The Authentication Support Service is a generic service that can provides support to offload a service from authentication , and fetching and /refreshing of an authorization token to be used for any service.
A POD running a Service can include this as running in a sidecar container. The container will This Authentication Support Service will then make sure that a valid token is available to the service via by means of a local file (in the POD).
The service will Service can then just read the token from a file and insert it into the HTTP header of each REST call.
The component The Authentication Support Service currently supports authorization authentication using a private shared key and the . The used authorization authentication provider used for testing is Keycloak.
The component is configured by means of the following environment variables:
CERT_PATH the file path to an x.509 cert to be used for TLS.
CERT_KEY_PATH the file path to a file containing the private key of the cert.
ROOT_CA_CERTS_PATH optional file path to a file containing the trusted (CA) certs used by the Authentication Provider.
LOG_LEVEL an optional level of the log (Info, Debug, Trace, Warn, Error). Defaults to Info.
CREDS_GRANT_TYPE used for authentication, Client Credentials grant type.
CREDS_CLIENT_SECRET used for authentication, Client Secret.
CREDS_CLIENT_ID used for authentication, Client ID.
OUTPUT_FILE the file path of the file in which the fetched authorization token shall be stored.
AUTH_SERVICE_URL used for authentication, the URL to the authentication service.
REFRESH_MARGIN_SECONDS defines how long time in advance the token is refreshed (before it expires). Default is 5 seconds.
The Authentication Support Service is available as a docker image (example path to staging repo)
nexus3.o-ran-sc.org:10004/o-ran-sc_nonrtric-auth-token-fetch
A typical useage of the image in kubernetes as a sidecar container may look like this where the application container and the sidecar container share an "emptyDir" volume. This volume is shared between the containers during the lifetime of the pod.
Deployment manifest example
Code Block | ||||
---|---|---|---|---|
| ||||
......
containers:
- name: informationservice
image: nexus3.o-ran-sc.org:10004/o-ran-sc_nonrtric-information-coordinator-service:1.3.0
imagePullPolicy: Always
ports:
- name: http
containerPort: 8083
- name: https
containerPort: 8434
volumeMounts:
- mountPath: /token-cache
name: token-cache-volume
- name: authsidecar
image: nexus3.o-ran-sc.org:10004/o-ran-sc/nonrtric-auth-token-fetch:1.0.0
imagePullPolicy: Always
env:
- name: CREDS_GRANT_TYPE
value: client_credentials
- name: CREDS_CLIENT_SECRET
value: XXXXXXX
- name: CREDS_CLIENT_ID
value: icsc
- name: OUTPUT_FILE
value: /token-cache/jwt.txt
- name: AUTH_SERVICE_URL
value: http://keycloak.keycloak:80/realms/nrtrealm/protocol/openid-connect/token
volumeMounts:
- mountPath: /token-cache
name: token-cache-volume
volumes:
- name: token-cache-volume
emptyDir: {}
|
View file | ||||
---|---|---|---|---|
|