From 97331fff29c206baf7786484d15393f68ff38a88 Mon Sep 17 00:00:00 2001
From: "Ware, Joseph (DLSLtd,RAL,LSCI)"
Date: Fri, 10 Jan 2025 16:38:56 +0000
Subject: [PATCH] Adjust examples
---
 docs/source/explanations/security.md | 32 ++++++++++------------------
 example_configs/google_auth.yml | 20 ++--------------
 example_configs/orcid_auth.yml | 15 +++---------
 3 files changed, 16 insertions(+), 51 deletions(-)
diff --git a/docs/source/explanations/security.md b/docs/source/explanations/security.md
index df4fd0c29..d42b670a5 100644
--- a/docs/source/explanations/security.md
+++ b/docs/source/explanations/security.md
@@ -238,39 +238,29 @@ pip install httpx
 3. It is recommended to set the Client Secret as an environment variable, such as `OIDC_CLIENT_SECRET`, and reference that from configuration file as shown below.
-4. Obtain the OIDC provider's public key(s). These are published by the OIDC provider.
- Starting from a URL like:
+4. Get the OIDC provider's well-known endpoint. These are expected shared configuration values published by the OIDC provider.
+ Typically it is a URL like:
 * [https://accounts.google.com/.well-known/openid-configuration](https://accounts.google.com/.well-known/openid-configuration)
 * [https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration)
 * [https://orcid.org/.well-known/openid-configuration](https://orcid.org/.well-known/openid-configuration)
- Navigate to the link under the key `jwks_uri`. These public key(s) are designed
- to prevent man-in-the-middle attacks. They may be rotated over time.
- The configuration file(s) must include the following.
 ```yaml
 authentication:
 providers:
- - provider: SOME_NAME_HERE
+ - provider: example.com
 authenticator: tiled.authenticators:OIDCAuthenticator
 args:
- # All of these are given by the OIDC provider you register
- # your application.
- client_id: ...
- client_secret: ${OIDC_CLIENT_SECRET} # reference an environment variable
- # These come from the OIDC provider as described above.
- token_uri: ...
- authorization_endpoint: ...
- public_keys:
- - kty: ...
- e: ...
- use: ...
- kid: ...
- n: ...
- alg: ...
- confirmation_message: "You have logged in with ... as {id}."
+ # Values should come from your OIDC provider configuration
+ # The audience claim is checked by the OIDC Client (Tiled)
+ # It checks that the Authentication header that you are passed has not been intercepted
+ # And that elevated claims from other services do not apply here
+ audience: tiled # or similar
+ client_id: tiled_client
+ client_secret: ${OIDC_CLIENT_SECRET} # referencing an environment variable
+ well_known_uri: example.com/.well-known/openid-configuration
 ```
 There are example configurations for ORCID and Google in the directory
diff --git a/example_configs/google_auth.yml b/example_configs/google_auth.yml
index d940b0917..aafa996a9 100644
--- a/example_configs/google_auth.yml
+++ b/example_configs/google_auth.yml
@@ -4,27 +4,11 @@ authentication:
 - provider: google
 authenticator: tiled.authenticators:OIDCAuthenticator
 args:
+ audience: tiled # something unique to ensure received headers are for you
 # These values come from https://console.cloud.google.com/apis/credential
 client_id: ${GOOGLE_CLIENT_ID}
 client_secret: ${GOOGLE_CLIENT_SECRET}
- # These values come from https://accounts.google.com/.well-known/openid-configuration
- # Obtain them directly from Google. They may change over time.
- token_uri: "https://oauth2.googleapis.com/token"
- authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
- public_keys:
- - alg: RS256
- e: AQAB
- kid: ee1b9f88cfe3151ddd284a61bf8cecf659b130cf
- kty: RSA
- n: rTOxVQCdPMM6n3XRW7VW5e8bGCoimxT-m4cUyaTtLCIf1IqFJRhzc3rgdxsdpg5fjj1Ln2yG_r-3FbkFYJw1ebOCwJ_xlrIeL7FZWqKHl2u5tPKhYkBpPsh-SFZrlEv6X6W2tLcXaFs_8qeHbEasW3A7S6SiS6vMLvcEgufvHSHM1W61U6R9wzOo0lr3rBBOahZFr2Vym8P3eZZ9u_i07RFEqUEFhHXnHYHMLY2Ch9-JbZlCRVbBOfTxCPdOqOkZyFQfGOMj5XLbPHXLSBlmsNzFSv3KgPhZgvmfK113VUN3RFgnDZ5q_-4FK82j_L0FrYZUPRGBA9Crlvtxg_LJWQ
- use: sig
- - alg: RS256
- e: AQAB
- kid: 77cc0ef4c7181cf4c0dcef7b60ae28cc9022c76b
- kty: RSA
- n: yCR1Za9HjpT49GymRQlYSsNg8z7PZGFh5a26IaCo86xPuAcf6VumrKYG6aK9Y1Bh9qJ9MBV1oajmatTuXtc-FtqwqH9Jzbb_-mCYGylx08Mqr83ydV_fIa64ilpVlBz_LHDeDKIYNepQLGqlMNQ6iVuM9MX9NesN3_twudqgz_Ll3FZkpi0DsVOIwV-fOP3zH6h_e0YPbIIjIcxCUs3Pe0rkcjUVRf3yDfPQTjaNtUh9Qg6DGIi1xe5DU0egLvQv6CdbR3wMxNDp8unhForCaenlD8ulzB_tZT0ft6uxPOHEx29FpH6mzfIsbcTZ7VaBfw6KYUaPsZOCcspY14exow
- use: sig
- confirmation_message: "You have logged in with Google as {id}."
+ well_known_uri: https://accounts.google.com/.well-known/openid-configuration
 trees:
 # Just some arbitrary example data...
 # The point of this example is the authenticaiton above.
diff --git a/example_configs/orcid_auth.yml b/example_configs/orcid_auth.yml
index e9e049995..47a8be65e 100644
--- a/example_configs/orcid_auth.yml
+++ b/example_configs/orcid_auth.yml
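Review bot: The added `audience: tiled` is a placeholder that is unlikely to match the `aud` claim the provider actually issues, and the inline comment ("something unique") does not tell the reader what the value has to agree with; the same line is added in the orcid_auth.yml hunk. OIDC Core requires an ID token's `aud` to contain the relying party's `client_id`, so if Tiled compares this setting against the ID token (I cannot tell from the hunk which token it validates), a user copying this example would have every login rejected, and the example should read `audience: ${GOOGLE_CLIENT_ID}` (and `${ORCID_CLIENT_ID}`) using the same environment-variable substitution the file already uses for `client_id`. If Tiled instead checks an access token whose audience is configured at the provider, the comment should say so and point to where that value is set. In either case I would replace the comment with `# must equal the aud claim the provider puts in tokens issued for this client (for ID tokens this is the client_id)`.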
@@ -4,21 +4,12 @@ authentication:
 - provider: orcid
 authenticator: tiled.authenticators:OIDCAuthenticator
 args:
+ audience: tiled # something unique to ensure received headers are for you
 # These values come from https://orcid.org/developer-tools
 client_id: ${ORCID_CLIENT_ID}
 client_secret: ${ORCID_CLIENT_SECRET}
- # These values come from https://orcid.org/.well-known/openid-configuration
- # Obtain them directly from ORCID. They may change over time.
- token_uri: "https://orcid.org/oauth/token"
- authorization_endpoint: "https://orcid.org/oauth/authorize"
- public_keys:
- - kty: "RSA"
- e: "AQAB"
- use: "sig"
- kid: "production-orcid-org-7hdmdswarosg3gjujo8agwtazgkp1ojs"
- n: "jxTIntA7YvdfnYkLSN4wk__E2zf_wbb0SV_HLHFvh6a9ENVRD1_rHK0EijlBzikb-1rgDQihJETcgBLsMoZVQqGj8fDUUuxnVHsuGav_bf41PA7E_58HXKPrB2C0cON41f7K3o9TStKpVJOSXBrRWURmNQ64qnSSryn1nCxMzXpaw7VUo409ohybbvN6ngxVy4QR2NCC7Fr0QVdtapxD7zdlwx6lEwGemuqs_oG5oDtrRuRgeOHmRps2R6gG5oc-JqVMrVRv6F9h4ja3UgxCDBQjOVT1BFPWmMHnHCsVYLqbbXkZUfvP2sO1dJiYd_zrQhi-FtNth9qrLLv3gkgtwQ"
- alg: RS256
- confirmation_message: "You have logged in with ORCID as {id}."
+ well_known_uri: https://orcid.org/.well-known/openid-configuration
+
 trees:
 # Just some arbitrary example data...
 # The point of this example is the authenticaiton above.