OIDC/OAuth2 authentication support #3
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mrtamm
changed the title
|
I updated the PR description to include the fact that now the OIDC |
|
I updated authentication test I also reviewed linter errors, and fixed one linter issue in my changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added support for performing JWT-based user authentication (#2). The service API just validates that the provided Bearer token is issued by the configured OIDC service, the token is valid (calls introspection endpoint), and optionally can also check for specific values in audience (
aud) and scope (scope) claims.Note that the authentication just permits the request but does not associate the executed task with that specific user.
To verify that the token has not been invalidated before expiring, Funnel server also calls the
introspection_endpointdefined in the OIDC configuration JSON (unless it's missing from there). For this call,ClientIdandClientSecret(specified in the YAML configuration file) are also sent in Basic authentication format (unless the client information is not defined in the configuration file).The command-line client picks the JWT value from environment variable:
FUNNEL_SERVER_BEARER. However, when there are also Basic credentials defined in the environment variables, these will be preferred over JWT.Basic authentication is still supported. Note that RPC service (provided at port 9090) goes through the same authentication validation steps. Therefore, enabled OIDC-based authentication without Basic authentication credentials is problematic, since the server's RPC client would also need a JWT. To overcome this obstacle, the server automatically generates and adds Basic authentication credentials (see: cmd/util/config.go), which will be used with the RPC client. In addition, now the configuration loader also checks that RPC client configuration also has credentials defined (in the file) when at least one Basic credential is defined.
Other minor comments:
github.com/lestrrat-go/jwxlibrary for parsing JWT and loading JWK keys: the good part of this library is that it provides a cache for storing JWK keys and refreshing them periodically after 15 minutes.fmt.Printfor rare scenarios. Not sure if this is the best practice in this project, at least there are something to rely on for debugging.Feel free to comment, change, or make recommendations.