Author: Alex Ellis
Objective: Log into the UI portal using a JWT token and social login.
See the official docs
You will need a domain name; you can buy one at namecheap.com for around 1 USD.
Once you have this you'll need two DNS entries - one for the gateway and one for the auth plugin, i.e.
- auth.myfaas.club
- gw.myfaas.club
Note: Wherever you see these URLs below, you must change them to match what you have picked for your own domain.
- Sign up for Auth0 - this will be free
- Create a tenant - I called mine `alexellis`
- Add your application "Regular Web Application" - I called mine "openfaas gateway"
- Use Google as the only available login method
- Set up two Allowed Callback URLs for your application: `http://auth.myfaas.club/validate, http://auth.myfaas.club/callback`
- Gather all your secrets and config

Populate your tenant info below:

```sh
export client_id="your-client-id"
export client_secret="your-secret"
export cookie_domain=".myfaas.club"
export base_host="http://auth.myfaas.club"
export port=9000
export authorize_url="https://alexellis.eu.auth0.com/authorize"
export welcome_page_url="http://gw.myfaas.club:8080"
export public_key_path="" # leave blank
export audience="https://alexellis.eu.auth0.com/api/v2/"
export token_url="https://alexellis.eu.auth0.com/oauth/token"
export scopes="openid profile email read:current_user admin:openfaas"
export jwks_url="https://alexellis.eu.auth0.com/.well-known/jwks.json"

./oidc-plugin-linux
```
The `authorize_url` and `jwks_url` contain my personal tenant URL; remember to customise these.
For `cookie_domain`, set the root domain shared by both of your sub-domains, so that the cookie set by the auth service can also be read by the gateway.
Download / obtain the binary for oidc-plugin from https://github.com/alexellis/oidc-plugin-dist
Use `git clone` or the GitHub RAW download.
Now execute it in the same directory:

```sh
./oidc-plugin-darwin
# or
./oidc-plugin-linux
```
For me the easy way to do this is to set up a DigitalOcean account.
- Deploy OpenFaaS on a small Kubernetes cluster using DOKS - use the LoadBalancer option so that you get a public IP for your gateway
- Buy a cheap 1 USD domain, or configure an existing one to use the DO nameservers
- Use inlets.dev and the provisioning script for DigitalOcean - `curl -SLs https://get.inlets.dev | sudo sh`
- Use `doctl compute domain create` to set up a sub-domain for your gateway and one for your inlets exit node. Run the oidc-plugin on your local machine and connect to your inlets.dev exit node using the `inlets client` command.
- Set up a DNS entry for your auth server and gateway. These could technically be /etc/hosts file entries if that's easier.
I used https://inlets.dev to expose my auth service and deployed OpenFaaS using helm to DigitalOcean Kubernetes - `curl -SLs https://get.inlets.dev | sudo sh`
- Edit your gateway deployment:

```sh
kubectl edit -n openfaas deploy/gateway
```

Set the external auth URL to the URL of your auth server in the `auth_proxy_url` variable, i.e. using the domain from `base_host`; for me, it was: http://auth.myfaas.club/validate

```yaml
- name: auth_proxy_url
  value: http://auth.myfaas.club/validate
```

Now visit your OpenFaaS gateway using `welcome_page_url`, such as http://gw.myfaas.club:8080.
Open Chrome tools or your dev tools and find your token.
- Validate the token
Visit jwt.io and paste in the token to check that it's valid and to view your claims.
- Share the gateway URL
Try to share the URL with a friend or co-worker. Can they log in?
Thank you to @viveksyngh for running through the instructions on DO and validating them.