From a542aad99955059392dfd24ae5782df791b7634c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?= Date: Fri, 4 Nov 2022 15:05:32 +0100 Subject: [PATCH] [docs-only] add auth bearer readme (#4982) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add auth bearer readme Signed-off-by: Jörn Friedrich Dreyer * Apply suggestions from code review Co-authored-by: Christian Richter <1058116+dragonchaser@users.noreply.github.com> Signed-off-by: Jörn Friedrich Dreyer Co-authored-by: Christian Richter <1058116+dragonchaser@users.noreply.github.com> --- services/auth-basic/README.md | 2 +- services/auth-bearer/README.md | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 services/auth-bearer/README.md diff --git a/services/auth-basic/README.md b/services/auth-basic/README.md index f2a826c77..82db24a70 100644 --- a/services/auth-basic/README.md +++ b/services/auth-basic/README.md @@ -1,6 +1,6 @@ # Auth-Basic Service -The oCIS Auth Basic service provides basic authentication for those clients who cannot handle OIDC. This is a rare case, is usually not necessary and mainly used for tests or development. +The oCIS Auth Basic service provides basic authentication for those clients who cannot handle OpenID Connect. This should only be enabled for tests and development. The `auth-basic` service is responsible for validating authentication of incoming requests. To do so, it will use the configured `auth manager`, see the `Auth Managers` section. Only HTTP basic auth requests to ocis will involve the `auth-basic` service. diff --git a/services/auth-bearer/README.md b/services/auth-bearer/README.md new file mode 100644 index 000000000..a8ece5de9 --- /dev/null +++ b/services/auth-bearer/README.md 
@@ -0,0 +1,13 @@ +# Auth-Bearer Service + +The oCIS Auth Bearer service communicates with the configured OpenID Connect identity provider to authenticate requests. OpenID Connect is the default authentication mechanism for all clients: web, desktop and mobile. Basic auth is only used for testing and has to be explicity enabled. + +## Built in OpenID Connect identity provider + +A default oCIS deployment will start a [built in OpenID Connect identity provider](https://github.com/owncloud/ocis/tree/master/services/idp) but can be configured to use an external one as well. + +## Scalability + +There is no persistance or caching. The proxy caches verified auth bearer tokens. Requests will be forwarded to the identity provider. Therefore, multiple instances of the `auth-bearer` service can be started without further configuration. Currently, the auth registry used by the gateway can only use a single instance of the service. To use more than one auth provider per deployment you need to scale the gateway. + +This will change when we use the service registry in more places and use micro clients to select an instance of a service.
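Review bot: In the services/auth-basic/README.md hunk, the rewritten sentence says the service "should only be enabled for tests and development" but still gives the reader no pointer to where it is switched on or off; consider adding a link to the service's configuration section next to that sentence so the recommendation is actionable. Also, the unchanged context line "Only HTTP basic auth requests to ocis will involve the `auth-basic` service." spells the product "ocis" while the new sentence uses "oCIS"; since this hunk already touches the paragraph, aligning it to "oCIS" here would be cheap.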
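Review bot: In the new services/auth-bearer/README.md, the "Scalability" section contradicts itself: "There is no persistance or caching." is immediately followed by "The proxy caches verified auth bearer tokens." Make the subject of each statement explicit, for example "The `auth-bearer` service itself keeps no state and no cache; the proxy caches verified bearer tokens, and every other request is forwarded to the identity provider." Spelling in the same file: "persistance" should be "persistence" and "explicity" should be "explicitly"; the heading "Built in OpenID Connect identity provider" reads better as "Built-in". Finally, the closing paragraph ("This will change when we use the service registry in more places...") documents a plan rather than current behaviour; consider labelling it as a known limitation or moving it out of the README so readers do not mistake it for a description of how the gateway selects instances today.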