Authenticating with OpenShift OAuth Server
The Social Login feature socialLogin-1.0 can be configured to use the
OAuth server and OAuth Proxy sidecar that are built-in to Red Hat®
OpenShift®
as authentication providers.
The Social Login feature has several pre-configured providers (such as Google, GitHub, or Facebook), but you can also configure additional providers (for example, Instagram, the Red Hat OpenShift OAuth server, and OAuth Proxy sidecar). The first is a standard OAuth Authorization Code flow, where a web browser accessing an app running in Liberty is redirected to the Red Hat OpenShift OAuth server to authenticate. The second accepts an inbound token from the Red Hat OpenShift OAuth Proxy sidecar or obtained from an Red Hat OpenShift API call. This approach requires less cluster-specific configuration.
You can run Liberty in a pod, but in the Authorization Code flow, Liberty can run outside the Red Hat OpenShift cluster. In either mode, an optional JWT can be created for propagation to downstream services.
Using Red Hat OpenShift as a provider differs slightly from other OAuth providers, because it requires a service account token to obtain information about the OAuth tokens. Once the client ID, secret, and token have been obtained from Red Hat OpenShift, Liberty can be configured as shown here:
To enable the feature, add it to the server.xml file.
See the following example server configuration for using Red Hat OpenShift OAuth server.
<server description="social">
<!-- Enable features -->
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>socialLogin-1.0</feature>
</featureManager>
<logging traceSpecification="com.ibm.ws.security.*=all=enabled" maxFiles="8" maxFileSize="200"/>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="8941" httpsPort="8946" > <tcpOptions soReuseAddr="true" /> </httpEndpoint>
<!-- specify your clientId, clientSecret and userApiToken as liberty variables or environment variables -->
<oauth2Login id="openshiftLogin"
scope="user:full"
clientId="${myclientId}"
clientSecret="${myclientSecret}"
authorizationEndpoint="https://oauth-openshift.apps.papains.os.example.com/oauth/authorize"
tokenEndpoint="https://oauth-openshift.apps.papains.os.example.com/oauth/token"
userNameAttribute="username"
groupNameAttribute="groups"
userApiToken="${serviceAccountToken}"
userApiType="kube"
userApi="https://api.papains.os.example.com:6443/apis/authentication.k8s.io/v1/tokenreviews">
</oauth2Login>
<keyStore id="defaultKeyStore" password="keyspass" />
<!-- more application config would go here -->
</server>
In the sidecar scenario, the configuration changes to accept an inbound token from the sidecar. See the following example server configuration for using the OAuth proxy sidecar:
<!-- specify your userApiToken as a liberty variable or environment variable -->
<!-- note that no clientId or clientSecret are needed -->
<oauth2Login id="openshiftLogin"
scope="user:full"
userNameAttribute="username"
groupNameAttribute="groups"
userApiToken="${serviceAccountToken}"
userApiType="kube"
accessTokenHeaderName="X-Forwarded-Access-Token"
accessTokenRequired="true"
userApi="https://kubernetes.default.svc/apis/authentication.k8s.io/v1/tokenreviews">
</oauth2Login>To use HTTPS communication, either the server must have a key signed by a well-known certificate authority, which Liberty can trust automatically, or the server's public key must be added to the Liberty trust store. Red Hat OpenShift does not provide CA-signed keys by default, so the public key from Red Hat OpenShift OAuth server must be added. To add the public key, you can specify an environment variable in the server.env file. This setting identifies the file containing the public key in PEM format. Liberty reads the file and adds the key to its trust store.
# server.env
# OAuth sidecar scenario: causes the Kubernetes default certificate that is pre-installed in pods to be added to Liberty trust store.
cert_defaultKeyStore=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# OAuth server scenario: causes the public keys from /tmp/trustedcert.pem (obtained separately) to be added to Liberty trust store.
cert_defaultKeyStore=/tmp/trustedcert.pem