Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable OAuth2 authentication #602

Closed
wants to merge 107 commits into from
Closed

Enable OAuth2 authentication #602

wants to merge 107 commits into from

Conversation

ojecborec
Copy link

Hello OPAL team. Following PR is enabling OAuth2 authentication for both server and client. Client would send access token generated by Client Credentials grant and server would validate this token by either calling introspect endpoint or reading JWT signature.
Please note that I'm not python developer. Any suggestions are welcomed. There's also missing documentation.

To configure OPAL client Docker container.

environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_CLIENT_ID=$OAUTH2_CLIENT_ID
  - OPAL_OAUTH2_CLIENT_SECRET=$OAUTH2_CLIENT_SECRET
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspect or JWT validation
  # If you wish to use introspect endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate JWT signature instead of calling introspect endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp

To configure OPAL server Docker container.

environment:
  - OPAL_AUTH_TYPE=oauth2
  - OPAL_OAUTH2_TOKEN_URL=https://example.com/token
  # Choose either introspect or JWT validation
  # If you wish to use introspect endpoint for token validation
  - OPAL_OAUTH2_INTROSPECT_URL=https://example.com/introspect
  # Validate JWT signature instead of calling introspect endpoint
  - OPAL_OAUTH2_OPENID_CONFIGURATION_URL=https://example.com/.well-known/openid-configuration
  - OPAL_OAUTH2_EXACT_MATCH_CLAIMS=foo=bar
  - OPAL_OAUTH2_REQUIRED_CLAIMS=client_id,iat,exp
  - OPAL_OAUTH2_JWT_ALGORITHM=RS256
  - OPAL_OAUTH2_JWT_AUDIENCE=some_audience
  - OPAL_OAUTH2_JWT_ISSUER=some_issuer

Let me know what you think.

@netlify Netlify
Copy link

netlify bot commented Jun 25, 2024
edited
Loading

Deploy Preview for opal-docs canceled.

Name Link
🔨 Latest commit 971da7f
🔍 Latest deploy log https://app.netlify.com/sites/opal-docs/deploys/66bde6d7df5a1f00080c0e95

obsd and others added 26 commits June 25, 2024 17:45
@obsd
Removing secrets from policy_store/config route and deprecating this …
cfb206c 
…route
@obsd
make exclude API params configureable to not break OSS
fe3ed70
@obsd
fix lint
e49bc26
@obsd
Merge pull request permitio#603 from permitio/oded/per-10149-remove-o…
00aea98 
…ld-routes-from-the-pdp-opal

Removing data from policy_store/config route and deprecating this route
@obsd
Fix env var description
bca6cb5
@danyi1212
dan/per-10181-release-a-new-opal-client-cedar-version (permitio#605)
0d34580 
* Added missing build steps for permitio/opal-client-cedar docker image

* Added missing test steps for permitio/opal-client-cedar docker image
@danyi1212
Update tests.yml
5857f64
@roekatz
BasePolicyWatcherTask: Signal stop if broadcaster fails to connect
3fba32e
@roekatz
Random documentation fixes
73ea4d5
@roekatz
Fix tests to explicitly choose 'master' as default branch
36e6dc1 
The tests rely on that, and this value also depends on local git configuration
@roekatz
Tests: Change test server ports to avoid collisions
03c011f
@roekatz
Dokcer test: No need to build test image for client cedar since we do…
6d80630 
…n't test it
@obsd
Merge pull request permitio#604 from permitio/oded/per-10149-remove-o…
384df7e 
…ld-routes-from-the-pdp-opal-1

Fix env var description
@roekatz
Merge pull request permitio#606 from permitio/rk/raise-broadcaster-co…
6fff757 
…nn-failure-from-watcher-task

BasePolicyWatcherTask: Signal stop if broadcaster fails to connect
@roekatz
Revert "BasePolicyWatcherTask: Signal stop if broadcaster fails to co…
c3cf66b 
…nnect"

This reverts commit 3fba32e.
@danyi1212 @obsd @roekatz
dan/per-10201-fix-opal-server-077-failures (permitio#607)
94f9874 
* Changed pygit2 requirement

* dan/per-10181-release-a-new-opal-client-cedar-version (permitio#605)

* Added missing build steps for permitio/opal-client-cedar docker image

* Added missing test steps for permitio/opal-client-cedar docker image

* Update tests.yml

* Fix env var description

* BasePolicyWatcherTask: Signal stop if broadcaster fails to connect

* Random documentation fixes

* Fix tests to explicitly choose 'master' as default branch

The tests rely on that, and this value also depends on local git configuration

* Tests: Change test server ports to avoid collisions

* Dokcer test: No need to build test image for client cedar since we don't test it

---------

Co-authored-by: Oded <oded@permit.io>
Co-authored-by: roekatz <roe@roekatz.com>
@snyk-bot
fix: requirements.txt to reduce vulnerabilities
93161a0 
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
@roekatz
Merge pull request permitio#610 from permitio/rk/revert-broadcast-con…
b3d4625 
…n-failure-handling

Revert "BasePolicyWatcherTask: Signal stop if broadcaster fails to connect"
@roekatz
Bump version to 0.7.8
9f3efba
@roekatz
Merge pull request permitio#615 from permitio/rk/bump-ver-0.7.8
b8c8306 
Bump version to 0.7.8
@roekatz
CI: Remove unnecessary (and buggy) build of cedar & standalone client…
5f0a821 
… for testing
@roekatz
Merge pull request permitio#616 from permitio/rk/fix-release-flow
362380b 
Remove buggy build of cedar-client for testing
@roekatz
CI: Comment out failing opal cedar client build
0f79bcd
@roekatz
Merge pull request permitio#617 from permitio/rk/fix-release-flow
ff0f350 
CI: Comment out failing opal cedar client build
@danyi1212
Changed relative imports to absolute
8b691d9
@danyi1212
Renamed redis_utils module
38446a8
@roekatz
Copy link
Collaborator

roekatz commented Aug 15, 2024

@ojecborec Rebasing on top of master as @asafc suggested, should also fix the missing docker-compose issue (as it was already fixed in master). And of course enable us to review the change (cause currently most of the diff is master changes rather than your own branch changes).

Ondrej Scecina added 17 commits August 15, 2024 10:43
Rebase feature branch onto updated master
3553535 
# Conflicts:
#	packages/opal-common/opal_common/authentication/jwk.py
#	packages/opal-common/opal_common/authentication/oauth2.py
#	packages/requires.txt
Enable OAuth2 authentication.
7b42622
Rebase to master
1d1b4a2
Enable OAuth2 authentication.
16e5fde
Remove unused imports
7100f97
Enable OAuth2 authentication.
806cd5b
Enable OAuth2 authentication.
47421cb
Enable OAuth2 authentication.
3621a9d
Merge remote-tracking branch 'origin/oauth2' into oauth2
f260bcf 
# Conflicts:
#	packages/requires.txt
Rebase feature branch onto updated master
016df4b 
# Conflicts:
#	packages/opal-common/opal_common/authentication/jwk.py
#	packages/opal-common/opal_common/authentication/oauth2.py
#	packages/requires.txt
Enable OAuth2 authentication.
091c617
Rebase to master
3dc7396
Enable OAuth2 authentication.
608582f
Remove unused imports
00d8bee
Enable OAuth2 authentication.
41427f5
Enable OAuth2 authentication.
1451ff1
Merge remote-tracking branch 'origin/oauth2' into oauth2
971da7f
@ojecborec ojecborec mentioned this pull request Aug 16, 2024
Open
@ojecborec
Copy link
Author

ojecborec commented Aug 16, 2024
edited
Loading

Hello @roekatz @asafc. It was easier for me to create the new branch. See #646 for reference.

@roekatz
Copy link
Collaborator

roekatz commented Aug 23, 2024

Replaced by #646

@roekatz roekatz closed this Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@obsd obsd Awaiting requested review from obsd

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@ojecborec @orweis @obsd @asafc @roekatz @danyi1212 @snyk-bot @EliMoshkovich @venuDreddy