credential-service

module
v0.0.0-...-46f36e0
Published: Aug 14, 2024 License: MIT

README

Credential Service

Credential Service is an API that exchanges authentication tokens from auth systems (think Auth0, Azure AD B2C, Firebase Auth, etc.) for ecosystem-specific tokens, so that they can be used with any RMI service. The API is defined in an OpenAPI v3 spec, and currently only accepts Azure AD B2C ID tokens as input.

The service currently has two credential-exchanging endpoints. Both take a valid ID token and mint a new API key; they differ only in how the key is returned to the caller:

  • CreateAPIKey - Creates a new API key and returns it in the response body.
    • Intended for programmatic access to RMI APIs
    • POST /login/apikey
  • CookieLogin - Creates a new API key and returns it in a Set-Cookie response header.
    • Intended for web clients
    • POST /login/cookie

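To make the exchange concrete, here is an added example that is not code from the credential-service repo. It walks the local-development path the README describes end to end: an Ed25519 keypair (the role of tools/keygen), a signed JWT (the role of tools/genjwt), verification of that token against the local key, an email-domain allowlist check (the role of the allowlist package), and a freshly generated API key, which is what POST /login/apikey hands back. It uses only the Go standard library rather than the lestrrat-go/jwx library the project's azjwt package references. The issuer name "local-dev", the claim names, the allowlist contents, and the hex format of the API key are assumptions; the page does not describe how the real service stores or encodes keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims this exchange looks at. The claim
// names are assumptions; a real Azure AD B2C token carries many more.
type Claims struct {
	Iss   string `json:"iss"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT mints a compact EdDSA JWT with a local Ed25519 key, the job the
// README assigns to tools/genjwt (stdlib only; the repo itself uses jwx).
func SignJWT(priv ed25519.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyJWT checks alg, signature, issuer and expiry, in that order, and only
// then returns the claims; nothing in the payload is trusted before the signature check.
func VerifyJWT(pub ed25519.PublicKey, token, wantIss string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token: expected 3 segments")
	}
	dec := base64.RawURLEncoding.DecodeString
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: honouring "none" or a caller-chosen alg is the classic
	// JWT mistake, so anything but EdDSA is rejected before the signature is read.
	if h, err := dec(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "EdDSA" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	if sig, err := dec(parts[2]); err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("signature verification failed")
	}
	var c Claims
	if body, err := dec(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	if c.Iss != wantIss {
		return Claims{}, fmt.Errorf("issuer %q is not the expected %q", c.Iss, wantIss)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired or has no exp")
	}
	return c, nil
}

// allowedDomain reports whether the email's domain is on the allowlist (the
// check the README's allowlist package provides); the domain match is case-insensitive.
func allowedDomain(email string, allow map[string]bool) bool {
	at := strings.LastIndex(email, "@")
	return at > 0 && at < len(email)-1 && allow[strings.ToLower(email[at+1:])]
}

// Exchange is the core of POST /login/apikey: verify the ID token, authorize
// the email domain, then mint a fresh 256-bit API key. Returning it as hex is
// an assumption; the page does not say how the real service formats or stores keys.
func Exchange(pub ed25519.PublicKey, token, issuer string, allow map[string]bool, now time.Time) (string, error) {
	c, err := VerifyJWT(pub, token, issuer, now)
	if err != nil {
		return "", err
	}
	if !allowedDomain(c.Email, allow) {
		return "", fmt.Errorf("email domain of %q is not allowlisted", c.Email)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	return hex.EncodeToString(key), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // what tools/keygen would write to disk
	now := time.Now()
	tok, _ := SignJWT(priv, Claims{Iss: "local-dev", Email: "dev@example.org", Exp: now.Add(10 * time.Minute).Unix()})
	key, err := Exchange(pub, tok, "local-dev", map[string]bool{"example.org": true}, now)
	fmt.Println("api key:", key, "err:", err)
}
```

The order of checks in VerifyJWT is the point worth copying: the algorithm is pinned before the signature is examined, the signature is checked before any claim is parsed, and issuer and expiry are enforced on every token. Against a real Azure AD B2C issuer the same shape applies, with the key coming from the issuer's JWKS endpoint instead of a local file and an audience check added for the B2C application.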
Things to note:

Running the Credential Service

Run the server against an Azure AD B2C instance:

bazel run //scripts:run_server -- --use_azure_auth

Run the server against a local JWT issuer (see the cmd/server README for details on generating the local keys and tokens):

bazel run //scripts:run_server

You can access the API via curl; see the cmd/server README for details and the exact commands.

Deploying

This repo doesn't currently have deployment via GitHub Actions. To manually deploy the service:

az acr login --name rmisa
bazel run --@io_bazel_rules_go//go/config:pure //cmd/server:push_image

# If you get an unauthenticated error from the above command, you can run:
bazel build --@io_bazel_rules_go//go/config:pure //cmd/server:image_tarball
docker load < bazel-bin/cmd/server/image_tarball/tarball.tar
docker tag <sha from previous step, without 'sha256:' prefix> rmisa.azurecr.io/credsrv
docker push rmisa.azurecr.io/credsrv

# Now that the updated image has been pushed, deploy it with something like:
az containerapp update \
  -g rmi-credsrv-dev \
  -n credsrv-dev \
  -i rmisa.azurecr.io/credsrv:latest

Note that :latest is a mutable tag: record the image digest that docker push prints so you can tell afterwards exactly which build was deployed.

Security

Please report security issues to security@siliconally.org, or by using one of the contact methods available on our Contact Us page.

Contributing

Contribution guidelines can be found on our website.

Directories

  • allowlist: Package allowlist provides basic capabilities for authorizing email addresses against a domain allowlist.
  • authn/localjwt: Package localjwt implements JWT authentication using local keys, which is meant for local development.
  • azure/azjwt: Package azjwt implements JWT authentication against Azure, which has some minor peculiarities that require special handling, see https://github.com/lestrrat-go/jwx/issues/395
  • cmd/server (command): Command server runs the credential-exchanging service API.
  • cmd/server/usersrv: Package usersrv implements the User API interface, user.StrictServerInterface, which is auto-generated from the OpenAPI 3 spec, and describes a basic mechanism for exchanging auth provider (Firebase Auth, Cognito, Azure B2C, etc) tokens for app-specific tokens.
  • tools/genjwt (command): Command genjwt creates and signs JWT tokens using local keypairs.
  • tools/keygen (command): Command keygen is a simple CLI tool for generating ED25519 key pairs, which can be used for issuing (i.e.
  • flagext: Package flagext provides shared helpers that implement the flag.Value interface.
  • httpreq: Package httpreq provides basic middleware for allowing OpenAPI endpoint handlers to access raw *http.Request fields.
  • keyutil: Package keyutil provides some simple wrappers for serializing + deserializing cryptographic keys.
  • secrets: Package secrets validates and parses all sensitive configuration.
  • siteverify: Package siteverify provides utilities for verifying a token contains the expected site.
