Skip to content
/ infra-auth-lib Public

Auth Library for infra&automation services for OIDC

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stackrox/infra-auth-lib

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
.github
.github
 
 
auth
auth
 
 
config
config
 
 
docs
docs
 
 
generated
generated
 
 
proto/api/v1
proto/api/v1
 
 
service
service
 
 
ui
ui
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
buf.gen.yaml
buf.gen.yaml
 
 
buf.lock
buf.lock
 
 
buf.yaml
buf.yaml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

infra-auth-lib

Auth Library for infra&automation services for OIDC.

How to create the OIDC configuration file

Create an OIDC application on your identity provider. Remember client ID, client secret, issuer, and which endpoint(s) you configured.

Generate a session secret with:

python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

Create the file. Your oidc.yaml config can look like this, if the IDP provides a well-known openid configuration.

issuer: https://idp.company.corp

If your IDP does not provide the configuration file, can still configure this manually. Your oidc.yaml may look like:

offlineProviderConfig: true
issuer: https://idp.company.corp
authUrl: https://idp.company.corp/oauth/authorize
tokenUrl: https://idp.company.corp/oauth/token
userInfoUrl: https://idp.company.corp/oauth/userinfo
jwksUrl: https://idp.company.corp/oauth/discovery/keys
algorithms:
  - RS256

In any case, add client and session information, endpoint, additional access token claims, allowed email suffix, and blocked email addresses to this file:

clientID: awesome-application-id
clientSecret: Y0xZeFNYVVNkLWJMRWJ0cXNzbmk4QUNna3o1dGUyOTZsUWRCcjFBak51Yz0K
sessionSecret: Tf12qmXZ5y3kWK5M9wmc_dXjN0GUwhtEcErixd07n1U=
endpoint: your-app.company.corp
accessTokenClaims:
  - value: https://idp.company.corp
    op: eq
    path: iss
  - value: authorized-users
    op: in
    path: realm_access.roles
allowedEmailSuffix: "@company.com"
emailBlockList:
  - donotreply@invalid.domain

How it works

Login flow for humans

Auth Flow for Login

This displays the initial login flow. For subsequent access, if the token stored in the cookie is still valid, the hop to the identity provider is skipped.

The authentication middleware in the backend transforms the user token into a service account, which can be accessed from the context in the request handlers.

Human access to backend with Service Account Token

Auth Flow for Humans with Service Account Token

Humans can access their service account token through the UI (or calling the /token endpoint directly). They authenticate this request with their user token, provided by the identity provider.

The returned service account token can be used for subsequent API requests.

Technical user access to backend with Service Account Token

Auth Flow for Generating Service Account Tokens for Technical Users

An administrator calls the /create-token with the admin password from the server configuration. In this request, they must specify a name, description and an email address.

The returned service account token can be used for subsequent API requests.

About

Auth Library for infra&automation services for OIDC

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 2

v0.0.4 Latest
Oct 12, 2023
+ 1 release

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages