...
The Authentication Support Service is a generic service that provides support to offload a service from authentication and fetching/refreshing of an authorization token.
A POD running a Service can include this running in a sidecar container. This Authorization Authentication Support Service will then make sure that a valid token is available to the service by means of a local file (in the POD).
The Service can then just read the token from a file and insert it into the HTTP header of each REST call.
The Authorization The Authentication Support Service currently supports authorization authentication using a private shared key. The used authorization authentication provider used for testing is Keycloak.
...
CERT_PATH the file path to an x.509 cert to be used for TLS.
CERT_KEY_PATH the file path to a file containing the private key of the cert.
ROOT_CA_CERTS_PATH optional file path to a file containing the trusted (CA) certs used by the Authentication Provider.
LOG_LEVEL an optional level of the log (Info, Debug, Trace, Warn, Error). Defaults to Info.
CREDS_GRANT_TYPE used for authorizationauthentication, Client Credentials grant type.
CREDS_CLIENT_SECRET used for authorizationauthentication, Client Secret.
CREDS_CLIENT_ID used for authorizationauthentication, Client ID.
OUTPUT_FILE the file path of the file to put in which the fetched authorization token shall be stored.
AUTH_SERVICE_URL used for authorizationauthentication, the URL to the authorization authentication service.
REFRESH_MARGIN_SECONDS defines how long time in advance the token is refreshed (before it expires). Default is 5 seconds.
The Authentication Support Service is available as a docker image (example path to staging repo)
nexus3.o-ran-sc.org:10004/o-ran-sc_nonrtric-auth-token-fetch
A typical useage of the image in kubernetes as a sidecar container may look like this where the application container and the sidecar container share an "emptyDir" volume. This volume is shared between the containers during the lifetime of the pod.
Deployment manifest example
Code Block | ||||
---|---|---|---|---|
| ||||
...... containers: - name: informationservice image: nexus3.o-ran-sc.org:10004/o-ran-sc_nonrtric-information-coordinator-service:1.3.0 imagePullPolicy: Always ports: - name: http containerPort: 8083 - name: https containerPort: 8434 volumeMounts: - mountPath: /token-cache name: token-cache-volume - name: authsidecar image: nexus3.o-ran-sc.org:10004/o-ran-sc/nonrtric-auth-token-fetch:1.0.0 imagePullPolicy: Always env: - name: CREDS_GRANT_TYPE value: client_credentials - name: CREDS_CLIENT_SECRET value: XXXXXXX - name: CREDS_CLIENT_ID value: icsc - name: OUTPUT_FILE value: /token-cache/jwt.txt - name: AUTH_SERVICE_URL value: http://keycloak.keycloak:80/realms/nrtrealm/protocol/openid-connect/token volumeMounts: - mountPath: /token-cache name: token-cache-volume volumes: - name: token-cache-volume emptyDir: {} |
View file | ||||
---|---|---|---|---|
|