authN-authZ: add oauth2-proxy support for authentication and authorization together with GMC #291
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please do NOT merge before #260 got merged. I need to do a rebase for this. |
Ruoyu-y
changed the title
irisdingbj
reviewed
Aug 12, 2024
| # then deploy oauth2-proxy | ||
| export REALM=<YOUR_REALM_NAME> | ||
| export CLIENT=<YOUR_CLIENT_NAME> | ||
| envsubst < $(pwd)/config/authN-authZ/oauth2_install.yaml | kubectl -n chatqa apply -f - |
There was a problem hiding this comment.
Does it matter if we have istio sidecar injeciton for oauth2-proxy and keycloak or not? better to have this info in the steps
There was a problem hiding this comment.
Thanks for the notice. Let me add that
irisdingbj
approved these changes
Aug 13, 2024
zhlsunshine
reviewed
Aug 14, 2024
|
|
||
| <img src="./docs/create_realm.png" width="600" height="300"> | ||
|
|
||
| 2. Create a new client called `chatqna` and set `Client authentication` to 'On'. Set "http://chatqna-ui.com:${INGRESS_PORT}/*" in the `Valid redirect URIs` part. Under the Credentials tab you will now be able to locate `<your client's secret>`, which will be used in the oauth2-proxy configs. |
There was a problem hiding this comment.
Hi @Ruoyu-y, we may need to tell user how to obtain this INGRESS_PORT, by executing shell command or a link of Istio?
There was a problem hiding this comment.
The same to INGRESS_HOST
There was a problem hiding this comment.
At the top of the readme, I am redirecting them to the istio website to do that. Maybe i can just add the notice again here.
zhlsunshine
reviewed
Aug 14, 2024
|
|
||
| <img src="./docs/create_user.png" width="600" height="300"> | ||
|
|
||
| 5. Create a new Client Scope with the name `groups` in Keycloak with `Include in Token Scope` set as `On`. Include a mapper of type `Group Membership` and set the `Token Claim Name` to `groups`. If the "Full group path" option is selected, you need to include a "/" separator in the group names defined in the --allowed-group option of OAuth2 Proxy. Example: "/groupname". After creating the Client Scope named `groups` you will need to attach it to your client. Go to Clients and find `<your client's id> -> Client scopes` and add client scope and select `groups` and choose `Optional` and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them. |
There was a problem hiding this comment.
Suggested change
| 5. Create a new Client Scope with the name `groups` in Keycloak with `Include in Token Scope` set as `On`. Include a mapper of type `Group Membership` and set the `Token Claim Name` to `groups`. If the "Full group path" option is selected, you need to include a "/" separator in the group names defined in the --allowed-group option of OAuth2 Proxy. Example: "/groupname". After creating the Client Scope named `groups` you will need to attach it to your client. Go to Clients and find `<your client's id> -> Client scopes` and add client scope and select `groups` and choose `Optional` and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them. | |
| 6. Create a new Client Scope with the name `groups` in Keycloak with `Include in Token Scope` set as `On`. Include a mapper of type `Group Membership` and set the `Token Claim Name` to `groups`. If the "Full group path" option is selected, you need to include a "/" separator in the group names defined in the --allowed-group option of OAuth2 Proxy. Example: "/groupname". After creating the Client Scope named `groups` you will need to attach it to your client. Go to Clients and find `<your client's id> -> Client scopes` and add client scope and select `groups` and choose `Optional` and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them. |
There was a problem hiding this comment.
Thanks for comment. Will revise.
zhlsunshine
reviewed
Aug 14, 2024
|
|
||
| <img src="./docs/attach_group_scope.png" width="600" height="300"> | ||
|
|
||
| 6. Create two groups `user` and `viewer` by navigating to Groups -> Create group. Assign role `user` to group `user` and role `viewer` to group `viewer` and add user `mary` as a member of group `user` and `bob` as a member of group `viewer`. |
There was a problem hiding this comment.
Suggested change
| 6. Create two groups `user` and `viewer` by navigating to Groups -> Create group. Assign role `user` to group `user` and role `viewer` to group `viewer` and add user `mary` as a member of group `user` and `bob` as a member of group `viewer`. | |
| 7. Create two groups `user` and `viewer` by navigating to Groups -> Create group. Assign role `user` to group `user` and role `viewer` to group `viewer` and add user `mary` as a member of group `user` and `bob` as a member of group `viewer`. |
* Add more descriptions for the authentication and authorization part * change the sample authorization to perform on role Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com>
* add the yamls for configurations of oauth2 * add oauth2-proxy installation guide * update documentations Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com>
for more information, see https://pre-commit.ci
|
@Ruoyu-y plz remove the draft status from this PR so that we can get it merged |
zhlsunshine
approved these changes
Aug 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Support GUI-based authentication and authorization with the help of Istio, oauth2-proxy and OIDC provider.
Issues
#169
Type of change
List the type of change like below. Please delete options that are not relevant.
Dependencies
oauth2-proxy
Tests
n/a