Fixes #26168: Add OAuth2 Bearer token with client_credentials flow for Rudder API authentication #783

@fanf fanf commented Jan 13, 2025

https://issues.rudder.io/issues/26168

Implements the possibility to use the Rudder API with a JWT token.

From an arch point of view, we use spring-security. We add the corresponding filter in the API security chain if our rudder config has at least one JWT (oauth2api) provider configured and enabled.

The configuration file is simpler than for OIDC and uses the same format with a "jwt" in place of "oauth2" in the first part of the path (see below for an example).
This fact led me to (massively) refactor the config parsing part of the code, so that we are sure the common idioms are parsed similarly.
I also added tenants parsing here, since it's exactly the same as for roles. Here again, care was taken to make the parsing as similar as possible.

The JWT filter is quite simple, and most of the logic goes into the converter that takes the authenticated token and converts it into RudderUserDetails.

NOTE: for now, it seems that we can have only one JWT registration, since spring security doesn't seem able to manage several JWT key URLs. So all clients must be in the same domain.

Here again, there is a lot of similarity with OIDC, so again code was shared when possible.

Config example for JWT:

# Identity of the registration, used Rudder-side for logs etc. 
rudder.auth.jwt.provider.registrations=someidp
# A human name when the registration must be conveyed to end user. 
rudder.auth.jwt.provider.someidp.name=Some ID
# The single most important property for a JWT token: where the IdP public
# keys that will be used to check the JWT signature are located.
rudder.auth.jwt.provider.someidp.uri.jwkSet="https://someidp/oauth2/v1/keys"

# Audience is a way to restrict the scope of a JWT token to a set of APIs.
# For rudder, we only have one scope (by default io.rudder.api). You can
# specify another audience here, and rudder will check for that one in place
# of the default one in JWTs.
# 
rudder.auth.jwt.provider.someidp.audience=openid email profile groups

# This part is for mapping roles. It's the same behavior as for OIDC:
# - we have an attribute in the token that holds an array of IdP provided roles:
#   [rudder_admin, rudder_readonly]
# - we can use these roles directly or use an additional step of mapping on rudder side,
#   or even restrict the available roles only to the ones mapped:
#   ...rudder_admin -> administrator
#   ...rudder_readonly -> readonly
# 
rudder.auth.jwt.provider.someidp.roles.enabled=true
rudder.auth.jwt.provider.someidp.roles.attribute=customroles
rudder.auth.jwt.provider.someidp.roles.override=true
rudder.auth.jwt.provider.someidp.roles.mapping.enforced=true
rudder.auth.jwt.provider.someidp.roles.mapping.entitlements.rudder_admin=administrator
rudder.auth.jwt.provider.someidp.roles.mapping.entitlements.rudder_readonly=readonly

# This part is for mapping tenants to which the token has access (if enabled).
# The mapping is similar to roles, on the corresponding attribute.
rudder.auth.jwt.provider.someidp.tenants.enabled=true
rudder.auth.jwt.provider.someidp.tenants.attribute=customtenants
rudder.auth.jwt.provider.someidp.tenants.override=true
rudder.auth.jwt.provider.someidp.tenants.mapping.enforced=true
rudder.auth.jwt.provider.someidp.tenants.mapping.entitlements.rudder_TA=TA
rudder.auth.jwt.provider.someidp.tenants.mapping.entitlements.rudder_TB=TB
# you can use the dedicated tenants syntax to mean "all tenants" or "no tenants"
rudder.auth.jwt.provider.someidp.tenants.mapping.entitlements.rudder_no_tenants=-
rudder.auth.jwt.provider.someidp.tenants.mapping.entitlements.rudder_all_tenants=*

@fanf fanf force-pushed the ust_26168/add_oauth2_bearer_token_with_client_credentials_flow_for_rudder_api_authentication branch 2 times, most recently from 07bdad8 to 24b8e03 Compare January 17, 2025 21:17

fanf commented Jan 22, 2025

PR updated with a new commit

@fanf fanf force-pushed the ust_26168/add_oauth2_bearer_token_with_client_credentials_flow_for_rudder_api_authentication branch from 30e2ada to 25b6ba6 Compare January 22, 2025 22:03

fanf commented Jan 22, 2025

PR updated with a new commit

@@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
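Review bot: only the XML prolog of this new 42-line file is visible, and as the author's comment on this file explains, Rudder only uses the file's existence to discover the JWT backend; a short XML comment right after the prolog stating that the file is a backend discovery marker and must not be removed would keep a future cleanup from silently disabling the backend.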


this file is needed since the JWT filter is a new rudder backend, and for now, they are looked up by the existence of that file (which is a scare from another time).


fanf commented Jan 22, 2025

PR updated with a new commit

@fanf fanf force-pushed the ust_26168/add_oauth2_bearer_token_with_client_credentials_flow_for_rudder_api_authentication branch from b52b52d to 47d30f7 Compare January 22, 2025 23:32
@fanf fanf marked this pull request as ready for review January 23, 2025 16:12
@clarktsiory clarktsiory left a comment

LGTM!
The refactoring is nice!
A few questions and considerations, but once they are addressed it can be merged.

@fanf fanf force-pushed the ust_26168/add_oauth2_bearer_token_with_client_credentials_flow_for_rudder_api_authentication branch from 5b139e4 to ffadfef Compare January 26, 2025 21:40
@fanf fanf requested a review from clarktsiory January 26, 2025 21:41

fanf commented Jan 27, 2025

PR updated with a new commit

@Normation-Quality-Assistant

OK, squash merging this PR

@Normation-Quality-Assistant Normation-Quality-Assistant force-pushed the ust_26168/add_oauth2_bearer_token_with_client_credentials_flow_for_rudder_api_authentication branch from a4df336 to 36ffebe Compare January 27, 2025 15:52
@Normation-Quality-Assistant Normation-Quality-Assistant merged commit 36ffebe into Normation:branches/rudder/8.3 Jan 27, 2025