Merged
83 changes: 83 additions & 0 deletions docs/docs/OpenID-Connect-Guide.md
Expand Up @@ -124,6 +124,8 @@ docker run -p 9090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin
- Capability config:
- "Client authentication" must be enabled.
- "Standard flow" must be enabled.
- "Service accounts roles" must be enabled so that Workflow Manager can include an OAuth token
in job completion callbacks and when communicating with TiesDb.
- Login settings:
- Set "Valid redirect URIs" to
`http://localhost:8080/workflow-manager/login/oauth2/code/provider`
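Review bot: The new "Service accounts roles" bullet says the setting "must be enabled", but the reason it gives only applies to deployments that send an OAuth token in job completion callbacks or to TiesDb. Enabling service accounts lets the Workflow Manager client obtain tokens on its own behalf, so this reads better as a conditional requirement, for example "must be enabled if Workflow Manager will include an OAuth token in job completion callbacks or when communicating with TiesDb", so that installations that only need user login can leave it off.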
Expand Down Expand Up @@ -189,3 +191,84 @@ included as a bearer token in REST requests to Workflow Manager. For example:
```bash
curl -H "Authorization: Bearer <access-token>" http://localhost:8080/workflow-manager/rest/actions
```


### Use OAuth when sending job complete callbacks and when posting to TiesDb.
1\. Create a client for the callback receiver or TiesDb:

- Use the "Clients" menu to create a new client.
- Capability config:
- The client needs to have "Client authentication" and "Service accounts roles" enabled.
- Configure the callback receiver or TiesDb with the client ID and secret.

2\. Create a client role:

- Use the "Roles" tab to add a role to the client that was just created.

3\. Add the role to the Workflow Manager's client:

- Go to the client details page for the client created for Workflow Manager.
- Go to the "Service accounts roles" tab.
- Click "Assign role".
- Change "Filter by realm roles" to "Filter by clients".
- Assign the role created in step 2.

4\. Run jobs with the `CALLBACK_USE_OIDC` or `TIES_DB_USE_OIDC` job properties set to `TRUE`.


### Test callback authentication

The Python script below can be used to test callback authentication. Before running the script you
must run `pip install Flask-pyoidc==3.14.2`. To run the script, you must set the `OIDC_ISSUER_URI`,
`OIDC_CLIENT_ID`, and `OIDC_CLIENT_SECRET` environment variables. Note that the script configures
the `Flask-pyoidc` package to authenticate Web users, as required by the package, but we are only
testing the authentication of REST clients.

Once the script is running, a user can submit a job via the Workflow Manager Swagger page with the
following fields to test callbacks:
```json
{
"callbackMethod": "POST",
"callbackURL": "http://localhost:5000/api",
"jobProperties": {
"CALLBACK_USE_OIDC": "TRUE"
}
}
```

```python
import json
import logging
import os

from flask import Flask, jsonify
from flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata
from flask_pyoidc import OIDCAuthentication

logging.basicConfig(level=logging.INFO)

app = Flask(__name__)
app.config.update(
OIDC_REDIRECT_URI='http://localhost:5000/redirect_uri',
SECRET_KEY='secret',
DEBUG=True
)

auth = OIDCAuthentication({
'default': ProviderConfiguration(
os.getenv('OIDC_ISSUER_URI'),
client_metadata=ClientMetadata(
os.getenv('OIDC_CLIENT_ID'), os.getenv('OIDC_CLIENT_SECRET'))
)
}, app)

@app.route('/api', methods = ('GET', 'POST'))
@auth.token_auth('default')
def api():
print(type(auth.current_token_identity))
print(json.dumps(auth.current_token_identity, sort_keys=True, indent=4))
return jsonify({'message': 'test message'})

if __name__ == '__main__':
app.run()
```
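Review bot: Steps 2 and 3 have the reader create a client role and assign it to the Workflow Manager service account, but the section never says what the receiver does with that role, and `api()` in the test script is protected only by `@auth.token_auth('default')` with no role check. Please add a sentence explaining why the role is required and what the callback receiver or TiesDb is expected to verify. In the script, `SECRET_KEY='secret'` and `DEBUG=True` deserve a comment marking them as test-only values, since documentation scripts tend to be copied as a starting point. The heading "Use OAuth when sending job complete callbacks and when posting to TiesDb." should also drop its trailing period to match "### Test callback authentication".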
76 changes: 76 additions & 0 deletions docs/site/OpenID-Connect-Guide/index.html
Expand Up @@ -345,6 +345,8 @@ <h2 id="example-with-keycloak">Example with Keycloak</h2>
<li>Capability config:<ul>
<li>"Client authentication" must be enabled.</li>
<li>"Standard flow" must be enabled.</li>
<li>"Service accounts roles" must be enabled so that Workflow Manager can include an OAuth token
in job completion callbacks and when communicating with TiesDb.</li>
</ul>
</li>
<li>Login settings:<ul>
Expand Down Expand Up @@ -411,6 +413,80 @@ <h3 id="test-rest-authentication">Test REST authentication</h3>
<p>The response JSON will contain a token in the <code>"access_token"</code> property. That token needs to be
included as a bearer token in REST requests to Workflow Manager. For example:</p>
<pre><code class="language-bash">curl -H &quot;Authorization: Bearer &lt;access-token&gt;&quot; http://localhost:8080/workflow-manager/rest/actions
</code></pre>
<h3 id="use-oauth-when-sending-job-complete-callbacks-and-when-posting-to-tiesdb">Use OAuth when sending job complete callbacks and when posting to TiesDb.</h3>
<p>1. Create a client for the callback receiver or TiesDb:</p>
<ul>
<li>Use the "Clients" menu to create a new client.</li>
<li>Capability config:<ul>
<li>The client needs to have "Client authentication" and "Service accounts roles" enabled.</li>
</ul>
</li>
<li>Configure the callback receiver or TiesDb with the client ID and secret.</li>
</ul>
<p>2. Create a client role:</p>
<ul>
<li>Use the "Roles" tab to add a role to the client that was just created.</li>
</ul>
<p>3. Add the role to the Workflow Manager's client:</p>
<ul>
<li>Go to the client details page for the client created for Workflow Manager.</li>
<li>Go to the "Service accounts roles" tab.</li>
<li>Click "Assign role".</li>
<li>Change "Filter by realm roles" to "Filter by clients".</li>
<li>Assign the role created in step 2.</li>
</ul>
<p>4. Run jobs with the <code>CALLBACK_USE_OIDC</code> or <code>TIES_DB_USE_OIDC</code> job properties set to <code>TRUE</code>.</p>
<h3 id="test-callback-authentication">Test callback authentication</h3>
<p>The Python script below can be used to test callback authentication. Before running the script you
must run <code>pip install Flask-pyoidc==3.14.2</code>. To run the script, you must set the <code>OIDC_ISSUER_URI</code>,
<code>OIDC_CLIENT_ID</code>, and <code>OIDC_CLIENT_SECRET</code> environment variables. Note that the script configures
the <code>Flask-pyoidc</code> package to authenticate Web users, as required by the package, but we are only
testing the authentication of REST clients.</p>
<p>Once the script is running, a user can submit a job via the Workflow Manager Swagger page with the
following fields to test callbacks:</p>
<pre><code class="language-json">{
&quot;callbackMethod&quot;: &quot;POST&quot;,
&quot;callbackURL&quot;: &quot;http://localhost:5000/api&quot;,
&quot;jobProperties&quot;: {
&quot;CALLBACK_USE_OIDC&quot;: &quot;TRUE&quot;
}
}
</code></pre>
<pre><code class="language-python">import json
import logging
import os

from flask import Flask, jsonify
from flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata
from flask_pyoidc import OIDCAuthentication

logging.basicConfig(level=logging.INFO)

app = Flask(__name__)
app.config.update(
OIDC_REDIRECT_URI='http://localhost:5000/redirect_uri',
SECRET_KEY='secret',
DEBUG=True
)

auth = OIDCAuthentication({
'default': ProviderConfiguration(
os.getenv('OIDC_ISSUER_URI'),
client_metadata=ClientMetadata(
os.getenv('OIDC_CLIENT_ID'), os.getenv('OIDC_CLIENT_SECRET'))
)
}, app)

@app.route('/api', methods = ('GET', 'POST'))
@auth.token_auth('default')
def api():
print(type(auth.current_token_identity))
print(json.dumps(auth.current_token_identity, sort_keys=True, indent=4))
return jsonify({'message': 'test message'})

if __name__ == '__main__':
app.run()
</code></pre>

</div>
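Review bot: The numbered steps render here as plain paragraphs (`<p>1. Create a client for the callback receiver or TiesDb:</p>`) followed by separate `<ul>` blocks rather than as one ordered list, because the Markdown source escapes the period in `1\.`. If that is not intentional, use a real ordered list in the source with the sub-bullets indented under each item, so the generated HTML is an `<ol>` and "Assign the role created in step 2." refers to an actual list item.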
2 changes: 1 addition & 1 deletion docs/site/index.html
Expand Up @@ -388,5 +388,5 @@ <h1 id="overview">Overview</h1>

<!--
MkDocs version : 0.17.5
Build Date UTC : 2023-11-29 16:41:29
Build Date UTC : 2023-12-06 17:04:14
-->
14 changes: 12 additions & 2 deletions docs/site/search/search_index.json

Large diffs are not rendered by default.

54 changes: 27 additions & 27 deletions docs/site/sitemap.xml
Expand Up @@ -2,137 +2,137 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Release-Notes/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/License-And-Distribution/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Acknowledgements/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Install-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Admin-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/User-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/OpenID-Connect-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Media-Segmentation-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Feed-Forward-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Derivative-Media-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Object-Storage-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Markup-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/TiesDb-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Trigger-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/REST-API/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Component-API-Overview/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Component-Descriptor-Reference/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/CPP-Batch-Component-API/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Python-Batch-Component-API/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Java-Batch-Component-API/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/GPU-Support-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Contributor-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Development-Environment-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Node-Guide/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/Workflow-Manager-Architecture/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>/CPP-Streaming-Component-API/index.html</loc>
<lastmod>2023-11-29</lastmod>
<lastmod>2023-12-06</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>
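Review bot: Every `<lastmod>` in this hunk moves from 2023-11-29 to 2023-12-06, although the only page whose content visibly changes in this pull request is OpenID-Connect-Guide. The value tracks the build date rather than each page's modification date, so the generated sitemap changes on every docs build and the real documentation change is harder to find in the diff. Consider regenerating the `docs/site` output in a separate commit so the source change in `docs/docs/OpenID-Connect-Guide.md` can be reviewed on its own.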