feat(auth-app): make service optional plus docu

Signed-off-by: jkoberg <jkoberg@owncloud.com>

ocis/pkg/runtime/service/service.go

@@ -3,7 +3,6 @@ package service
 import (
 	"context"
 	"fmt"
-	authapp "github.com/owncloud/ocis/v2/services/auth-app/pkg/command"
 	"net"
 	"net/http"
 	"net/rpc"
@@ -14,6 +13,8 @@ import (
 	"syscall"
 	"time"
 
+	authapp "github.com/owncloud/ocis/v2/services/auth-app/pkg/command"
+
 	"github.com/cenkalti/backoff"
 	"github.com/cs3org/reva/v2/pkg/events/stream"
 	"github.com/cs3org/reva/v2/pkg/logger"
@@ -161,11 +162,6 @@ func NewService(options ...Option) (*Service, error) {
 		cfg.AppRegistry.Commons = cfg.Commons
 		return appRegistry.Execute(cfg.AppRegistry)
 	})
-	reg(3, opts.Config.AuthApp.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
-		cfg.AuthApp.Context = ctx
-		cfg.AuthApp.Commons = cfg.Commons
-		return authapp.Execute(cfg.AuthApp)
-	})
 	reg(3, opts.Config.AuthBasic.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
 		cfg.AuthBasic.Context = ctx
 		cfg.AuthBasic.Commons = cfg.Commons
@@ -330,6 +326,11 @@ func NewService(options ...Option) (*Service, error) {
 		cfg.Audit.Commons = cfg.Commons
 		return audit.Execute(cfg.Audit)
 	})
+	areg(opts.Config.AuthApp.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
+		cfg.AuthApp.Context = ctx
+		cfg.AuthApp.Commons = cfg.Commons
+		return authapp.Execute(cfg.AuthApp)
+	})
 	areg(opts.Config.Policies.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
 		cfg.Policies.Context = ctx
 		cfg.Policies.Commons = cfg.Commons

services/auth-app/README.md

@@ -1,3 +1,30 @@
 # Auth-App
 
-TBD
+The auth-app service provides authentication for 3rd party apps.
+
+## The `auth` Service Family
+
+ocis uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
+  -   `auth-basic` handles basic authentication
+  -   `auth-bearer` handles oidc authentication
+  -   `auth-machine` handles interservice authentication when a user is impersonated
+  -   `auth-service` handles interservice authentication when using service accounts
+  -   `auth-app` handles authentication of external 3rd party apps
+
+## Optional Service
+
+This service is an optional service that will not run with default settings. To start use it, two envvars need to be set:
+```bash
+OCIS_ADD_RUN_SERVICES=auth-app # to start the service. Alternatively you can start the service explicitly via the command line.
+PROXY_ENABLE_APP_AUTH=true # to allow app authentication. This envvar goes to the proxy service in case of a distributed environment.
+```
+
+## App Tokens
+
+App Tokens are used to authenticate 3rd party apps. To be able to use an app token, one must first create a token via cli.
+
+```bash
+ocis auth-app create --user-name={user-name} --expiration={token-expiration}
+```
+
+Once generated, these tokens can be used to authenticate requests to the oCIS services. They can be passed in any request as `Basic Auth` header.

services/auth-basic/README.md

@@ -13,6 +13,7 @@ ocis uses serveral authentication services for different use cases. All services
   -   `auth-bearer` handles oidc authentication
   -   `auth-machine` handles interservice authentication when a user is impersonated
   -   `auth-service` handles interservice authentication when using service accounts
+  -   `auth-app` handles authentication of external 3rd party apps
 
 ## Auth Managers
 

services/auth-bearer/README.md

@@ -9,6 +9,7 @@ ocis uses serveral authentication services for different use cases. All services
   -   `auth-bearer` handles oidc authentication
   -   `auth-machine` handles interservice authentication when a user is impersonated
   -   `auth-service` handles interservice authentication when using service accounts
+  -   `auth-app` handles authentication of external 3rd party apps
 
 ## Built in OpenID Connect Identity Provider
 

services/auth-machine/README.md

@@ -7,6 +7,7 @@ ocis uses serveral authentication services for different use cases. All services
   -   `auth-bearer` handles oidc authentication
   -   `auth-machine` handles interservice authentication when a user is impersonated
   -   `auth-service` handles interservice authentication when using service accounts
+  -   `auth-app` handles authentication of external 3rd party apps
 
 ## User Impersonation
 

services/auth-service/README.md

@@ -9,6 +9,7 @@ ocis uses serveral authentication services for different use cases. All services
   -   `auth-bearer` handles oidc authentication
   -   `auth-machine` handles interservice authentication when a user is impersonated
   -   `auth-service` handles interservice authentication when using service accounts
+  -   `auth-app` handles authentication of external 3rd party apps
 
 ## Service Accounts
 

services/proxy/pkg/command/server.go

@@ -294,10 +294,12 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 		})
 	}
 
-	authenticators = append(authenticators, middleware.AppAuthAuthenticator{
-		Logger:              logger,
-		RevaGatewaySelector: gatewaySelector,
-	})
+	if cfg.AuthMiddleware.AllowAppAuth {
+		authenticators = append(authenticators, middleware.AppAuthAuthenticator{
+			Logger:              logger,
+			RevaGatewaySelector: gatewaySelector,
+		})
+	}
 	authenticators = append(authenticators, middleware.PublicShareAuthenticator{
 		Logger:              logger,
 		RevaGatewaySelector: gatewaySelector,

services/proxy/pkg/config/config.go

@@ -91,6 +91,7 @@ var (
 // AuthMiddleware configures the proxy http auth middleware.
 type AuthMiddleware struct {
 	CredentialsByUserAgent map[string]string `yaml:"credentials_by_user_agent"`
+	AllowAppAuth           bool              `yaml:"allow_app_auth" env:"PROXY_ENABLE_APP_AUTH" desc:"Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work." introductionVersion:"%NEXT%"`
 }
 
 // PoliciesMiddleware configures the proxy's policies middleware.