@alexellis
Last active October 21, 2019 15:50
OpenFaaS OAuth2 with Auth0

OAuth2 with OpenFaaS

Author: Alex Ellis

Objective: Log into the UI portal using a JWT token and social login.

Update

See the official docs

Configure two domains

You will need a domain name; you can buy one at namecheap.com for around 1 USD.

Once you have this you'll need two DNS entries - one for the gateway and one for the auth plugin.

i.e.

  • auth.myfaas.club
  • gw.myfaas.club

Note: Wherever you see these URLs below, you must change them to match what you have picked for your own domain.

Configure Auth0

  • Sign up for Auth0 - this will be free

  • Create a tenant - I called mine alexellis

  • Add your application "Regular Web Application" - I called mine "openfaas gateway"

  • Use Google as the only available login method

  • Set up two Allowed Callback URLs for your application:

http://auth.myfaas.club/validate, http://auth.myfaas.club/callback
  • Gather all your secrets and config

Populate your tenant info below:

export client_id="your-client-id"
export client_secret="your-secret"
export cookie_domain=".myfaas.club"
export base_host="http://auth.myfaas.club"
export port=9000
export authorize_url="https://alexellis.eu.auth0.com/authorize"
export welcome_page_url="http://gw.myfaas.club:8080"
export public_key_path="" # leave blank
export audience="https://alexellis.eu.auth0.com/api/v2/"
export token_url="https://alexellis.eu.auth0.com/oauth/token"

export scopes="openid profile email read:current_user admin:openfaas"
export jwks_url="https://alexellis.eu.auth0.com/.well-known/jwks.json"

./oidc-plugin-linux

The authorize_url and jwks_url contain my personal tenant URL; remember to customise this for your own tenant.

For cookie_domain, set the root domain shared by both of your sub-domains, so that the cookie set by the auth service is also sent to the gateway.

Download / obtain the binary for oidc-plugin

https://github.com/alexellis/oidc-plugin-dist

Use git clone or the GitHub raw download.

Now execute it in the same directory:

./oidc-plugin-darwin
# or
./oidc-plugin-linux

Configure OpenFaaS

A) The easy way

For me the easy way to do this is to set up a DigitalOcean account.

Get free credit here

  • Deploy OpenFaaS on a small Kubernetes cluster using DOKS - use the LoadBalancer option so that you get a public IP for your gateway
  • Buy a cheap 1 USD domain, or configure an existing one to use the DO nameservers
  • Use inlets.dev and the provisioning script for DigitalOcean - curl -SLs https://get.inlets.dev | sudo sh
  • Use doctl compute domain create to set up a sub-domain for your gateway and one for your inlets exit node

Run the oidc-plugin on your local machine and connect to your inlets.dev exit node using the inlets client command.

B) The bespoke way

  • Set up a DNS entry for your auth server and gateway

These could technically be /etc/hosts file entries if that's easier.

I used https://inlets.dev to expose my auth service and deployed OpenFaaS using helm to DigitalOcean Kubernetes - curl -SLs https://get.inlets.dev | sudo sh

Configure the gateway to point at the auth plugin

  • Edit your gateway deployment:
kubectl edit -n openfaas deploy/gateway

Set the external auth URL to the URL of your auth server in the auth_proxy_url variable.

i.e. using the domain from base_host, for me, it was: http://auth.myfaas.club/validate

        - name: auth_proxy_url
          value: http://auth.myfaas.club/validate

Attempt to log in

Now visit your OpenFaaS gateway using welcome_page_url such as http://gw.myfaas.club:8080

Open Chrome's developer tools (or your browser's equivalent) and find your token.

  • Validate the token

Visit jwt.io and paste in the token to check that it's valid and to view your claims.

  • Share the gateway URL

Try to share the URL with a friend or co-worker. Can they log in?

@alexellis (Author)

Thank you to @viveksyngh for running through the instructions on DO and validating them.

@prahaladdarkin commented Jul 15, 2019

@alexellis @viveksyngh I wanted to confirm that the inlets.dev needs to be run on my local laptop?

@prahaladdarkin

@alexellis @viveksyngh Never mind the above question - I checked this excellent video on inlets by @alexellis - https://www.youtube.com/watch?v=jrAqqe8N3q4&feature=youtu.be

@alexellis (Author)

Hi there 👋 you can now use the docs for this:

OAuth2 support in the API Gateway (alpha)

@itsmurugappan

Hi Alex,

I am getting the cert error ("x509: certificate signed by unknown authority") when I run ./oidc-plugin-darwin.
Is there a flag I need to set to skip tls-verify? My jwks_url is https.

@prahaladdarkin

Thanks Alex. Will try this tomorrow and over the weekend.

@alexellis (Author)

@itsmurugappan is your URL not a valid / trusted cert?

@itsmurugappan commented Jul 18, 2019

"@itsmurugappan is your URL not a valid / trusted cert?"

Yes. Is there any way to skip tls verify?

@alexellis (Author)

Hi @itsmurugappan, I've built and published a new version which achieves what you wanted.

https://github.com/alexellis/oidc-plugin-dist

Alex

@itsmurugappan

Sure. I will do.
