opal
opal copied to clipboard
permitio
OAuth2 client credentials support for OPAL Server
Is your feature request related to a problem? Please describe. The OPAL Client Configuration Variables currently only support sending static values to OPAL through the OPAL_CLIENT_TOKEN. However, our machine-to-machine communication relies on OAuth2 client_credentials, which cannot be implemented with a static token. As a result, we are unable to use the current authentication method provided by the OPAL Client Configuration Variables.
Describe the solution you'd like
OPAL Client To provide more flexibility in authentication for the OPAL Client, we propose adding support for additional authentication methods to communicate with OPAL server. Specifically, we suggest implementing the ability to create additional tokens using either a Token or OAuth2 method.
To enable this functionality, we recommend adding new configuration variables: OPAL_CLIENT_AUTH_TYPE OPAL_CLIENT_AUTH_OAUTH_SERVER OPAL_CLIENT_AUTH_OAUTH_CLIENT_ID OPAL_CLIENT_AUTH_OAUTH_CLIENT_SECRET.
If the value "oauth" is found in the OPAL_CLIENT_AUTH_TYPE variable, the OPAL Client will send the client id and secret to the OAuth2 server using the client_credentials standard. The response will include a token with an expiration time. The OPAL Client will use this token to communicate with the OPAL Server and will cache it until its expiration before requesting a new one.
OPAL Server On the OPAL server side, it needs some modifications to support other tokens than the ones it creates itself.
To enable this functionality, we recommend adding new configuration variables: OPAL_AUTH_TYPE (default or oauth) OPAL_AUTH_OAUTH_JWKS_ENDPOINT OPAL_AUTH_OAUTH_ISSUER OPAL_AUTH_OAUTH_SCOPE_CLIENT (the scope name that needs to be in the token for having “client” permissions)
The server can then use the OPAL_AUTH_OAUTH_JWKS_ENDPOINT for retrieving the public keys for validating the token. The OPAL_AUTH_OAUTH_ISSUER for validating the correct issuer in the token The OPAL_AUTH_OAUTH_SCOPE_CLIENT for validating that the scope name exist in the token to give permissions of type “client”
Because it uses web sockets it should accept the token from the client to validates against before sending data to the opal client The client should be able to send updated tokens, so the server can validate against “fresh” tokens when required.
Summary In summary, by making the suggested modifications to the OPAL server and client, it can enable support to a more diverse set of authentication methods. This is a valuable enhancement that will facilitate greater interoperability between systems and use of central authentication servers within the organization.
