From 11103a422075e4bfdad1bb3f63d46d1a5fb002e4 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Mon, 15 Jul 2024 10:51:04 +0200
Subject: [PATCH] feat(auth-app): make service optional plus docu

Signed-off-by: jkoberg
---
 ocis/pkg/runtime/service/service.go | 13 +++++++------
 services/auth-app/README.md | 29 +++++++++++++++++++++++++++-
 services/auth-basic/README.md | 1 +
 services/auth-bearer/README.md | 1 +
 services/auth-machine/README.md | 1 +
 services/auth-service/README.md | 1 +
 services/proxy/pkg/command/server.go | 10 ++++++----
 services/proxy/pkg/config/config.go | 1 +
 8 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/ocis/pkg/runtime/service/service.go b/ocis/pkg/runtime/service/service.go
index f41e2099e..d42604b7e 100644
--- a/ocis/pkg/runtime/service/service.go
+++ b/ocis/pkg/runtime/service/service.go
@@ -3,7 +3,6 @@ package service
 import (
 "context"
 "fmt"
- authapp "github.com/owncloud/ocis/v2/services/auth-app/pkg/command"
 "net"
 "net/http"
 "net/rpc"
@@ -14,6 +13,8 @@ import (
 "syscall"
 "time"
 
+ authapp "github.com/owncloud/ocis/v2/services/auth-app/pkg/command"
+
 "github.com/cenkalti/backoff"
 "github.com/cs3org/reva/v2/pkg/events/stream"
 "github.com/cs3org/reva/v2/pkg/logger"
@@ -161,11 +162,6 @@ func NewService(options ...Option) (*Service, error) {
 cfg.AppRegistry.Commons = cfg.Commons
 return appRegistry.Execute(cfg.AppRegistry)
 })
- reg(3, opts.Config.AuthApp.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
- cfg.AuthApp.Context = ctx
- cfg.AuthApp.Commons = cfg.Commons
- return authapp.Execute(cfg.AuthApp)
- })
 reg(3, opts.Config.AuthBasic.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
 cfg.AuthBasic.Context = ctx
 cfg.AuthBasic.Commons = cfg.Commons
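Review bot: The re-added `authapp` import in the second hunk sits in a group of its own between the standard library and the third-party imports, which is not where goimports-style grouping would place an in-repo `github.com/owncloud/ocis/v2/...` path. The rest of the import block is outside the hunk, but if the file keeps the other `services/*/pkg/command` imports in a later local group, `authapp` belongs there so a formatter run does not reshuffle it again. The first hunk removes the same import from inside the standard-library group, so the move itself is correct. The body of `NewService` in the third hunk starts and ends outside the hunk.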
@@ -330,6 +326,11 @@ func NewService(options ...Option) (*Service, error) {
 cfg.Audit.Commons = cfg.Commons
 return audit.Execute(cfg.Audit)
 })
+ areg(opts.Config.AuthApp.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
+ cfg.AuthApp.Context = ctx
+ cfg.AuthApp.Commons = cfg.Commons
+ return authapp.Execute(cfg.AuthApp)
+ })
 areg(opts.Config.Policies.Service.Name, func(ctx context.Context, cfg *ociscfg.Config) error {
 cfg.Policies.Context = ctx
 cfg.Policies.Commons = cfg.Commons
diff --git a/services/auth-app/README.md b/services/auth-app/README.md
index 139ee9225..58ac12f17 100644
--- a/services/auth-app/README.md
+++ b/services/auth-app/README.md
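Review bot: The new `areg(...)` registration for auth-app carries no comment explaining why this service left the default `reg(3, ...)` set, so a reader of `NewService` cannot tell from this call that the service is now opt-in. The README added in this commit ties it to `OCIS_ADD_RUN_SERVICES=auth-app` plus `PROXY_ENABLE_APP_AUTH=true` on the proxy; a one-line comment above the call would keep runtime and docs in sync: `// auth-app is opt-in: started only via OCIS_ADD_RUN_SERVICES and requires PROXY_ENABLE_APP_AUTH on the proxy`. Stating this at the registration site also documents that a default deployment's authentication surface does not grow from this service. `NewService` starts and ends outside the hunk.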
@@ -1,3 +1,30 @@
 # Auth-App
 
-TBD
+The auth-app service provides authentication for 3rd party apps.
+
+## The `auth` Service Family
+
+ocis uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
+ - `auth-basic` handles basic authentication
+ - `auth-bearer` handles oidc authentication
+ - `auth-machine` handles interservice authentication when a user is impersonated
+ - `auth-service` handles interservice authentication when using service accounts
+ - `auth-app` handles authentication of external 3rd party apps
+
+## Optional Service
+
+This service is an optional service that will not run with default settings. To start use it, two envvars need to be set:
+```bash
+OCIS_ADD_RUN_SERVICES=auth-app # to start the service. Alternatively you can start the service explicitly via the command line.
+PROXY_ENABLE_APP_AUTH=true # to allow app authentication. This envvar goes to the proxy service in case of a distributed environment.
+```
+
+## App Tokens
+
+App Tokens are used to authenticate 3rd party apps. To be able to use an app token, one must first create a token via cli.
+
+```bash
+ocis auth-app create --user-name={user-name} --expiration={token-expiration}
+```
+
+Once generated, these tokens can be used to authenticate requests to the oCIS services. They can be passed in any request as `Basic Auth` header.
diff --git a/services/auth-basic/README.md b/services/auth-basic/README.md
index c5afe1063..b293d338a 100644
--- a/services/auth-basic/README.md
+++ b/services/auth-basic/README.md
@@ -13,6 +13,7 @@ ocis uses serveral authentication services for different use cases. All services
  - `auth-bearer` handles oidc authentication
  - `auth-machine` handles interservice authentication when a user is impersonated
  - `auth-service` handles interservice authentication when using service accounts
+ - `auth-app` handles authentication of external 3rd party apps
 
 ## Auth Managers
 
diff --git a/services/auth-bearer/README.md b/services/auth-bearer/README.md
index 024f6caa1..63eef5fa0 100644
--- a/services/auth-bearer/README.md
+++ b/services/auth-bearer/README.md
@@ -9,6 +9,7 @@ ocis uses serveral authentication services for different use cases. All services
  - `auth-bearer` handles oidc authentication
  - `auth-machine` handles interservice authentication when a user is impersonated
  - `auth-service` handles interservice authentication when using service accounts
+ - `auth-app` handles authentication of external 3rd party apps
 
 ## Built in OpenID Connect Identity Provider
 
diff --git a/services/auth-machine/README.md b/services/auth-machine/README.md
index b06664054..bafdfcff5 100644
--- a/services/auth-machine/README.md
+++ b/services/auth-machine/README.md
@@ -7,6 +7,7 @@ ocis uses serveral authentication services for different use cases. All services
  - `auth-bearer` handles oidc authentication
  - `auth-machine` handles interservice authentication when a user is impersonated
  - `auth-service` handles interservice authentication when using service accounts
+ - `auth-app` handles authentication of external 3rd party apps
 
 ## User Impersonation
 
diff --git a/services/auth-service/README.md b/services/auth-service/README.md
index b34057d14..e2338ab6e 100644
--- a/services/auth-service/README.md
+++ b/services/auth-service/README.md
@@ -9,6 +9,7 @@ ocis uses serveral authentication services for different use cases. All services
  - `auth-bearer` handles oidc authentication
  - `auth-machine` handles interservice authentication when a user is impersonated
  - `auth-service` handles interservice authentication when using service accounts
+ - `auth-app` handles authentication of external 3rd party apps
 
 ## Service Accounts
 
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index ebc388104..d83b61372 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -294,10 +294,12 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 })
 }
 
- authenticators = append(authenticators, middleware.AppAuthAuthenticator{
- Logger: logger,
- RevaGatewaySelector: gatewaySelector,
- })
+ if cfg.AuthMiddleware.AllowAppAuth {
+ authenticators = append(authenticators, middleware.AppAuthAuthenticator{
+ Logger: logger,
+ RevaGatewaySelector: gatewaySelector,
+ })
+ }
 authenticators = append(authenticators, middleware.PublicShareAuthenticator{
 Logger: logger,
 RevaGatewaySelector: gatewaySelector,
diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go
index 9c067c45d..611cd4ac6 100644
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -91,6 +91,7 @@ var (
 // AuthMiddleware configures the proxy http auth middleware.
 type AuthMiddleware struct {
 CredentialsByUserAgent map[string]string `yaml:"credentials_by_user_agent"`
+ AllowAppAuth bool `yaml:"allow_app_auth" env:"PROXY_ENABLE_APP_AUTH" desc:"Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work." introductionVersion:"%NEXT%"`
 }
 
 // PoliciesMiddleware configures the proxy's policies middleware.
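Review bot: The new `if cfg.AuthMiddleware.AllowAppAuth` branch in the server.go hunk registers or skips the `AppAuthAuthenticator` without any trace, so an operator cannot tell from the proxy's startup output whether app-token authentication is part of the authenticator chain. A log line inside the branch, using the `logger` already passed into `loadMiddlewares`, stating that app authentication is enabled would make the active authentication surface auditable from logs. The config description's requirement that the auth-app service be running is also worth repeating at the call site: `// opt-in: requires PROXY_ENABLE_APP_AUTH on the proxy and a running auth-app service`. `loadMiddlewares` starts and ends outside the hunk.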
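Review bot: The new `AllowAppAuth` field in the config.go hunk uses two names for one switch: the Go field and yaml key say `allow_app_auth`, while the environment variable is `PROXY_ENABLE_APP_AUTH`, so anyone searching the docs for one spelling will miss the other. Since `introductionVersion:"%NEXT%"` marks the field as unreleased, aligning the yaml key with the env name (or the reverse, updating the auth-app README in this commit accordingly) is still cheap. The `desc` could also state the default, for example by appending `Defaults to false, so app-token authentication is not offered by the proxy unless explicitly enabled.`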