The Authentication Support Service is a generic service that provides support to offload a service from authentication and fetching/refreshing of an authorization token.
A POD running a Service can include this running in a sidecar container. This Authentication Support Service will then make sure that a valid token is available to the service by means of a local file (in the POD).

The Service can then just read the token from a file and insert it into the HTTP header of each REST call.

The Authentication Support Service currently supports authentication using a private shared key. The used authentication provider used for testing is Keycloak.

The component is configured by means of the following environment variables:

CERT_PATH  the file path to an x.509 cert to be used for TLS.
CERT_KEY_PATH the file path to a file containing the private key of the cert.
ROOT_CA_CERTS_PATH optional file path to a file containing the trusted (CA) certs used by the Authentication Provider.
LOG_LEVEL an optional level of the log (Info, Debug, Trace, Warn, Error). Defaults to Info.
used for authentication, Client Credentials grant type.
CREDS_CLIENT_SECRET used for authentication, Client Secret.
CREDS_CLIENT_ID used for authentication, Client ID.
OUTPUT_FILE the file path of the file in which the fetched authorization token shall be stored.
AUTH_SERVICE_URL used for authentication, the URL to the authentication service.
REFRESH_MARGIN_SECONDS defines how long time in advance the token is refreshed (before it expires). Default is 5 seconds.

The Authentication Support Service is available as a docker image (example path to staging repo)

A typical useage of the image in kubernetes as a sidecar container may look like this where the application container and the sidecar container share an "emptyDir" volume. This volume is shared between the containers during the lifetime of the pod.

Deployment manifest example

Example yaml
      - name: informationservice
        imagePullPolicy: Always
        - name: http
          containerPort: 8083
        - name: https
          containerPort: 8434
        - mountPath: /token-cache
          name: token-cache-volume
      - name: authsidecar
        imagePullPolicy: Always
        - name: CREDS_GRANT_TYPE
          value: client_credentials
        - name: CREDS_CLIENT_SECRET
          value: XXXXXXX
        - name: CREDS_CLIENT_ID
          value: icsc
        - name: OUTPUT_FILE
          value: /token-cache/jwt.txt
        - name: AUTH_SERVICE_URL
          value: http://keycloak.keycloak:80/realms/nrtrealm/protocol/openid-connect/token
        - mountPath: /token-cache
          name: token-cache-volume
      - name: token-cache-volume
        emptyDir: {}


  • No labels