
Enable OAuth2 authentication

Open · ojecborec opened this issue · 1 comment

Hello OPAL team. The following PR enables OAuth2 authentication for both server and client. The client would send an access token obtained through the Client Credentials grant, and the server would validate this token either by calling the introspection endpoint or by verifying the JWT signature. Please note that I'm not a Python developer. Any suggestions are welcome. Documentation is also still missing.

To configure the OPAL client Docker container:

```yaml
environment:
  - OPAL_AUTH_TYPE=oauth2
  # Client Credentials grant: the client exchanges its id/secret for an access token at the token URL
  - OPAL_OAUTH2_CLIENT_ID=$OAUTH2_CLIENT_ID
  - OPAL_OAUTH2_CLIENT_SECRET=$OAUTH2_CLIENT_SECRET
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspection or JWT validation, not both
  # If you wish to use the introspection endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate the JWT signature locally instead of calling the introspection endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  # Comma-separated key=value pairs that must match exactly
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  # Comma-separated claim names that must be present
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp
```

To configure the OPAL server Docker container:

```yaml
environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspection or JWT validation, not both
  # If you wish to use the introspection endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate the JWT signature locally instead of calling the introspection endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  # Comma-separated key=value pairs that must match exactly
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  # Comma-separated claim names that must be present
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp
  # JWT validation only: expected signing algorithm, audience and issuer
  - OPAL_OAUTH2_JWT_ALGORITHM=RS256
  - OPAL_OAUTH2_JWT_AUDIENCE=some_audience
  - OPAL_OAUTH2_JWT_ISSUER=some_issuer
```

Let me know what you think.

ojecborec · Jun 25 '24 12:06
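The two server-side validation paths described in the PR (an RFC 7662 introspection response, or local JWT verification with the configured algorithm, audience, issuer, required claims and exact-match claims), as an added example. This is not OPAL's code and not the PR's implementation: the `OPAL_OAUTH2_*` names are taken from the PR text, the signature check uses HS256 with a shared secret (stdlib `hmac`) so the example runs offline, and `mint_hs256` stands in for the token endpoint. OPAL's RS256 path would instead verify against the JWKS discovered through the openid-configuration URL; all function names and sample values here are constructed for the example.

```python
"""Token validation along the two paths the PR describes (example, not OPAL code)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_exact_match_claims(spec: str) -> dict:
    """OPAL_OAUTH2_EXACT_MATCH_CLAIMS, e.g. 'foo=bar,client_id=opal' -> {'foo': 'bar', 'client_id': 'opal'}"""
    out = {}
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"bad exact-match entry: {item!r}")
        out[key] = value
    return out


def parse_required_claims(spec: str) -> list:
    """OPAL_OAUTH2_REQUIRED_CLAIMS, e.g. 'client_id,iat,exp' -> ['client_id', 'iat', 'exp']"""
    return [p.strip() for p in spec.split(",") if p.strip()]


def check_claims(claims, required, exact, audience=None, issuer=None, now=None):
    """Claim checks shared by both paths; raises ValueError on the first failure."""
    now = time.time() if now is None else now
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    for key, value in exact.items():
        if str(claims.get(key)) != value:
            raise ValueError(f"claim {key!r} must equal {value!r}")
    if "exp" in claims and now >= float(claims["exp"]):
        raise ValueError("token expired")
    if audience is not None:
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
        if audience not in aud:
            raise ValueError("audience mismatch")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return claims


def validate_introspection_response(resp: dict, **kw) -> dict:
    """Path 1: JSON body returned by OPAL_OAUTH2_INTROSPECT_URL (RFC 7662).
    An inactive token is rejected before any other field is consulted."""
    if resp.get("active") is not True:
        raise ValueError("token is not active")
    return check_claims(resp, **kw)


def validate_jwt(token: str, key: bytes, algorithm: str, **kw) -> dict:
    """Path 2: verify the signature locally. The algorithm is pinned from config
    (OPAL_OAUTH2_JWT_ALGORITHM); the token's own header is never trusted to pick it."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != algorithm:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if algorithm != "HS256":  # assumption: only HS256 is implemented in this example
        raise NotImplementedError(algorithm)
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return check_claims(json.loads(b64url_decode(p)), **kw)


def mint_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the token endpoint (OPAL_OAUTH2_TOKEN_URL) answering a client-credentials request."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Server settings mirroring the PR's variables (values constructed for the example)
SERVER_CONFIG = dict(
    required=parse_required_claims("client_id,iat,exp"),
    exact=parse_exact_match_claims("foo=bar"),
    audience="some_audience",
    issuer="some_issuer",
)
SECRET = b"example-shared-secret"  # constructed; not a real credential

if __name__ == "__main__":
    now = int(time.time())
    claims = {"client_id": "opal-client", "iat": now, "exp": now + 300,
              "aud": "some_audience", "iss": "some_issuer", "foo": "bar"}
    print(validate_jwt(mint_hs256(claims, SECRET), SECRET, "HS256", **SERVER_CONFIG))
    print(validate_introspection_response({"active": True, **claims}, **SERVER_CONFIG))
```

Both paths end in the same `check_claims`, so a token that passes introspection and one that passes local verification are held to the same required/exact-match/audience/issuer rules; the only difference is who vouches for the token's integrity (the authorization server, or the signature).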