
Enable OAuth2 authentication

Open ojecborec opened this issue 1 year ago • 1 comments

Hello OPAL team. The following PR enables OAuth2 authentication for both server and client. The client would send an access token generated by the Client Credentials grant, and the server would validate this token by either calling the introspect endpoint or reading the JWT signature. Please note that I'm not a Python developer. Any suggestions are welcome. There's also missing documentation.

To configure the OPAL client Docker container:

environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_CLIENT_ID=$OAUTH2_CLIENT_ID
  - OPAL_OAUTH2_CLIENT_SECRET=$OAUTH2_CLIENT_SECRET
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspect or JWT validation
  # If you wish to use introspect endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate JWT signature instead of calling introspect endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp

To configure the OPAL server Docker container:

environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspect or JWT validation
  # If you wish to use introspect endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate JWT signature instead of calling introspect endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp
  - OPAL_OAUTH2_JWT_ALGORITHM=RS256
  - OPAL_OAUTH2_JWT_AUDIENCE=some_audience
  - OPAL_OAUTH2_JWT_ISSUER=some_issuer

Let me know what you think.

ojecborec avatar Jun 25 '24 12:06 ojecborec
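As an added example (not OPAL's code and not part of this PR): the claim policy that the environment variables above describe, applied once the token itself has been authenticated, either as the payload of a JWT whose signature was verified against the keys advertised by OPAL_OAUTH2_OPENID_CONFIGURATION_URL, or as the JSON returned by OPAL_OAUTH2_INTROSPECT_URL. Only the env var formats from the PR description are taken from the page; the function names, sample claims and the assumption that signature verification or the introspection HTTP call happen before this step are hypothetical.

```python
import time

def parse_exact_match_claims(value):
    """OPAL_OAUTH2_EXACT_MATCH_CLAIMS format: 'foo=bar,peer_type=client'."""
    pairs = {}
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"exact-match claim without '=': {item!r}")
        key, expected = item.split("=", 1)
        pairs[key.strip()] = expected.strip()
    return pairs

def parse_required_claims(value):
    """OPAL_OAUTH2_REQUIRED_CLAIMS format: 'client_id,iat,exp'."""
    return [s.strip() for s in value.split(",") if s.strip()]

def validate_claims(claims, required, exact_match, audience=None, issuer=None,
                    now=None, leeway=0, from_introspection=False):
    """Return the list of policy violations; an empty list means accept."""
    # Introspection (RFC 7662) must say active=true before any claim is trusted.
    if from_introspection and claims.get("active") is not True:
        return ["introspection endpoint reports the token as inactive"]
    now = time.time() if now is None else now
    problems = [f"missing required claim {n!r}" for n in required if n not in claims]
    for name, expected in exact_match.items():
        if name not in claims or str(claims[name]) != expected:
            problems.append(f"claim {name!r} is not {expected!r}")
    if "exp" in claims and now > claims["exp"] + leeway:
        problems.append("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        problems.append("token not yet valid")
    if issuer is not None and claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} != {issuer!r}")
    if audience is not None:  # 'aud' may be a string or a list per RFC 7519
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            problems.append(f"audience {aud!r} does not include {audience!r}")
    return problems

# Constructed sample: payload of a JWT whose RS256 signature was already verified.
SAMPLE_JWT_CLAIMS = {"iss": "some_issuer", "aud": ["some_audience", "other"],
                     "client_id": "opal-client", "iat": 1_700_000_000,
                     "exp": 1_700_003_600, "foo": "bar"}
# Constructed sample: introspection response for a revoked (inactive) token.
SAMPLE_INTROSPECTION = {"active": False, "client_id": "opal-client"}
```

The same `validate_claims` call serves both validation modes, so the peer_type requirement raised later in the thread would simply be one more entry in the required or exact-match list.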

Deploy Preview for opal-docs canceled.

Latest commit: 971da7f99a2c89eb21124ce4e6972e25be5bc909
Latest deploy log: https://app.netlify.com/sites/opal-docs/deploys/66bde6d7df5a1f00080c0e95

netlify[bot] avatar Jun 25 '24 12:06 netlify[bot]

Hi @ojecborec this PR seems great - but I somehow missed it. There're a few conflicts to resolve, and we can look into reviewing it.

orweis avatar Jul 28 '24 10:07 orweis

Hi @ojecborec, thanks for your contribution. Can you resolve the conflicts and create an example docker that will help with the setup, as we have in the docker folder for our other main setup options?

CC @danyi1212 @roekatz

obsd avatar Jul 28 '24 10:07 obsd

Sorry for taking so long. I've added 2 examples. One when working with Opaque tokens and the other one with JWT ones. There should be no conflicts at the moment.

ojecborec avatar Aug 01 '24 16:08 ojecborec

I'm still thinking about the peer_type claim that's required when calling some OPAL resources. What if you're working in an environment where adding an extra peer_type claim is not possible?

ojecborec avatar Aug 01 '24 17:08 ojecborec

@obsd Should I reformat the source code according to the pre-commit checks? The reason I'm asking is that one suggestion (black) is

-            logger.info("OPAL is running in secure mode - will authenticate API requests.")
+            logger.info(
+                "OPAL is running in secure mode - will authenticate API requests."
+            )
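Review bot: this is black's line-length wrap of the `logger.info(...)` call; since the pre-commit check runs black, the three-line form is the one the check will accept, and existing single-line calls elsewhere in the code base do not change that. Apply the suggested reformat rather than leaving the line as is.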

but I see a lot of single-liners in the existing code, which makes me think that a single line is OK and there's nothing to do.

ojecborec avatar Aug 08 '24 12:08 ojecborec

Another failed check is related to Docker

Run docker-compose -f docker/docker-compose-test.yml up -d
/home/runner/work/_temp/a65f8803-da9f-462f-8a3e-f4677041d951.sh: line 1: docker-compose: command not found
Error: Process completed with exit code 127.

Not sure how I can handle the missing docker-compose.

ojecborec avatar Aug 08 '24 12:08 ojecborec

@roekatz is the best to answer here

obsd avatar Aug 08 '24 15:08 obsd

Hi @ojecborec thanks for the contribution. The PR is currently too big to review due to conflicts. Could you rebase on the main branch so we can review your changes separately? Thanks!

asafc avatar Aug 14 '24 17:08 asafc

@ojecborec Rebasing on top of master, as @asafc suggested, should also fix the missing docker-compose issue (as it was already fixed in master), and of course enable us to review the change (because currently most of the diff is master changes rather than your own branch changes).

roekatz avatar Aug 15 '24 08:08 roekatz

Hello @roekatz @asafc. It was easier for me to create the new branch. See https://github.com/permitio/opal/pull/646 for reference.

ojecborec avatar Aug 16 '24 06:08 ojecborec

Replaced by #646

roekatz avatar Aug 23 '24 13:08 roekatz