Auth Bearer Service Configuration

Introduction

The Infinite Scale Auth Bearer service authenticates OpenID Connect bearer tokens.

Configuration

Environment Variables

The auth-bearer extension is configured via the following environment variables:

Environment variables for the auth-bearer service (name(s), type, default value, description):

OCIS_TRACING_ENABLED / AUTH_BEARER_TRACING_ENABLED
  Type: bool | Default: false
  Activates tracing.

OCIS_TRACING_TYPE / AUTH_BEARER_TRACING_TYPE
  Type: string | Default: (empty)
  The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_TRACING_ENDPOINT / AUTH_BEARER_TRACING_ENDPOINT
  Type: string | Default: (empty)
  The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR / AUTH_BEARER_TRACING_COLLECTOR
  Type: string | Default: (empty)
  The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL / AUTH_BEARER_LOG_LEVEL
  Type: string | Default: (empty)
  The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY / AUTH_BEARER_LOG_PRETTY
  Type: bool | Default: false
  Activates pretty log output.

OCIS_LOG_COLOR / AUTH_BEARER_LOG_COLOR
  Type: bool | Default: false
  Activates colorized log output.

OCIS_LOG_FILE / AUTH_BEARER_LOG_FILE
  Type: string | Default: (empty)
  The path to the log file. Activates logging to this file if set.

AUTH_BEARER_DEBUG_ADDR
  Type: string | Default: 127.0.0.1:9149
  Bind address of the debug server, where the metrics, health, config and debug endpoints are exposed.

AUTH_BEARER_DEBUG_TOKEN
  Type: string | Default: (empty)
  Token to secure the metrics endpoint.

AUTH_BEARER_DEBUG_PPROF
  Type: bool | Default: false
  Enables pprof, which can be used for profiling.

AUTH_BEARER_DEBUG_ZPAGES
  Type: bool | Default: false
  Enables zpages, which can be used for collecting and viewing in-memory traces.

AUTH_BEARER_GRPC_ADDR
  Type: string | Default: 127.0.0.1:9148
  The bind address of the gRPC service.

OCIS_GRPC_TLS_ENABLED
  Type: bool | Default: false
  Activates TLS for the gRPC based services using the server certificate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure.

OCIS_GRPC_TLS_CERTIFICATE
  Type: string | Default: (empty)
  Path/file name of the TLS server certificate (in PEM format) for the gRPC services.

OCIS_GRPC_TLS_KEY
  Type: string | Default: (empty)
  Path/file name of the TLS private key (in PEM format) belonging to the server certificate used by the gRPC services.

AUTH_BEARER_GRPC_PROTOCOL
  Type: string | Default: tcp
  The transport protocol of the gRPC service.

OCIS_JWT_SECRET / AUTH_BEARER_JWT_SECRET
  Type: string | Default: (empty)
  The secret used to mint and validate JWT tokens.

REVA_GATEWAY
  Type: string | Default: 127.0.0.1:9142
  The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE
  Type: string | Default: (empty)
  TLS mode for the gRPC connection to the go-micro based gRPC services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' uses transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT
  Type: string | Default: (empty)
  Path/file name of the root CA certificate (in PEM format) used to validate the TLS server certificates of the go-micro based gRPC services.

AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN
  Type: bool | Default: false
  Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.

OCIS_URL / OCIS_OIDC_ISSUER / AUTH_BEARER_OIDC_ISSUER
  Type: string | Default: https://localhost:9200
  URL of the OIDC issuer. It defaults to the URL of the built-in IDP.

OCIS_INSECURE / AUTH_BEARER_OIDC_INSECURE
  Type: bool | Default: false
  Allow insecure connections to the OIDC issuer.

AUTH_BEARER_OIDC_ID_CLAIM
  Type: string | Default: preferred_username
  Name of the claim that holds the user identifier.

AUTH_BEARER_OIDC_UID_CLAIM
  Type: string | Default: (empty)
  Name of the claim that holds the UID.

AUTH_BEARER_OIDC_GID_CLAIM
  Type: string | Default: (empty)
  Name of the claim that holds the GID.
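Several of the variables above trade security for convenience (OIDC_INSECURE, GRPC_CLIENT_TLS_MODE=insecure/off, a temporary gRPC server certificate, an empty JWT secret, a debug server bound beyond loopback without a token). The following lint, an added example and not oCIS project code, resolves an environment using the names and defaults from the table and reports those weak settings; it assumes that the service-specific AUTH_BEARER_* variable takes precedence over its OCIS_* alias, and the sample environments are constructed.

```python
# Added example, not oCIS code. Names/defaults follow the table above; assumption:
# the service-specific AUTH_BEARER_* variable takes precedence over its OCIS_* alias.
from urllib.parse import urlsplit

def resolve(env, *names, default=""):
    """Return the first non-empty value among names (most specific name listed first)."""
    for name in names:
        if env.get(name, "") != "":
            return env[name]
    return default

def truthy(value):
    return value.strip().lower() in ("1", "true", "yes", "on")

def lint(env):
    """Return (code, message) findings for weak auth-bearer settings; [] means clean."""
    findings = []
    if truthy(resolve(env, "AUTH_BEARER_OIDC_INSECURE", "OCIS_INSECURE")):
        findings.append(("OIDC_INSECURE", "issuer contacted without certificate verification"))
    issuer = resolve(env, "AUTH_BEARER_OIDC_ISSUER", "OCIS_OIDC_ISSUER", "OCIS_URL",
                     default="https://localhost:9200")
    if urlsplit(issuer).scheme != "https":
        findings.append(("OIDC_ISSUER_PLAINTEXT", f"issuer {issuer} is not https"))
    mode = resolve(env, "OCIS_GRPC_CLIENT_TLS_MODE")
    if mode in ("off", "insecure"):
        findings.append(("GRPC_CLIENT_TLS", f"client TLS mode '{mode}' skips server verification"))
    if truthy(resolve(env, "OCIS_GRPC_TLS_ENABLED")) and not resolve(env, "OCIS_GRPC_TLS_CERTIFICATE"):
        findings.append(("GRPC_TEMP_CERT", "temporary server certificate in use; clients need mode=insecure"))
    if not resolve(env, "AUTH_BEARER_JWT_SECRET", "OCIS_JWT_SECRET"):
        findings.append(("JWT_SECRET_EMPTY", "no secret configured to mint reva access tokens"))
    debug_addr = resolve(env, "AUTH_BEARER_DEBUG_ADDR", default="127.0.0.1:9149")
    # Host part of host:port; brackets stripped for IPv6 literals.
    if debug_addr.rpartition(":")[0].strip("[]") not in ("127.0.0.1", "localhost", "::1") \
            and not resolve(env, "AUTH_BEARER_DEBUG_TOKEN"):
        findings.append(("DEBUG_EXPOSED", f"debug server on {debug_addr} without AUTH_BEARER_DEBUG_TOKEN"))
    return findings

# Constructed sample environments, not taken from any real deployment.
WEAK_ENV = {
    "OCIS_INSECURE": "true",
    "OCIS_GRPC_CLIENT_TLS_MODE": "insecure",
    "OCIS_GRPC_TLS_ENABLED": "true",
    "AUTH_BEARER_DEBUG_ADDR": "0.0.0.0:9149",
}
HARDENED_ENV = {
    "OCIS_INSECURE": "true",  # overridden by the service-specific variable below (assumption)
    "AUTH_BEARER_OIDC_INSECURE": "false",
    "AUTH_BEARER_OIDC_ISSUER": "https://idp.example.test",
    "OCIS_GRPC_CLIENT_TLS_MODE": "on",
    "OCIS_JWT_SECRET": "<placeholder-secret>",
}
```

Running lint(WEAK_ENV) reports five findings while lint(HARDENED_ENV) reports none, which also shows the global OCIS_INSECURE value being overridden by AUTH_BEARER_OIDC_INSECURE.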

YAML Example

# Autogenerated
# Filename: auth-bearer-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9149
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9148
  tls:
    enabled: false
    cert: ""
    key: ""
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
oidc:
  issuer: https://localhost:9200
  insecure: false
  id_claim: preferred_username
  uid_claim: ""
  gid_claim: ""