From 6c02af77781d397e210811b6b317cc8803468c02 Mon Sep 17 00:00:00 2001 From: Charles d'Avernas Date: Wed, 14 Aug 2024 15:25:36 +0200 Subject: [PATCH 1/5] - Refactor the OAuth2 authentication policy - Add the OIDC authentication policy - Add the schema for the Digest authentication Signed-off-by: Charles d'Avernas --- dsl-reference.md | 107 ++++++++++++++++++++-- schema/workflow.yaml | 209 +++++++++++++++++++++++++++++++------------ 2 files changed, 253 insertions(+), 63 deletions(-) diff --git a/dsl-reference.md b/dsl-reference.md index 60e5f111..fb6985ce 100644 --- a/dsl-reference.md +++ b/dsl-reference.md @@ -37,6 +37,7 @@ - [Certificate](#certificate-authentication) - [Digest](#digest-authentication) - [OAUTH2](#oauth2-authentication) + - [OpenIdConnect](#openidconnect-authentication) + [Extension](#extension) + [Error](#error) - [Standard Error Types](#standard-error-types) @@ -1107,6 +1108,7 @@ Defines the mechanism used to authenticate users and workflows attempting to acc | certificate | [`certificateAuthentication`](#certificate-authentication) | `no` | The `certificate` authentication scheme to use, if any.
Required if no other property has been set, otherwise ignored. | | digest | [`digestAuthentication`](#digest-authentication) | `no` | The `digest` authentication scheme to use, if any.
Required if no other property has been set, otherwise ignored. | | oauth2 | [`oauth2`](#oauth2-authentication) | `no` | The `oauth2` authentication scheme to use, if any.
Required if no other property has been set, otherwise ignored. | +| oidc | [`oidc`](#openidconnect-authentication) | `no` | The `oidc` authentication scheme to use, if any.
Required if no other property has been set, otherwise ignored. | ##### Examples @@ -1205,19 +1207,59 @@ do: #### Digest Authentication +Defines the fundamentals of a 'digest' authentication. + +##### Properties + +| Property | Type | Required | Description | +|----------|:----:|:--------:|-------------| +| username | `string` | `yes` | The username to use. | +| password | `string` | `yes` | The password to use. | + +##### Examples + +```yaml +document: + dsl: '1.0.0-alpha1' + namespace: test + name: digest-authentication-example + version: '0.1.0' +use: + authentications: + sampleDigest: + digest: + username: admin + password: password123 +do: + - sampleTask: + call: http + with: + method: get + endpoint: + uri: https://secured.fake.com/sample + authentication: + use: sampleDigest +``` #### OAUTH2 Authentication -Defines the fundamentals of an 'oauth2' authentication +Defines the fundamentals of an 'oauth2' authentication. ##### Properties -| Property | Type | Required | Description | -|----------|:----:|:--------:|-------------| -| authority | [`uri-template`](#uri-template) | `yes` | The URI that references the OAuth2 authority to use. | -| grant | `string` | `yes` | The grant type to use. | -| client.id | `string` | `yes` | The client id to use. | +| Name | Type | Required | Description | +|:-----|:----:|:--------:|:------------| +| authority | `uri-template` | `yes` | The URI that references the authority to use when making OAUTH2 calls. | +| endpoints.token | `uri-template` | `no` | The relative path to the endpoint for OAUTH2 token requests.
Defaults to `/oauth2/token`. | +| endpoints.revocation | `uri-template` | `no` | The relative path to the endpoint used to invalidate tokens.
Defaults to `/oauth2/revoke`. | +| endpoints.introspection | `uri-template` | `no` | The relative path to the endpoint used to validate and obtain information about a token, typically to check its validity and associated metadata.
Defaults to `/oauth2/introspect`. | +| grant | `string` | `yes` | The grant type to use.
Supported values are `authorization_code`, `client_credentials`, `password`, `refresh_token` and `urn:ietf:params:oauth:grant-type:token-exchange`. | +| client.id | `string` | `no` | The client id to use.
Required if the `client.authentication` method has **not** been set to `none`. | | client.secret | `string` | `no` | The client secret to use, if any. | +| client.assertion | `string` | `no` | A JWT containing a signed assertion with your application credentials.
Required when `client.authentication` has been set to `private_key_jwt`. | +| client.authentication | `string` | `no` | The client authentication method to use.
Supported values are `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt` or `none`.
Defaults to `client_secret_post`. | +| request.encoding | `string` | `no` | The encoding of the token request.
Supported values are `application/x-www-form-urlencoded` and `application/json`.
Defaults to application/x-www-form-urlencoded. | +| issuers | `uri-template[]` | `no` | A list that contains that contains valid issuers that will be used to check against the issuer of generated tokens. | | scopes | `string[]` | `no` | The scopes, if any, to request the token for. | | audiences | `string[]` | `no` | The audiences, if any, to request the token for. | | username | `string` | `no` | The username to use. Used only if the grant type is `Password`. | @@ -1242,7 +1284,9 @@ do: uri: https://secured.fake.com/sample authentication: oauth2: - authority: http://keycloak/realms/fake-authority/.well-known/openid-configuration + authority: http://keycloak/realms/fake-authority + endpoints: + token: /oauth2/token grant: client-credentials client: id: workflow-runtime @@ -1262,6 +1306,55 @@ Represents the definition of an OAUTH2 token | token | `string` | `yes` | The security token to use to use. | | type | `string` | `yes` | The type of security token to use. | +#### OpenIdConnect Authentication + +Defines the fundamentals of an 'oidc' authentication. + +##### Properties + +| Name | Type | Required | Description | +|:-----|:----:|:--------:|:------------| +| authority | `uri-template` | `yes` | The URI that references the authority to use when making OpenIdConnect calls. | +| grant | `string` | `yes` | The grant type to use.
Supported values are `authorization_code`, `client_credentials`, `password`, `refresh_token` and `urn:ietf:params:oauth:grant-type:token-exchange`. | +| client.id | `string` | `no` | The client id to use.
Required if the `client.authentication` method has **not** been set to `none`. | +| client.secret | `string` | `no` | The client secret to use, if any. | +| client.assertion | `string` | `no` | A JWT containing a signed assertion with your application credentials.
Required when `client.authentication` has been set to `private_key_jwt`. | +| client.authentication | `string` | `no` | The client authentication method to use.
Supported values are `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt` or `none`.
Defaults to `client_secret_post`. | +| request.encoding | `string` | `no` | The encoding of the token request.
Supported values are `application/x-www-form-urlencoded` and `application/json`.
Defaults to application/x-www-form-urlencoded. | +| issuers | `uri-template[]` | `no` | A list that contains that contains valid issuers that will be used to check against the issuer of generated tokens. | +| scopes | `string[]` | `no` | The scopes, if any, to request the token for. | +| audiences | `string[]` | `no` | The audiences, if any, to request the token for. | +| username | `string` | `no` | The username to use. Used only if the grant type is `Password`. | +| password | `string` | `no` | The password to use. Used only if the grant type is `Password`. | +| subject | [`oauth2Token`](#oauth2-token) | `no` | The security token that represents the identity of the party on behalf of whom the request is being made. | +| actor | [`oauth2Token`](#oauth2-token) | `no` | The security token that represents the identity of the acting party. | + +##### Examples + +```yaml +document: + dsl: '1.0.0-alpha1' + namespace: test + name: oidc-authentication-example + version: '0.1.0' +do: + - sampleTask: + call: http + with: + method: get + endpoint: + uri: https://secured.fake.com/sample + authentication: + oidc: + authority: http://keycloak/realms/fake-authority/.well-known/openid-configuration + grant: client_credentials + client: + id: workflow-runtime + secret: "**********" + scopes: [ api ] + audiences: [ runtime ] +``` + ### Extension Holds the definition for extending functionality, providing configuration options for how an extension extends and interacts with other components. diff --git a/schema/workflow.yaml b/schema/workflow.yaml index 86e33868..d7bcb2b3 100644 --- a/schema/workflow.yaml +++ b/schema/workflow.yaml @@ -822,7 +822,7 @@ $defs: description: The configuration of the basic authentication policy. unevaluatedProperties: false oneOf: - - title: BasicAuthenticationData + - title: BasicAuthenticationProperties description: Inline configuration of the basic authentication policy. properties: username: 
@@ -845,7 +845,7 @@ $defs: description: The configuration of the bearer authentication policy. unevaluatedProperties: false oneOf: - - title: BearerAuthenticationData + - title: BearerAuthenticationProperties description: Inline configuration of the bearer authentication policy. properties: token: @@ -856,6 +856,29 @@ $defs: title: BearerAuthenticationPolicySecret description: Secret based configuration of the bearer authentication policy. required: [ bearer ] + - title: DigestAuthenticationPolicy + description: Use digest authentication. + properties: + digest: + type: object + title: DigestAuthenticationPolicyConfiguration + description: The configuration of the digest authentication policy. + unevaluatedProperties: false + oneOf: + - title: BasicAuthenticationProperties + description: Inline configuration of the digest authentication policy. + properties: + username: + type: string + description: The username to use. + password: + type: string + description: The password to use. + required: [ username, password ] + - $ref: '#/$defs/secretBasedAuthenticationPolicy' + title: DigestAuthenticationPolicySecret + description: Secret based configuration of the digest authentication policy. + required: [ digest ] - title: OAuth2AuthenticationPolicy description: Use OAuth2 authentication. properties: 
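Review bot: in the `DigestAuthenticationPolicy` block the inline branch is titled `BasicAuthenticationProperties`, the same title the basic policy's inline branch received in the hunk above; rename it to `DigestAuthenticationProperties` so that generated types and rendered docs do not merge the two schemas. The `required: [ username, password ]` list and the `secretBasedAuthenticationPolicy` alternative look right.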
@@ -865,65 +888,139 @@ $defs: description: The configuration of the OAuth2 authentication policy. unevaluatedProperties: false oneOf: - - title: OAuth2AutenthicationData - description: Inline configuration of the OAuth2 authentication policy. - properties: - authority: - type: string - format: uri-template - title: OAuth2AutenthicationDataAuthority - description: The URI that references the OAuth2 authority to use. - grant: - type: string - title: OAuth2AutenthicationDataGrant - description: The grant type to use. - client: - type: object - title: OAuth2AutenthicationDataClient - description: The definition of an OAuth2 client. - unevaluatedProperties: false + - type: object + title: OAuth2ConnectAuthenticationProperties + description: The inline configuration of the OAuth2 authentication policy. + allOf: + - $ref: '#/$defs/oauth2AuthenticationProperties' + - type: object properties: - id: - type: string - title: ClientId - description: The client id to use. - secret: - type: string - title: ClientSecret - description: The client secret to use, if any. - required: [ id ] - scopes: - type: array - title: OAuth2AutenthicationDataScopes - description: The scopes, if any, to request the token for. - items: - type: string - audiences: - type: array - title: OAuth2AutenthicationDataAudiences - description: The audiences, if any, to request the token for. - items: - type: string - username: - type: string - title: OAuth2AutenthicationDataUsername - description: The username to use. Used only if the grant type is Password. - password: - type: string - title: OAuth2AutenthicationDataPassword - description: The password to use. Used only if the grant type is Password. - subject: - $ref: '#/$defs/oauth2Token' - title: OAuth2AutenthicationDataSubject - description: The security token that represents the identity of the party on behalf of whom the request is being made. 
- actor: - $ref: '#/$defs/oauth2Token' - title: OAuth2AutenthicationDataActor - description: The security token that represents the identity of the acting party. + endpoints: + type: object + title: OAuth2AuthenticationPropertiesEndpoints + description: The endpoint configurations for OAuth2. + properties: + token: + type: string + format: uri-template + default: /oauth2/token + title: OAuth2TokenEndpoint + description: The relative path to the token endpoint. Defaults to `/oauth2/token`. + revocation: + type: string + format: uri-template + default: /oauth2/revoke + title: OAuth2RevocationEndpoint + description: The relative path to the revocation endpoint. Defaults to `/oauth2/revoke`. + introspection: + type: string + format: uri-template + default: /oauth2/introspect + title: OAuth2IntrospectionEndpoint + description: The relative path to the introspection endpoint. Defaults to `/oauth2/introspect`. - $ref: '#/$defs/secretBasedAuthenticationPolicy' title: OAuth2AuthenticationPolicySecret description: Secret based configuration of the OAuth2 authentication policy. required: [ oauth2 ] + - title: OpenIdConnectAuthenticationPolicy + description: Use OpenIdConnect authentication. + properties: + oidc: + type: object + title: OpenIdConnectAuthenticationPolicyConfiguration + description: The configuration of the OpenIdConnect authentication policy. + unevaluatedProperties: false + oneOf: + - $ref: '#/$defs/oauth2AuthenticationProperties' + title: OpenIdConnectAuthenticationProperties + description: The inline configuration of the OpenIdConnect authentication policy. + - $ref: '#/$defs/secretBasedAuthenticationPolicy' + title: OpenIdConnectAuthenticationPolicySecret + description: Secret based configuration of the OpenIdConnect authentication policy. + required: [ oidc ] + oauth2AuthenticationProperties: + type: object + title: OAuth2AutenthicationData + description: Inline configuration of the OAuth2 authentication policy. 
+ properties: + authority: + type: string + format: uri-template + title: OAuth2AutenthicationDataAuthority + description: The URI that references the OAuth2 authority to use. + grant: + type: string + enum: [ authorization_code, client_credentials, password, refresh_token, 'urn:ietf:params:oauth:grant-type:token-exchange'] + title: OAuth2AutenthicationDataGrant + description: The grant type to use. + client: + type: object + title: OAuth2AutenthicationDataClient + description: The definition of an OAuth2 client. + unevaluatedProperties: false + properties: + id: + type: string + title: ClientId + description: The client id to use. + secret: + type: string + title: ClientSecret + description: The client secret to use, if any. + assertion: + type: string + title: ClientAssertion + description: A JWT containing a signed assertion with your application credentials. + authentication: + type: string + enum: [ client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none ] + default: client_secret_post + title: ClientAuthentication + description: The authentication method to use to authenticate the client. + request: + type: object + title: OAuth2TokenRequest + description: The configuration of an OAuth2 token request + properties: + encoding: + type: string + enum: [ 'application/x-www-form-urlencoded', 'application/json' ] + default: 'application/x-www-form-urlencoded' + title: Oauth2TokenRequestEncoding + issuers: + type: array + title: OAuth2Issuers + description: A list that contains that contains valid issuers that will be used to check against the issuer of generated tokens. + items: + type: string + scopes: + type: array + title: OAuth2AutenthicationDataScopes + description: The scopes, if any, to request the token for. + items: + type: string + audiences: + type: array + title: OAuth2AutenthicationDataAudiences + description: The audiences, if any, to request the token for. 
+ items: + type: string + username: + type: string + title: OAuth2AutenthicationDataUsername + description: The username to use. Used only if the grant type is Password. + password: + type: string + title: OAuth2AutenthicationDataPassword + description: The password to use. Used only if the grant type is Password. + subject: + $ref: '#/$defs/oauth2Token' + title: OAuth2AutenthicationDataSubject + description: The security token that represents the identity of the party on behalf of whom the request is being made. + actor: + $ref: '#/$defs/oauth2Token' + title: OAuth2AutenthicationDataActor + description: The security token that represents the identity of the acting party. oauth2Token: type: object title: OAuth2TokenDefinition From 11baa9ea882d532b2cbf60b23f084935455a20f8 Mon Sep 17 00:00:00 2001 From: Charles d'Avernas Date: Wed, 14 Aug 2024 15:35:57 +0200 Subject: [PATCH 2/5] Fixes examples Signed-off-by: Charles d'Avernas --- dsl-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dsl-reference.md b/dsl-reference.md index fb6985ce..27fb3908 100644 --- a/dsl-reference.md +++ b/dsl-reference.md @@ -148,7 +148,7 @@ use: petStoreOAuth2: oauth2: authority: https://petstore.swagger.io/.well-known/openid-configuration - grant: client-credentials + grant: client_credentials client: id: workflow-runtime secret: "**********" @@ -1287,7 +1287,7 @@ do: authority: http://keycloak/realms/fake-authority endpoints: token: /oauth2/token - grant: client-credentials + grant: client_credentials client: id: workflow-runtime secret: "**********" From ca21f3a18006acef1e94e634bc48bd2aee5a8617 Mon Sep 17 00:00:00 2001 From: Charles d'Avernas Date: Wed, 14 Aug 2024 16:15:27 +0200 Subject: [PATCH 3/5] Update dsl-reference.md Co-authored-by: Ricardo Zanini <1538000+ricardozanini@users.noreply.github.com> --- dsl-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dsl-reference.md b/dsl-reference.md index 27fb3908..b3086464 100644 
--- a/dsl-reference.md +++ b/dsl-reference.md @@ -1249,7 +1249,7 @@ Defines the fundamentals of an 'oauth2' authentication. | Name | Type | Required | Description | |:-----|:----:|:--------:|:------------| -| authority | `uri-template` | `yes` | The URI that references the authority to use when making OAUTH2 calls. | +| authority | `uri-template` | `yes` | The URI that references the authority to use when making OAuth2 calls. | | endpoints.token | `uri-template` | `no` | The relative path to the endpoint for OAUTH2 token requests.
Defaults to `/oauth2/token`. | | endpoints.revocation | `uri-template` | `no` | The relative path to the endpoint used to invalidate tokens.
Defaults to `/oauth2/revoke`. | | endpoints.introspection | `uri-template` | `no` | The relative path to the endpoint used to validate and obtain information about a token, typically to check its validity and associated metadata.
Defaults to `/oauth2/introspect`. | From efac038f3244e3547426b9f6b9604d96d45660c2 Mon Sep 17 00:00:00 2001 From: Charles d'Avernas Date: Wed, 14 Aug 2024 16:15:35 +0200 Subject: [PATCH 4/5] Update dsl-reference.md Co-authored-by: Ricardo Zanini <1538000+ricardozanini@users.noreply.github.com> --- dsl-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dsl-reference.md b/dsl-reference.md index b3086464..7960aa3b 100644 --- a/dsl-reference.md +++ b/dsl-reference.md @@ -1250,7 +1250,7 @@ Defines the fundamentals of an 'oauth2' authentication. | Name | Type | Required | Description | |:-----|:----:|:--------:|:------------| | authority | `uri-template` | `yes` | The URI that references the authority to use when making OAuth2 calls. | -| endpoints.token | `uri-template` | `no` | The relative path to the endpoint for OAUTH2 token requests.
Defaults to `/oauth2/token`. | +| endpoints.token | `uri-template` | `no` | The relative path to the endpoint for OAuth2 token requests.
Defaults to `/oauth2/token`. | | endpoints.revocation | `uri-template` | `no` | The relative path to the endpoint used to invalidate tokens.
Defaults to `/oauth2/revoke`. | | endpoints.introspection | `uri-template` | `no` | The relative path to the endpoint used to validate and obtain information about a token, typically to check its validity and associated metadata.
Defaults to `/oauth2/introspect`. | | grant | `string` | `yes` | The grant type to use.
Supported values are `authorization_code`, `client_credentials`, `password`, `refresh_token` and `urn:ietf:params:oauth:grant-type:token-exchange`. | From 4b059c1682041b339648c99562b53467c07078eb Mon Sep 17 00:00:00 2001 From: Charles d'Avernas Date: Wed, 21 Aug 2024 15:55:59 +0200 Subject: [PATCH 5/5] Added examples Signed-off-by: Charles d'Avernas --- examples/oauth2.yaml | 22 ++++++++++++++++++++++ examples/oidc.yaml | 19 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 examples/oauth2.yaml create mode 100644 examples/oidc.yaml diff --git a/examples/oauth2.yaml b/examples/oauth2.yaml new file mode 100644 index 00000000..7848354a --- /dev/null +++ b/examples/oauth2.yaml @@ -0,0 +1,22 @@ +document: + dsl: 1.0.0-alpha1 + namespace: examples + name: oauth2-authentication + version: 1.0.0-alpha1 +do: + - getPet: + call: http + with: + method: get + endpoint: + uri: https://petstore.swagger.io/v2/pet/{petId} + authentication: + oauth2: + authority: http://keycloak/realms/fake-authority + endpoints: #optional + token: /auth/token #defaults to /oauth2/token + introspection: /auth/introspect #defaults to /oauth2/introspect + grant: client_credentials + client: + id: workflow-runtime-id + secret: workflow-runtime-secret \ No newline at end of file diff --git a/examples/oidc.yaml b/examples/oidc.yaml new file mode 100644 index 00000000..5ce2ba89 --- /dev/null +++ b/examples/oidc.yaml @@ -0,0 +1,19 @@ +document: + dsl: 1.0.0-alpha1 + namespace: examples + name: oidc-authentication + version: 1.0.0-alpha1 +do: + - getPet: + call: http + with: + method: get + endpoint: + uri: https://petstore.swagger.io/v2/pet/{petId} + authentication: + oidc: + authority: http://keycloak/realms/fake-authority #endpoints are resolved using the OIDC configuration located at '/.well-known/openid-configuration' + grant: client_credentials + client: + id: workflow-runtime-id + secret: workflow-runtime-secret \ No newline at end of file