
The Authentication Support Service is a generic service that offloads authentication from another service: it fetches and refreshes an authorization token that can be used by any service.
A POD running a Service can include it as a sidecar container. The Authentication Support Service then makes sure that a valid token is always available to the Service by means of a local file (in the POD).

The Service can then simply read the token from the file and insert it into the HTTP header of each REST call.

The Authentication Support Service currently supports authentication using a private shared key. The authentication provider used for testing is Keycloak.

...

CERT_PATH the file path to an X.509 cert to be used for TLS.
CERT_KEY_PATH the file path to a file containing the private key of the cert.
ROOT_CA_CERTS_PATH optional file path to a file containing the trusted (CA) certs used by the Authentication Provider.
LOG_LEVEL an optional log level (Info, Debug, Trace, Warn, Error). Defaults to Info.
CREDS_GRANT_TYPE used for authentication, the Client Credentials grant type.
CREDS_CLIENT_SECRET used for authentication, the Client Secret.
CREDS_CLIENT_ID used for authentication, the Client ID.
OUTPUT_FILE the file path of the file in which the fetched authorization token shall be stored.
AUTH_SERVICE_URL used for authentication, the URL of the authentication service.
REFRESH_MARGIN_SECONDS defines how long in advance the token is refreshed (before it expires). Default is 5 seconds.
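The fetch/refresh loop on the sidecar side and the file read on the application side, as an added Python example that is not the project's own code. The token response body, client id and secret below are constructed sample values, and the refresh loop takes an injectable fetch() so it can run without a Keycloak instance.

```python
import json, os, tempfile, time, urllib.parse, urllib.request

# Constructed sample of a token-endpoint response; not captured from a real Keycloak.
SAMPLE_TOKEN_RESPONSE = b'{"access_token": "eyJhbGciOiJSUzI1NiJ9.example.sig", "expires_in": 300, "token_type": "Bearer"}'

def build_token_request(auth_service_url, client_id, client_secret):
    """POST form for CREDS_GRANT_TYPE=client_credentials (RFC 6749 section 4.4)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        auth_service_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw):
    """Return (access_token, expires_in seconds) from the JSON body."""
    data = json.loads(raw)
    return data["access_token"], int(data["expires_in"])

def refresh_delay(expires_in, margin_seconds=5):
    """Seconds to sleep before refreshing: REFRESH_MARGIN_SECONDS before expiry, never negative."""
    return max(expires_in - margin_seconds, 0)

def write_token(output_file, token):
    """Write to a temp file in the same directory and rename, so the application
    never reads a half-written OUTPUT_FILE from the shared emptyDir volume."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(output_file) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.chmod(tmp, 0o600)  # the token is a bearer credential: owner-readable only
    os.replace(tmp, output_file)
    return output_file

def auth_header(output_file):
    """Application side: read the cached token and build the REST call header."""
    with open(output_file) as f:
        return {"Authorization": "Bearer " + f.read().strip()}

def refresh_loop(fetch, output_file, margin_seconds=5, max_rounds=1):
    """Sidecar main loop. For a real deployment pass
    fetch=lambda: urllib.request.urlopen(build_token_request(url, cid, secret)).read()"""
    for round_no in range(1, max_rounds + 1):
        token, expires_in = parse_token_response(fetch())
        write_token(output_file, token)
        if round_no < max_rounds:
            time.sleep(refresh_delay(expires_in, margin_seconds))
    return output_file
```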


The Authentication Support Service is available as a docker image (example path to staging repo)

nexus3.o-ran-sc.org:10004/o-ran-sc_nonrtric-auth-token-fetch

A typical usage of the image in Kubernetes as a sidecar container may look like this, where the application container and the sidecar container share an "emptyDir" volume. This volume is shared between the containers during the lifetime of the pod.

Deployment manifest example

Example yaml:
     ...... 
     containers:
      - name: informationservice
        image: nexus3.o-ran-sc.org:10004/o-ran-sc_nonrtric-information-coordinator-service:1.3.0
        imagePullPolicy: Always
        ports:
        - name: http
          containerPort: 8083
        - name: https
          containerPort: 8434
        volumeMounts:
        - mountPath: /token-cache
          name: token-cache-volume
      - name: authsidecar
        image: nexus3.o-ran-sc.org:10004/o-ran-sc/nonrtric-auth-token-fetch:1.0.0
        imagePullPolicy: Always
        env:
        - name: CREDS_GRANT_TYPE
          value: client_credentials
        - name: CREDS_CLIENT_SECRET
          value: XXXXXXX
        - name: CREDS_CLIENT_ID
          value: icsc
        - name: OUTPUT_FILE
          value: /token-cache/jwt.txt
        - name: AUTH_SERVICE_URL
          value: http://keycloak.keycloak:80/realms/nrtrealm/protocol/openid-connect/token
        volumeMounts:
        - mountPath: /token-cache
          name: token-cache-volume
      volumes:
      - name: token-cache-volume
        emptyDir: {}
