* authn-authz: fix CORS issue and refine doc
* add cors policy in the configuration
* reflect helm chart related changes
* clarify the three options for authentication and authorization in
readme
Signed-off-by: Ruoyu Ying <[email protected]>
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---------
Signed-off-by: Ruoyu Ying <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
authN-authZ/auth-istio/README.md (34 additions & 20 deletions)
@@ -2,7 +2,13 @@
2
2
3
3
In enterprise settings not only do we want to identify who is using a service but also what they are entitled to use. This is where authentication and authorization comes in. In contrast, API tokens provide full access by virtue of possession as long as they are valid/not expired. With that aside, we first provide the solution on AuthN and AuthZ in OPEA using Istio and JWT tokens. Another option is to leverage the oauth2-proxy with various OIDC providers for authentication and authorization. Using oauth2-proxy with Istio ensures secure, scalable access control, centralizes user management, and provides seamless single sign-on capabilities, improving overall security and user experience in complex microservices environments.
4
4
5
-
Currently we provide three kinds of setups for authentication and authorization: via fake JWT token, via JWT token generated by OIDC providers and via oauth2-proxy and OIDC providers. And here we use the chatQnA pipeline as an example.
5
+
Currently we provide three kinds of setups for authentication and authorization. Note: Please complete the steps in the [prerequisite](#prerequisite) before proceeding with these tasks. :
6
+
7
+
-[via fake JWT token with curl](#perform-authentication-and-authorization-via-fake-jwt-tokens)
8
+
-[via JWT token generated by OIDC providers with curl](#perform-authentication-and-authorization-via-jwt-tokens-generated-by-oidc-provider)
9
+
-[via oauth2-proxy and OIDC providers with UI](#perform-authentication-and-authorization-via-oauth2-proxy-and-oidc-provider-and-ui)
10
+
11
+
Here we use the chatQnA pipeline as an example.
6
12
7
13
## Prerequisite
8
14
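Review bot: the three inserted link lines are written as `-[via fake JWT token with curl](...)` with no space after the hyphen, so GitHub-flavored Markdown will render them as plain text rather than a list; change each to `- [via ...](...)`. The sentence introducing the list also ends with a stray ` :` after the embedded "Note: Please complete the steps in the [prerequisite](#prerequisite) before proceeding with these tasks." text; either end the intro with a single colon and put the note on its own line after the list, or drop the trailing colon.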
@@ -15,7 +21,7 @@ Before composing an OPEA pipeline with authN & authZ, user need to install Istio
15
21
# deploy ChatQnA pipeline. You can either leverage GMC or the ChatQnA helm chart.
16
22
kubectl create ns chatqa
17
23
# here's the command to leverage GMC custom resource for ChatQnA deployment.
**Note:** Double check if the host ip captured is the correct ip.
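Review bot: the context comment "# deploy ChatQnA pipeline. You can either leverage GMC or the ChatQnA helm chart." promises two deployment paths, but only the GMC custom resource command is shown here; since the commit message says it reflects helm chart changes, add the helm install command (or a link to the chart's README) under the same step so the helm path is as actionable as the GMC one.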
@@ -223,7 +236,7 @@ The user management is done via Keycloak and the configuration steps look like t
223
236
224
237

225
238
226
-
2. Create a new client called `chatqna` and set `Client authentication` to 'On'. Set "http://chatqna-ui.com:${INGRESS_PORT}/*" in the `Valid redirect URIs` part. Note that `INGRESS_PORT` and `INGRESS_HOST` shall be exported following the guide [here](https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports). Under the Credentials tab you will now be able to locate `<your client's secret>`, which will be used in the oauth2-proxy configs.
239
+
2. Create a new client called `chatqna` and set `Client authentication` to 'On'. Set the value of `$URL` with "/\* " (e.g. "http://chatqna-ui.com:${INGRESS_PORT}/*") in the `Valid redirect URIs` part. Note that `INGRESS_PORT` and `INGRESS_HOST` shall be exported following the guide [here](https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports). Under the Credentials tab you will now be able to locate `<your client's secret>`, which will be used in the oauth2-proxy configs.
**Validate authentication and authorization with UI service**
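Review bot: the `Valid redirect URIs` value still uses a wildcard (`http://chatqna-ui.com:${INGRESS_PORT}/*`), which lets Keycloak deliver the authorization code to any path on that host; restrict it to the oauth2-proxy callback path (by default `/oauth2/callback`) so a redirect to an unintended page cannot receive the code. Also, `$URL` is introduced in the new line without being defined in this hunk, and the escaped `"/\* "` (with a trailing space inside the quotes) renders oddly; state where `$URL` is exported and write the suffix as `/*` in backticks. The note says `INGRESS_HOST` must be exported, yet the example URI hard-codes `chatqna-ui.com`, so clarify which of the two the redirect URI should use.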
@@ -315,4 +327,6 @@ sudo sed -i '1i\127.0.0.1 chatqna-service.com' /etc/hosts
315
327
sudo sed -i '1i\127.0.0.1 chatqna-ui.com' /etc/hosts
316
328
```
317
329
318
-
Open browser with address "chatqna-ui.com:${INGRESS_PORT}". Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service.
330
+
Open browser with address `"chatqna-ui.com:${INGRESS_PORT}"`if using GMC based deployment. Otherwise, open the browser with address `"chatqna-service.com:${INGRESS_PORT}"`.
331
+
332
+
Login with user `bob` and its credentials shall return a 403 error. Login with user `mary` and its credentials shall able to access the ChatQnA service.
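Review bot: in the added line `Open browser with address `"chatqna-ui.com:${INGRESS_PORT}"`if using GMC based deployment` there is no space between the closing backtick and `if`, and the quotes inside the backticks are redundant; write it as `` `chatqna-ui.com:${INGRESS_PORT}` if using a GMC-based deployment ``. The moved sentence still reads "shall able to access the ChatQnA service" and should be "shall be able to access"; it would also help to say which layer is expected to return the 403 for `bob`, so the reader can tell the intended denial from a misconfiguration.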