Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable OAuth2 authentication #602

Closed
wants to merge 107 commits into from
Closed

Conversation

ojecborec
Copy link

Hello OPAL team. Following PR is enabling OAuth2 authentication for both server and client. Client would send access token generated by Client Credentials grant and server would validate this token by either calling introspect endpoint or reading JWT signature.
Please note that I'm not python developer. Any suggestions are welcomed. There's also missing documentation.

To configure OPAL client Docker container.

environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_CLIENT_ID=$OAUTH2_CLIENT_ID
  - OPAL_OAUTH2_CLIENT_SECRET=$OAUTH2_CLIENT_SECRET
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspect or JWT validation
  # If you wish to use introspect endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate JWT signature instead of calling introspect endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp

To configure OPAL server Docker container.

environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspect or JWT validation
  # If you wish to use introspect endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate JWT signature instead of calling introspect endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp
  - OPAL_OAUTH2_JWT_ALGORITHM=RS256
  - OPAL_OAUTH2_JWT_AUDIENCE=some_audience
  - OPAL_OAUTH2_JWT_ISSUER=some_issuer

Let me know what you think.

Copy link

netlify bot commented Jun 25, 2024

Deploy Preview for opal-docs canceled.

Name Link
🔨 Latest commit 971da7f
🔍 Latest deploy log https://app.netlify.com/sites/opal-docs/deploys/66bde6d7df5a1f00080c0e95

obsd and others added 26 commits June 25, 2024 17:45
…ld-routes-from-the-pdp-opal

Removing data from policy_store/config route and deprecating this route
* Added missing build steps for permitio/opal-client-cedar docker image

* Added missing test steps for permitio/opal-client-cedar docker image
The tests rely on that, and this value also depends on local git configuration
…ld-routes-from-the-pdp-opal-1

Fix env var description
…nn-failure-from-watcher-task

BasePolicyWatcherTask: Signal stop if broadcaster fails to connect
* Changed pygit2 requirement

* dan/per-10181-release-a-new-opal-client-cedar-version (permitio#605)

* Added missing build steps for permitio/opal-client-cedar docker image

* Added missing test steps for permitio/opal-client-cedar docker image

* Update tests.yml

* Fix env var description

* BasePolicyWatcherTask: Signal stop if broadcaster fails to connect

* Random documentation fixes

* Fix tests to explicitly choose 'master' as default branch

The tests rely on that, and this value also depends on local git configuration

* Tests: Change test server ports to avoid collisions

* Dokcer test: No need to build test image for client cedar since we don't test it

---------

Co-authored-by: Oded <oded@permit.io>
Co-authored-by: roekatz <roe@roekatz.com>
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
…n-failure-handling

Revert "BasePolicyWatcherTask: Signal stop if broadcaster fails to connect"
Remove buggy build of cedar-client for testing
CI: Comment out failing opal cedar client build
@roekatz
Copy link
Collaborator

roekatz commented Aug 15, 2024

@ojecborec Rebasing on top of master as @asafc suggested, should also fix the missing docker-compose issue (as it was already fixed in master). And of course enable us to review the change (cause currently most of the diff is master changes rather than your own branch changes).

@ojecborec
Copy link
Author

ojecborec commented Aug 16, 2024

Hello @roekatz @asafc. It was easier for me to create the new branch. See #646 for reference.

@roekatz
Copy link
Collaborator

roekatz commented Aug 23, 2024

Replaced by #646

@roekatz roekatz closed this Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants