourse/concourse:4.2.2
    command: worker
    privileged: true
    links:
      - "concourse-web"
    depends_on:
      - "concourse-web"
    volumes:
      - "./keys/worker:/concourse-keys"
    environment:
      - "CONCOURSE_TSA_HOST=concourse-web:2222"
      - "CONCOURSE_GARDEN_NETWORK"

—EDIT—

It seems I had to be patient and actually log out. After I logged out on the web page and in the CLI, and then logged back in on the web UI, my GitHub users could not see the main team pipelines.

Even if my user from GitHub attempts to login to the main team, it will default to the first team they have access to. So, that solves this problem.


#10

So, while all this was figured out, the original issue, that the GitHub OAuth login REQUIRES a web browser to actually log the user in via fly, does still prevent the automated side of this whole bit.

For the time being, I can use my local admin account I setup and execute commands from there on the main web box to setup pipelines in an automated fashion.


#11

Is there a REST API I could potentially hit to get the bearer token from Concourse-CI and use something to authenticate without having to use a web browser in a headless situation?

Is there a way to set an environment variable that a headless host could use to open w3m as a web browser for automated tasks administrating the Concourse-CI setup?

Looking at this Dependency of Fly

It has the ability to open a specific program, or it defaults to xdg-open, which, if you're on a headless server, you probably are not running Xorg or X11.

There are two lines in the fly login source file that mention open.Start()

I wonder if this could be modified to use open.StartWith() and have a variable that says CONCOURSE_FLY_BROWSER=xdg-open, but then override with something like w3m or lynx so it could potentially use the CLI browsers?
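The question in #11 (a REST endpoint to get the bearer token without a browser) and the advice in #4 and #9 (give one local automation user access to each team with set-team) can be put together in one headless script. The following is an added example written for this thread; it is not code from the posts above or from the Concourse project. It assumes what fly 4.x itself does when given --username/--password: an OAuth2 resource-owner password grant against /sky/token using fly's built-in public client id "fly" with secret "Zmx5" (later Concourse releases moved the endpoint under /sky/issuer/token, so confirm the path for your version). The layout of the token entry in ~/.flyrc, the environment variable names CONCOURSE_URL, CONCOURSE_USER, CONCOURSE_PASSWORD and CONCOURSE_INSECURE, and the target/team names reused from #2 and #9 are assumptions too. Note that the password grant authenticates only against the local-user store (CONCOURSE_ADD_LOCAL_USER); a GitHub identity cannot be obtained this way, which is why the thread ends up with a dedicated local user rather than OAuth for automation.

```python
"""Headless fly login for a Concourse 4.x local user, plus the set-team call that
gives that user (and optionally a GitHub team) access to a team.

Added example for the thread, not fly's or Concourse's own code. Assumptions:
  - /sky/token is the password-grant endpoint and "fly"/"Zmx5" is the built-in
    client used by fly 4.x (later releases: /sky/issuer/token).
  - Credentials come from the environment, never from argv, so they do not end
    up in shell history or `ps` output the way --password="..." in #2 does.
  - ~/.flyrc layout matches what fly 4.x writes for a bearer token target.
"""
import base64
import json
import os
import ssl
import stat
import urllib.error
import urllib.parse
import urllib.request

FLY_CLIENT_ID = "fly"        # assumption: fly's built-in public client
FLY_CLIENT_SECRET = "Zmx5"   # assumption: its fixed client secret
TOKEN_PATH = "/sky/token"    # assumption: Concourse 4.x token endpoint
SCOPE = "openid profile email federated:id groups"


def build_token_request(base_url, username, password):
    """Return (url, headers, body) for the resource-owner password grant."""
    url = base_url.rstrip("/") + TOKEN_PATH
    creds = base64.b64encode(f"{FLY_CLIENT_ID}:{FLY_CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": SCOPE,
    }).encode()
    return url, headers, body


def parse_token_response(status, body):
    """Return (token, None) on success or (None, message) on failure.

    A failed grant looks like the 401 in #2:
    {"error":"access_denied","error_description":"Invalid username or password"}
    """
    try:
        data = json.loads(body.decode() or "{}")
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None, f"HTTP {status}: non-JSON response from token endpoint"
    if status == 200 and data.get("token_type", "").lower() == "bearer" and data.get("access_token"):
        return data["access_token"], None
    desc = data.get("error_description") or data.get("error") or "unknown error"
    return None, f"HTTP {status}: {desc}"


def request_token(base_url, username, password, insecure=False):
    """Perform the grant. insecure=True mirrors `fly login --insecure`: TLS
    verification is skipped, so only use it against a lab host like the
    bare-IP target in #2, never in production."""
    url, headers, body = build_token_request(base_url, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = None
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return parse_token_response(e.code, e.read())


def flyrc_target(target, base_url, team, token, insecure=False):
    """Render one entry under `targets:` in ~/.flyrc (assumed fly 4.x layout)."""
    lines = [f"  {target}:", f"    api: {base_url}", f"    team: {team}"]
    if insecure:
        lines.append("    insecure: true")
    lines += ["    token:", "      type: bearer", f"      value: {token}"]
    return "\n".join(lines) + "\n"


def write_flyrc(path, entry):
    """Write a flyrc holding only this target, owner-readable only: the bearer
    token is a credential. The file is replaced, which is fine on a CI runner."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        f.write("targets:\n" + entry)


def set_team_argv(target, team, local_user, github_team=None):
    """argv for `fly set-team`: the automation user gets the team, and a GitHub
    org:team may be added as in #9; --non-interactive skips the confirmation."""
    argv = ["fly", "-t", target, "set-team", "-n", team, "--local-user", local_user]
    if github_team:
        argv += ["--github-team", github_team]
    argv.append("--non-interactive")
    return argv


if __name__ == "__main__":
    base = os.environ["CONCOURSE_URL"]
    user = os.environ["CONCOURSE_USER"]
    insecure = os.environ.get("CONCOURSE_INSECURE") == "1"
    token, err = request_token(base, user, os.environ["CONCOURSE_PASSWORD"], insecure)
    if err:
        raise SystemExit(f"login failed: {err}")
    write_flyrc(os.path.expanduser("~/.flyrc"), flyrc_target("poc", base, "main", token, insecure))
    print(" ".join(set_team_argv("poc", "ets_team_forge", user, "concourse-ci:team-forge")))
```

Once ~/.flyrc holds the token, every later `fly -t poc ...` in the same job runs without a browser; the printed set-team line is the command a wrapper (Ansible, a shell step) would execute next with subprocess or directly. The local user should be a dedicated automation account that is added to exactly the teams it manages, which is the least-privilege alternative to the CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS=true setting warned about in #8.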