bearer token config i.s.o. dvproxy
ErykKul committed Oct 1, 2024
1 parent c0abcd2 commit 9818836
Showing 15 changed files with 30 additions and 123 deletions.
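--- a/AUTHENTICATION_ARCH.md
+++ b/AUTHENTICATION_ARCH.md
@@ -5,5 +5,5 @@ Steps needed to get it running:
 - make a `.env` file inside the `dev-authn-env` directory (see [example](/dev-authn-env/.env.example))
 - change the username inside [/dev-authn-env/keycloak/oauth2-proxy-users-0.json](/dev-authn-env/keycloak/oauth2-proxy-users-0.json) to the username as used in the configured in the `.env` file (mentioned above) Dataverse installation
 - `cd` into `dev-authn-env` directory and run `make keycloak-up`
-- go to the SPA at http://dataverse-public.localtest.me:9000/, you can log in (password is `password`), etc.
+- go to the SPA at http://dataverse-public.localhost:9000/, you can log in (password is `password`), etc.
 - see also [docker-compose-keycloak.yml](/dev-authn-env/docker-compose-keycloak.yml) and the configuration files ([oauth2-proxy-keycloak.cfg](/dev-authn-env/oauth2-proxy-keycloak.cfg) etc.)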
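--- a/dev-authn-env/.env.example
+++ b/dev-authn-env/.env.example
@@ -1,6 +1,3 @@
 REGISTRY=docker.io
 FRONTEND_VERSION=architecture/authentication-conversation-starter
-DATAVERSE_SERVER=https://beta.dataverse.org
-API_KEY=secret_api_key
-UNBLOCK_KEY=secret_unblock_key
-USER_HEADER=X-Forwarded-Preferred-Username
+DATAVERSE_SERVER=http://172.17.0.1:8080/api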
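Review bot: `DATAVERSE_SERVER=http://172.17.0.1:8080/api` points at the Docker default-bridge gateway address, so it only works when the Dataverse API is published on the host (the dev-env compose change in this commit opens `8080:8080`) and when the bridge gateway really is 172.17.0.1 on the developer's machine; neither assumption is stated anywhere. Since the frontend Dockerfile bakes this value into nginx.conf with `sed` at image build time, a changed value also takes effect only after a rebuild. A comment such as `# host-published Dataverse API reached via the docker0 bridge gateway; needs ports 8080:8080 in dev-env and a frontend image rebuild after changes` would save the next reader a debugging round.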
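--- a/dev-authn-env/docker-compose-keycloak.yml
+++ b/dev-authn-env/docker-compose-keycloak.yml
@@ -1,20 +1,19 @@
 # see: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/docker-compose-keycloak.yaml
 # This docker-compose file can be used to bring up an example instance of oauth2-proxy
 # for manual testing and exploration of features.
-# Alongside OAuth2-Proxy, this file also starts Keycloak to act as the identity provider,
-# dvproxy as an example upstream.
+# Alongside OAuth2-Proxy, this file also starts Keycloak to act as the identity provider
 #
 # This can either be created using docker-compose
 # docker-compose -f docker-compose-keycloak.yaml <command>
 # Or:
 # make keycloak-<command> (eg. make keycloak-up, make keycloak-down)
 #
-# Access public SPA http://dataverse-public.localtest.me:9000/
-# Access public API http://dataverse-public.localtest.me:9000/api/v1/users/:me
+# Access public SPA http://dataverse-public.localhost:9000/
+# Access public API http://dataverse-public.localhost:9000/api/v1/users/:me
 # click on "Log In" and login with [email protected], password=password, or use:
-# Access authenticated SPA http://oauth2-proxy.localtest.me:4180/ to initiate a login cycle using [email protected], password=password
-# Access authenticated API http://oauth2-proxy.localtest.me:4180/api/v1/users/:me to initiate a login cycle using [email protected], password=password
-# Access http://keycloak.localtest.me:9080 with the same credentials to check out the settings
+# Access authenticated SPA http://oauth2-proxy.localhost:4180/ to initiate a login cycle using [email protected], password=password
+# Access authenticated API http://oauth2-proxy.localhost:4180/api/v1/users/:me to initiate a login cycle using [email protected], password=password
+# Access http://keycloak.localhost:9080 with the same credentials to check out the settings
 services:
 
 # secured access
@@ -56,7 +55,7 @@ services:
 networks:
 keycloak:
 aliases:
-- keycloak.localtest.me
+- keycloak.localhost
 
 dataverse:
 container_name: 'dataverse'
@@ -67,29 +66,11 @@ services:
 network: host
 args:
 CONFIG: authn
+DATAVERSE_SERVER: ${DATAVERSE_SERVER}
 networks:
 dataverse:
 aliases:
-- dataverse.localtest.me
-depends_on:
-- dvproxy
-
-dvproxy:
-container_name: 'dvproxy'
-hostname: dvproxy
-build:
-context: ./dvproxy
-dockerfile: ./Dockerfile
-network: host
-restart: on-failure
-environment:
-DATAVERSE_SERVER: ${DATAVERSE_SERVER}
-API_KEY: ${API_KEY}
-UNBLOCK_KEY: ${UNBLOCK_KEY}
-USER_HEADER: ${USER_HEADER}
-networks:
-- dataverse
-privileged: false
+- dataverse.localhost
 
 # public access
 
@@ -108,7 +89,7 @@ services:
 networks:
 dataverse:
 aliases:
-- dataverse-public.localtest.me
+- dataverse-public.localhost
 
 networks:
 dataverse: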
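Review bot: The new `DATAVERSE_SERVER: ${DATAVERSE_SERVER}` build arg in the third hunk is consumed by the frontend Dockerfile's `sed` into nginx.conf, so the upstream URL is frozen into the image and a changed `.env` takes effect only after `docker compose build`; an inline comment `# baked into nginx.conf at image build time; rebuild the image after changing .env` next to the arg would make that visible. With the dvproxy service and the `depends_on` on it removed, nothing in this file provides the `/api` upstream any more (it is expected from the host through the bridge address), which is fine for a sandbox but deserves a line in the header comment where dvproxy used to be described. The login hints in the first hunk still name the previous account (rendered obfuscated here) while the realm user file in this commit switches to `dataverseAdmin`; I'd update them in the same change.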
15 changes: 0 additions & 15 deletions dev-authn-env/dvproxy/Dockerfile

This file was deleted.

52 changes: 0 additions & 52 deletions dev-authn-env/dvproxy/app/main.go

This file was deleted.

5 changes: 0 additions & 5 deletions dev-authn-env/dvproxy/go.mod

This file was deleted.

2 changes: 0 additions & 2 deletions dev-authn-env/dvproxy/go.sum

This file was deleted.

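--- a/dev-authn-env/frontend/Dockerfile
+++ b/dev-authn-env/frontend/Dockerfile
@@ -17,5 +17,5 @@ FROM nginx:1.27.1-alpine
 COPY --from=builder /app/dist /usr/share/nginx/html
 ARG CONFIG=public
 COPY ./dev-authn-env/frontend/${CONFIG}/nginx.conf /etc/nginx/conf.d/default.conf
-ARG DATAVERSE_SERVER=http://dvproxy:5050/api
+ARG DATAVERSE_SERVER=http://172.17.0.1:8080
 RUN sed -i -e 's@DATAVERSE_SERVER@'"$DATAVERSE_SERVER"'@' /etc/nginx/conf.d/default.conf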
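Review bot: The new default `ARG DATAVERSE_SERVER=http://172.17.0.1:8080` differs from the value shipped in `.env.example` (`http://172.17.0.1:8080/api`); for a `location /api` block, `proxy_pass` with and without the `/api` URI part should produce the same upstream path, but two defaults that differ only by a suffix invite drift, so I'd make them identical. The unchanged `sed` on the next line uses `@` as its delimiter, so any DATAVERSE_SERVER containing `@` (userinfo in the URL) would corrupt the substitution; a comment stating that constraint next to the ARG, e.g. `# must not contain '@' (sed delimiter below); baked into nginx.conf at build time`, would help.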
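--- a/dev-authn-env/frontend/authn/.env
+++ b/dev-authn-env/frontend/authn/.env
@@ -1,2 +1,2 @@
-VITE_DATAVERSE_BACKEND_URL=http://oauth2-proxy.localtest.me:4180
+VITE_DATAVERSE_BACKEND_URL=http://oauth2-proxy.localhost:4180
 STORYBOOK_CHROMATIC_BUILD=false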
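--- a/dev-authn-env/frontend/authn/nginx.conf
+++ b/dev-authn-env/frontend/authn/nginx.conf
@@ -4,7 +4,7 @@ server {
 server_name dataverse-authn;
 
 location /api {
-proxy_pass http://dvproxy:5050/api;
+proxy_pass DATAVERSE_SERVER;
 }
 
 location / {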
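Review bot: `proxy_pass DATAVERSE_SERVER;` is a bare placeholder that only becomes a valid URL after the `sed` in dev-authn-env/frontend/Dockerfile runs; nginx refuses to start on the unreplaced token, which is a good fail-closed outcome, but nothing in this file says so. I'd add `# DATAVERSE_SERVER is substituted at image build time by dev-authn-env/frontend/Dockerfile; nginx will not start if it is left unreplaced` above the directive. Since the upstream is now Dataverse itself rather than dvproxy, the `Authorization` header forwarded by oauth2-proxy is what authenticates the API call; nginx passes client request headers through by default, so no extra directive is needed here, but a comment noting that this location must never strip or override `Authorization` would protect the design choice behind this commit.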
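--- a/dev-authn-env/frontend/public/.env
+++ b/dev-authn-env/frontend/public/.env
@@ -1,3 +1,3 @@
 VITE_DATAVERSE_BACKEND_URL=http://localhost:9000
-VITE_DATAVERSE_AUTHN_URL=http://oauth2-proxy.localtest.me:4180
+VITE_DATAVERSE_AUTHN_URL=http://oauth2-proxy.localhost:4180
 STORYBOOK_CHROMATIC_BUILD=false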
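--- a/dev-authn-env/keycloak/oauth2-proxy-realm.json
+++ b/dev-authn-env/keycloak/oauth2-proxy-realm.json
@@ -661,7 +661,7 @@
 "clientAuthenticatorType": "client-secret",
 "secret": "72341b6d-7065-4518-a0e4-50ee15025608",
 "redirectUris": [
-"http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+"http://oauth2-proxy.localhost:4180/oauth2/callback"
 ],
 "webOrigins": [],
 "notBefore": 0,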
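--- a/dev-authn-env/keycloak/oauth2-proxy-users-0.json
+++ b/dev-authn-env/keycloak/oauth2-proxy-users-0.json
@@ -4,8 +4,8 @@
 {
 "id": "3356c0a0-d4d5-4436-9c5a-2299c71c08ec",
 "createdTimestamp": 1591297959169,
-"username": "[email protected]",
-"email": "admin@example.com",
+"username": "dataverseAdmin",
+"email": "dataverse@mailinator.com",
 "enabled": true,
 "totp": false,
 "emailVerified": true,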
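Review bot: The new address `dataverse@mailinator.com` falls outside the `email_domains="example.com"` allow-list that oauth2-proxy-keycloak.cfg still carries (visible as context in that file's hunk), so unless the proxy applies that filter differently than its documentation describes, a browser login as `dataverseAdmin` will succeed at Keycloak and then be refused by oauth2-proxy. Either keep the test account on the allowed domain or widen the filter deliberately in the same commit, e.g. `email_domains="mailinator.com"`, which keeps the allow-list explicit. The username change also makes the login hints in the docker-compose-keycloak.yml header and the `-0.json` naming in AUTHENTICATION_ARCH.md worth a re-read, since they still describe the previous account.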
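--- a/dev-authn-env/oauth2-proxy-keycloak.cfg
+++ b/dev-authn-env/oauth2-proxy-keycloak.cfg
@@ -3,8 +3,8 @@ cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
 email_domains="example.com"
 cookie_secure="false"
 upstreams="http://dataverse"
-cookie_domains=["oauth2-proxy.localtest.me:4080", "dataverse.localtest.me:8000", "keycloak.localtest.me:9080"] # Required so cookie can be read on all subdomains.
-whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
+cookie_domains=["oauth2-proxy.localhost:4080", "dataverse.localhost:8000", "keycloak.localhost:9080"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".localhost"] # Required to allow redirection back to original requested target.
 skip_jwt_bearer_tokens="true" # will skip requests that have verified JWT bearer tokens (the token must have aud that matches this client id or one of the extras from extra-jwt-issuers)
 pass_access_token="true"
 set_xauthrequest="true"
@@ -13,10 +13,10 @@ pass_authorization_header="true"
 # keycloak provider
 client_secret="72341b6d-7065-4518-a0e4-50ee15025608"
 client_id="oauth2-proxy"
-redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="http://oauth2-proxy.localhost:4180/oauth2/callback"
 
 # in this case oauth2-proxy is going to visit
-# http://keycloak.localtest.me:9080/realms/oauth2-proxy/.well-known/openid-configuration for configuration
-oidc_issuer_url="http://keycloak.localtest.me:9080/realms/oauth2-proxy"
+# http://keycloak.localhost:9080/realms/oauth2-proxy/.well-known/openid-configuration for configuration
+oidc_issuer_url="http://keycloak.localhost:9080/realms/oauth2-proxy"
 provider="oidc"
 provider_display_name="Keycloak"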
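Review bot: The rewritten `cookie_domains` line keeps host:port entries, including `oauth2-proxy.localhost:4080`, while every other URL in this file and the compose aliases put the proxy on port 4180; browsers scope cookies by host name only, so the `:4080`/`:8000`/`:9080` suffixes are at best ignored and at worst make the domain match fail, leaving the session cookie unset across the `.localhost` hosts. Since the same hunk already moves `whitelist_domains` to `[".localhost"]`, `cookie_domains=[".localhost"]` would be the consistent form, after checking how the browsers used for testing treat cookies on the `localhost` special-use name. The `email_domains="example.com"` context line no longer matches the account this commit creates in oauth2-proxy-users-0.json (`dataverse@mailinator.com`), so it needs the same attention.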
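--- a/dev-env/docker-compose-dev.yml
+++ b/dev-env/docker-compose-dev.yml
@@ -46,7 +46,10 @@ services:
 DATAVERSE_DB_HOST: postgres
 DATAVERSE_DB_PASSWORD: secret
 DATAVERSE_DB_USER: ${DATAVERSE_DB_USER}
-DATAVERSE_FEATURE_API_SESSION_AUTH: 1
+DATAVERSE_AUTH_OIDC_ENABLED: "1"
+DATAVERSE_AUTH_OIDC_CLIENT_ID: oauth2-proxy
+DATAVERSE_AUTH_OIDC_CLIENT_SECRET: 72341b6d-7065-4518-a0e4-50ee15025608
+DATAVERSE_AUTH_OIDC_AUTH_SERVER_URL: http://keycloak.localhost:9080/realms/oauth2-proxy
 JVM_ARGS: -Ddataverse.pid.providers=fake
 -Ddataverse.pid.default-provider=fake
 -Ddataverse.pid.fake.type=FAKE
@@ -66,8 +69,8 @@ services:
 -Ddataverse.files.s3.connection-pool-size=2048
 -Ddataverse.files.s3.custom-endpoint-region=us-east-1
 -Ddataverse.files.s3.custom-endpoint-url=https://s3.us-east-1.amazonaws.com
-expose:
-- '8080'
+ports:
+- '8080:8080'
 networks:
 - dataverse
 depends_on: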
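Review bot: `DATAVERSE_AUTH_OIDC_CLIENT_SECRET: 72341b6d-…` adds a third literal copy of the Keycloak client secret to the repository (oauth2-proxy-keycloak.cfg and oauth2-proxy-realm.json carry the same value); `DATAVERSE_DB_USER: ${DATAVERSE_DB_USER}` two lines up already shows the pattern, so `DATAVERSE_AUTH_OIDC_CLIENT_SECRET: ${DATAVERSE_AUTH_OIDC_CLIENT_SECRET}` with the value in the dev-env `.env` keeps one source of truth and keeps any non-sandbox secret out of the compose file. In the same hunk only `DATAVERSE_AUTH_OIDC_ENABLED: "1"` is quoted; quoting the other three as well is the safer convention for values a YAML loader must never retype. `DATAVERSE_AUTH_OIDC_AUTH_SERVER_URL` names `keycloak.localhost`, which is a network alias defined in the keycloak compose project, so whether the Dataverse container resolves it depends on it joining that network (a resolver's built-in `.localhost` handling would point at the container itself instead); I'd confirm that from inside the container and document the expectation next to the variable. In the second hunk `ports: - '8080:8080'` replaces `expose` and publishes the Dataverse API on every host interface; if the frontend reaching `172.17.0.1:8080` is the only consumer, a bridge-only bind such as `'172.17.0.1:8080:8080'` (verify it is still reachable from the frontend container) or at least a comment stating why the port is published would narrow that exposure.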
