Auth-App
The auth-app service provides authentication for 3rd party apps.
ocis uses serveral authentication services for different use cases. All services that start with auth-
are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
auth-app
handles authentication of external 3rd party appsauth-basic
handles basic authenticationauth-bearer
handles oidc authenticationauth-machine
handles interservice authentication when a user is impersonatedauth-service
handles interservice authentication when using service accounts
Because this service is not started automatically, a manual start needs to be initiated which can be done in several ways. To configure the service usage, an environment variable for the proxy service needs to be set to allow app authentication.
OCIS_ADD_RUN_SERVICES=auth-app # deployment specific. Add the service to the manual startup list, use with binary deployments. Alternatively you can start the service explicitly via the command line.
PROXY_ENABLE_APP_AUTH=true # mandatory, allow app authentication. In case of a distributed environment, this envvar needs to be set in the proxy service.
App Tokens are used to authenticate 3rd party access via https like when using curl (apps) to access an API endpoint. These apps need to authenticate themselves as no logged in user authenticates the request. To be able to use an app token, one must first create a token. There are different options of creating a token.
Replace the user-name
with an existing user. For the token-expiration
, you can use any time abbreviation from the following list: h, m, s
. Examples: 72h
or 1h
or 1m
or 1s.
Default is 72h
.
ocis auth-app create --user-name={user-name} --expiration={token-expiration}
Once generated, these tokens can be used to authenticate requests to ocis. They are passed as part of the request as Basic Auth
header.
The auth-app
service provides an API to create (POST), list (GET) and delete (DELETE) tokens at the /auth-app/tokens
endpoint.
When using curl for the respective command, you need to authenticate with a header. To do so, get from the browsers developer console the currently active bearer token. Consider that this token has a short lifetime. In any example, replace <your host[:port]>
with the URL:port of your Infinite Scale instance, and {token}
{value}
accordingly. Note that the active bearer token authenticates the user the token was issued for.
-
Create a token
The POST request requires:- A
expiry
key/value pair in the form ofexpiry=<number><h|m|s>
Example:expiry=72h
- An active bearer token
curl --request POST 'https://<your host:9200>/auth-app/tokens?expiry={value}' \ --header 'accept: application/json' \ --header 'authorization: Bearer {token}'
Example output:
{ "token": "3s2K7816M4vuSpd5", "expiration_date": "2024-08-08T13:42:42.796888022+02:00", "created_date": "2024-08-07T13:42:42+02:00", "label": "Generated via API" }
- A
-
List tokens
The GET request only requires an active bearer token for authentication:
Note that--request GET
is technically not required because it is curl default.curl --request GET 'https://<your host:9200>/auth-app/tokens' \ --header 'accept: application/json' \ --header 'authorization: Bearer {token}'
Example output:
[ { "token": "$2a$11$EyudDGAJ18bBf5NG6PL9Ru9gygZAu0oPyLawdieNjGozcbXyyuUhG", "expiration_date": "2024-08-08T13:44:31.025199075+02:00", "created_date": "2024-08-07T13:44:31+02:00", "label": "Generated via Impersonation API" }, { "token": "$2a$11$dfRBQrxRMPg8fvyvkFwaX.IPoIUiokvhzK.YNI/pCafk0us3MyPzy", "expiration_date": "2024-08-08T13:46:41.936052281+02:00", "created_date": "2024-08-07T13:46:42+02:00", "label": "Generated via Impersonation API" } ]
-
Delete a token
The DELETE request requires:- A
token
key/value pair in the form oftoken=<token_issued>
Example:token=Z3s2K7816M4vuSpd5
- An active bearer token
curl --request DELETE 'https://<your host:9200>/auth-app/tokens?token={value}' \ --header 'accept: application/json' \ --header 'authorization: Bearer {token}'
- A
When setting the environment variable AUTH_APP_ENABLE_IMPERSONATION
to true
, admins will be able to use the /auth-app/tokens
endpoint to create tokens for other users but using their own bearer token for authentication. This can be important for migration scenarios, but should not be considered for regular tasks on a production system for security reasons.
To impersonate, the respective requests from the CLI commands above extend with the following parameters, where you can use one or the other:
-
The
userID
in the form of:userID={value}
Example:
userID=4c510ada- ... -42cdf82c3d51
-
The
userName
in the form of:userName={value}
Example:
userName=einstein
Example:
A final create request would then look like:
curl --request POST 'https://<your host:9200>/auth-app/tokens?expiry={value}&userName={value}' \
--header 'accept: application/json' \
--header 'authorization: Bearer {token}'
|
|
Name | Type | Default Value | Description |
---|---|---|---|
OCIS_TRACING_ENABLED AUTH_APP_TRACING_ENABLED |
bool | false | Activates tracing. |
OCIS_TRACING_TYPE AUTH_APP_TRACING_TYPE |
string | The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now. | |
OCIS_TRACING_ENDPOINT AUTH_APP_TRACING_ENDPOINT |
string | The endpoint of the tracing agent. | |
OCIS_TRACING_COLLECTOR AUTH_APP_TRACING_COLLECTOR |
string | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
OCIS_LOG_LEVEL AUTH_APP_LOG_LEVEL |
string | The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’. | |
OCIS_LOG_PRETTY AUTH_APP_LOG_PRETTY |
bool | false | Activates pretty log output. |
OCIS_LOG_COLOR AUTH_APP_LOG_COLOR |
bool | false | Activates colorized log output. |
OCIS_LOG_FILE AUTH_APP_LOG_FILE |
string | The path to the log file. Activates logging to this file if set. | |
AUTH_APP_DEBUG_ADDR | string | 127.0.0.1:9245 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
AUTH_APP_DEBUG_TOKEN | string | Token to secure the metrics endpoint. | |
AUTH_APP_DEBUG_PPROF | bool | false | Enables pprof, which can be used for profiling. |
AUTH_APP_DEBUG_ZPAGES | bool | false | Enables zpages, which can be used for collecting and viewing traces in-memory. |
AUTH_APP_GRPC_ADDR | string | 127.0.0.1:9246 | The bind address of the GRPC service. |
OCIS_GRPC_PROTOCOL AUTH_APP_GRPC_PROTOCOL |
string | tcp | The transport protocol of the GRPC service. |
AUTH_APP_HTTP_ADDR | string | 127.0.0.1:9247 | The bind address of the HTTP service. |
AUTH_APP_HTTP_ROOT | string | / | Subdirectory that serves as the root for this HTTP service. |
OCIS_CORS_ALLOW_ORIGINS AUTH_APP_CORS_ALLOW_ORIGINS |
[]string | [*] | A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. |
OCIS_CORS_ALLOW_METHODS AUTH_APP_CORS_ALLOW_METHODS |
[]string | [GET POST DELETE] | A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. |
OCIS_CORS_ALLOW_HEADERS AUTH_APP_CORS_ALLOW_HEADERS |
[]string | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest] | A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. |
OCIS_CORS_ALLOW_CREDENTIALS AUTH_APP_CORS_ALLOW_CREDENTIALS |
bool | true | Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
OCIS_HTTP_TLS_ENABLED | bool | false | Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. |
OCIS_HTTP_TLS_CERTIFICATE | string | Path/File name of the TLS server certificate (in PEM format) for the http services. | |
OCIS_HTTP_TLS_KEY | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. | |
OCIS_JWT_SECRET AUTH_APP_JWT_SECRET |
string | The secret to mint and validate jwt tokens. | |
OCIS_REVA_GATEWAY | string | com.owncloud.api.gateway | The CS3 gateway endpoint. |
OCIS_GRPC_CLIENT_TLS_MODE | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification. | |
OCIS_GRPC_CLIENT_TLS_CACERT | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | |
AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN | bool | false | Disables the encoding of the user’s group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups. |
OCIS_MACHINE_AUTH_API_KEY AUTH_APP_MACHINE_AUTH_API_KEY |
string | The machine auth API key used to validate internal requests necessary to access resources from other services. | |
AUTH_APP_ENABLE_IMPERSONATION | bool | false | Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments. |