- The user requests an ONAP service via the Istio Ingress Gateway, e.g. "https://sdc-fe-ui.simpledemo.onap.org".
- The request arrives at the gateway, whose "AuthorizationPolicy" (action CUSTOM) delegates the authorization decision to the "external" auth component: oauth2-proxy.
- oauth2-proxy is configured as an OIDC client of the identity provider "Keycloak".
- If the user has no valid session, oauth2-proxy redirects the browser to the Keycloak login page.
- When the user has authenticated successfully with Keycloak, oauth2-proxy receives the tokens (JWTs); the ID token carries a "groups" claim that is used for authorization.
- oauth2-proxy compares the "groups" claim with the configured allowed groups (e.g. "admins"). If "admins" is among the user's groups, oauth2-proxy stores the session in a cookie and sends it back to the requesting client, our user. Every following request is authorized from that cookie, so it should be scoped to the ONAP domain and marked Secure and HttpOnly (oauth2-proxy's defaults).
- The user is now forwarded to the actual application. If the application supports it, we can configure it to read the headers oauth2-proxy injects (e.g. "X-Auth-Request-Email", "X-Auth-Request-Preferred-Username"). This lets us set, for example, the "preferred_username" or "email" attributes in the application from the ID token claims.
Add oauth2-proxy as an external authorization provider ("extensionProviders") in the Istio MeshConfig (see the ONAP on ServiceMesh setup guide):
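The following IstioOperator fragment is an added example, not the configuration from the ONAP on ServiceMesh guide or the OOM repository. It registers oauth2-proxy as an extension provider so that an AuthorizationPolicy with action CUSTOM can hand the check to it. The service name, namespace ("onap") and port (oauth2-proxy's default 4180) are assumptions.

```yaml
# Added example (not from the page or the OOM/ONAP repositories): registering
# oauth2-proxy as an Istio extension provider for AuthorizationPolicy CUSTOM.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: onap-istio
  namespace: istio-system
spec:
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy               # referenced by AuthorizationPolicy spec.provider.name
      envoyExtAuthzHttp:
        service: oauth2-proxy.onap.svc.cluster.local   # assumption: OOM "platform/oauth2-proxy" in namespace "onap"
        port: 4180                                     # assumption: oauth2-proxy default listen port
        # Request headers Envoy sends along with the check. The cookie carries
        # the oauth2-proxy session; the authorization header only matters if
        # oauth2-proxy is also configured to accept bearer tokens.
        includeRequestHeadersInCheck:
        - authorization
        - cookie
        # Headers from an allowed (2xx) check that are passed to the ONAP
        # application; oauth2-proxy fills them from the ID token claims.
        headersToUpstreamOnAllow:
        - authorization
        - x-auth-request-user
        - x-auth-request-email
        - x-auth-request-preferred-username
        - x-auth-request-groups
        # Headers from a denied check that go back to the browser; set-cookie
        # and location are what make the redirect to the Keycloak login work.
        headersToDownstreamOnDeny:
        - content-type
        - set-cookie
        - location
        # Fail closed: if oauth2-proxy is unreachable the request is rejected
        # instead of reaching the application unauthenticated.
        failOpen: false
        statusOnError: "403"
```

The provider name is the link between the two halves of the setup: the AuthorizationPolicy created later refers to it by exactly this string, and a mismatch is rejected at policy validation time rather than silently allowing traffic.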
Add Client to ONAP realm
It will be part of the REALM imported by the OOM component "platform/keycloak-init" (https://git.onap.org/oom/tree/kubernetes/platform/components/keycloak-init).
Add Client "oauth2-proxy":
- Client ID: "oauth2-proxy"
- Name: "Oauth2 Proxy"
- Valid redirect URIs: "*" (convenient for a demo; in a real deployment restrict this to the oauth2-proxy callback URL(s), e.g. "https://<host>/oauth2/callback", because a wildcard lets the authorization code be sent to any redirect_uri an attacker chooses)
- Client secret: generate and note the value
Add Client scope "groups":
with a "Group Membership" mapper (claim name "groups"; leave "Full group path" off so the claim contains "admins" rather than "/admins", which is what oauth2-proxy will compare against):
Add the "groups" scope to the "oauth2-proxy" client scopes:
Create Group "admins" and add the user to the group:
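The realm fragment below is an added example of what the steps above produce, not a copy of the ONAP realm file shipped with keycloak-init. It is written in YAML like the other fragments on this page; Keycloak imports realms as JSON, so convert it (for example with `yq -o=json`) before merging it into the realm file. The realm name, the demo user and the secret placeholder are assumptions.

```yaml
# Added example (not the keycloak-init realm file): client, client scope with
# Group Membership mapper, group and a member user, as created above.
realm: ONAP                                 # assumption
clients:
- clientId: oauth2-proxy
  name: Oauth2 Proxy
  enabled: true
  protocol: openid-connect
  publicClient: false                       # confidential client, authenticates with the secret
  clientAuthenticatorType: client-secret
  secret: REPLACE-WITH-GENERATED-SECRET     # assumption; "generate and note value"
  standardFlowEnabled: true                 # authorization code flow used by oauth2-proxy
  directAccessGrantsEnabled: false          # no password grant for this client
  redirectUris:
  # The steps above use "*". Restricting to the oauth2-proxy callback on each
  # protected host closes the open-redirect of the authorization code.
  - https://sdc-fe-ui.simpledemo.onap.org/oauth2/callback
  defaultClientScopes:                      # "groups" is a default scope, so the claim is always issued
  - profile
  - email
  - roles
  - web-origins
  - groups
clientScopes:
- name: groups
  protocol: openid-connect
  attributes:
    include.in.token.scope: "true"
    display.on.consent.screen: "false"
  protocolMappers:
  - name: groups
    protocol: openid-connect
    protocolMapper: oidc-group-membership-mapper   # the "Group Membership" mapper
    consentRequired: false
    config:
      claim.name: groups
      full.path: "false"                    # claim value "admins", not "/admins"
      id.token.claim: "true"
      access.token.claim: "true"
      userinfo.token.claim: "true"
groups:
- name: admins
  path: /admins
users:
- username: demo-admin                      # assumption
  enabled: true
  email: demo-admin@example.org             # assumption; oauth2-proxy needs an email claim
  emailVerified: true
  groups:
  - /admins                                 # membership is given as the full group path
```

A quick check after import: log in to Keycloak with the user, fetch the ID token for the "oauth2-proxy" client and confirm the payload has `"groups": ["admins"]` without a leading slash; if it reads `"/admins"`, "Full group path" is still on and the group check in oauth2-proxy will never match.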
The pre-configured oauth2-proxy is part of the OOM component "platform/oauth2-proxy".
Configure oauth2-proxy in its values.yaml using "alphaConfig":
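Added example, not the values of the OOM "platform/oauth2-proxy" component: a values.yaml for the upstream oauth2-proxy Helm chart that uses "alphaConfig" for the provider, upstream and header settings and "alphaConfig.configFile" for options that only exist in the legacy format. The hostnames, the realm name "ONAP" and the secret placeholders are assumptions; in practice both secrets should come from a Kubernetes Secret rather than the values file.

```yaml
# Added example (not the OOM chart values): oauth2-proxy Helm values with
# alphaConfig for the Istio ext_authz flow described on this page.
config:
  cookieSecret: REPLACE-WITH-32-RANDOM-BYTES-BASE64   # assumption; encrypts the session cookie
alphaConfig:
  enabled: true
  configData:
    # In ext_authz mode nothing is proxied: a static 200 tells Envoy "allowed".
    upstreamConfig:
      upstreams:
      - id: static
        path: /
        static: true
        staticCode: 200
    # Headers on the check response; Envoy copies the ones listed in the
    # provider's headersToUpstreamOnAllow to the ONAP application.
    injectResponseHeaders:
    - name: x-auth-request-user
      values:
      - claim: user
    - name: x-auth-request-email
      values:
      - claim: email
    - name: x-auth-request-preferred-username
      values:
      - claim: preferred_username
    - name: x-auth-request-groups
      values:
      - claim: groups
    - name: authorization
      values:
      - claim: access_token
        prefix: "Bearer "
    providers:
    - id: keycloak
      provider: keycloak-oidc
      clientID: oauth2-proxy
      clientSecret: REPLACE-WITH-KEYCLOAK-CLIENT-SECRET   # assumption; the value noted in Keycloak
      # AuthZ: only members of "admins" get a session. With "Full group path"
      # off in the Keycloak mapper the claim value is exactly "admins".
      allowedGroups:
      - admins
      oidcConfig:
        issuerURL: https://keycloak-ui.simpledemo.onap.org/realms/ONAP   # assumption
        emailClaim: email
        groupsClaim: groups
        userIDClaim: preferred_username
  # Legacy-format options the alpha config does not cover.
  configFile: |-
    email_domains = [ "*" ]
    cookie_secure = true
    cookie_httponly = true
    cookie_domains = [ ".simpledemo.onap.org" ]
    whitelist_domains = [ ".simpledemo.onap.org" ]
    skip_provider_button = true
    reverse_proxy = true
```

Two of the legacy options are security-relevant rather than cosmetic: `cookie_domains` makes the session cookie valid for every ONAP host behind the gateway (one login for all UIs), and `whitelist_domains` limits where oauth2-proxy will redirect after login, so a crafted `rd=` parameter cannot bounce a user to an arbitrary site.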
Enable AuthN+AuthZ for ONAP SDC-UI
In the "London" release, additional configuration in the OOM values.yaml and _ingress.tpl generates the needed resources automatically.
Here are the manual steps to enable the Ingress redirection to oauth2-proxy for SDC-FE:
- Create an "AuthorizationPolicy" for sdc-fe
With the Kubernetes Gateway API the solution is slightly different, as the selector is different (e.g. when a common gateway is used):
Launch the SDC-FE URL:
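The two policies below are an added example, not the output of the OOM _ingress.tpl. The first selects the Istio ingress gateway pods; the second is the Gateway API variant, where Istio labels the generated gateway pods with the Gateway's name, so only the selector changes. Gateway namespace, labels and the name "common-gateway" are assumptions.

```yaml
# Added example (not the OOM template output): AuthorizationPolicy that sends
# every request for sdc-fe-ui.simpledemo.onap.org to the "oauth2-proxy"
# extension provider registered in the mesh config.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: sdc-fe-ui-oauth2-proxy
  namespace: istio-ingress                 # assumption: policy selects pods in its own namespace
spec:
  selector:
    matchLabels:
      istio: ingressgateway                # assumption: label of the Istio ingress gateway pods
  action: CUSTOM
  provider:
    name: oauth2-proxy                     # must match meshConfig.extensionProviders[].name
  rules:
  # Caveat: with action CUSTOM, requests that match no rule are NOT sent to
  # the provider and pass through. A typo in the host therefore fails open;
  # verify with an unauthenticated curl that the host really redirects.
  - to:
    - operation:
        hosts:
        - sdc-fe-ui.simpledemo.onap.org
---
# Gateway API variant: a common Gateway serves every ONAP host, so the
# selector targets the pods Istio generates for it and the "hosts" rule is
# what scopes the policy to SDC-FE.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: sdc-fe-ui-oauth2-proxy
  namespace: istio-ingress                 # assumption: namespace of the Gateway resource
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: common-gateway   # assumption: Gateway name
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts:
        - sdc-fe-ui.simpledemo.onap.org
```

Apply one of the two, then request the SDC-FE URL without a cookie: the expected result is a 302 to the Keycloak login page, and after login a session cookie for ".simpledemo.onap.org" followed by the SDC-FE page. A 200 on the first, cookie-less request means the policy did not match the gateway pods or the host and the application is reachable without authentication.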