Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/flynn/hubauth

Flynn OAuth 2.0 authentication/authorization server
https://github.com/flynn/hubauth

Last synced: 2 months ago
JSON representation

Flynn OAuth 2.0 authentication/authorization server

Host: GitHub
URL: https://github.com/flynn/hubauth
Owner: flynn
License: apache-2.0
Created: 2020-02-15T00:58:28.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2024-02-18T11:54:53.000Z (11 months ago)
Last Synced: 2024-08-01T10:17:34.005Z (5 months ago)
Language: Go
Homepage:
Size: 447 KB
Stars: 2
Watchers: 6
Forks: 3
Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome - flynn/hubauth - Flynn OAuth 2.0 authentication/authorization server (others)

README

# hubauth

Hubauth is a service that provides Single Sign-On for Flynn clusters. It operates as an OAuth 2.0 server that the Flynn CLI and Dashboard interact with, and issues signed tokens that the Flynn controller consumes.

Users are authenticated using G Suite via OpenID Connect, and their group membership is checked to determine which clusters (audiences) they have access to.

The service is deployed on Google Cloud Run, and uses Firestore in Datastore mode as the database.

Cloud Key Management Service is used to store signing keys.

## Testing

The test environment can be built in Docker by running:

```
docker build -t hubauth-test -f test.Dockerfile .
```

The tests can be run with:

```
docker run --rm -v `pwd`:/app hubauth-test
```

## Deployment in testing

Create docker tag for gcr.io and push the image:

```
docker build -t us.gcr.io//hubauth-dev:latest -f build.Dockerfile .
docker push us.gcr.io/ Cryptographic Keys

Create a KMS keyring:
- name: `hubauth-keyring`
- location: `global`
Create a KMS key:
- name: `refresh_key`
- type: `software Asymmetric sign key`

And save its `version 1` resource name

In Security > Secret manager:
Create secrets
- `HUBAUTH_COOKIE_KEY_SECRET`: secure random value
- `HUBAUTH_CODE_KEY_SECRET`: secure random value

And save their resource IDs

### In IAM

Grant default compute account the roles:
- Cloud KMS CryptoKey Signer/Verifier
- Cloud Trace Agent
- Cloud Datastore User
- Errors Writer
- Service Account Token Creator
- Monitoring Metric Writer
- Cloud Run Invoker
- Secret Manager Secret Accessor

### In Cloud Run

Create service:
- Name: `hubauth-ext`
- Allows unauthenticated invocations
- Select the previously pushed docker image

Then edit & deploy new revision:
- Container command: `/app/hubauth-ext`
- Variables:
- PROJECT_ID: current GCP project id
- REFRESH_KEY: set it to the KMS refresh_key resource name saved previously
- COOKIE_KEY_SECRET: set to the resource ID from `HUBAUTH_COOKIE_KEY_SECRET`
- CODE_KEY_SECRET: set to the resource ID from `HUBAUTH_CODE_KEY_SECRET`
- KMS_LOCATION: `global`
- KMS_KEYRING: `hubauth-keyring`

And save the deployment URL

Create service:
- Name: `hubauth-int`
- Allows unauthenticated invocations
- Select the previously pushed docker image

Then edit & deploy new revision:
- Container command: `/app/hubauth-int`
- Variables:
- PROJECT_ID: current GCP project id

And save the deployment URL

### In APIs & Services

Enable the APIs:
- Cloud Run Admin API
- Cloud Trace API
- Secret Manager API
- Cloud Key Management Service (KMS) API
- IAM Service Account Credentials API
- Cloud Scheduler API
- Admin SDK
- Cloud Functions API

Create OAUTH Consent screen:
- Application type: `internal`
- Application name: `hubauth`
- Authorized domains: add the cloud run url for hubauth-ext

Create OAUTH Credential:
- Type: `web application`
- Name: `hubauth`
- Authorized url: add the cloud run url for hubauth-ext: `/rp/google`

Save `Client ID` and `Client secret`

### In Cloud RUN

Create a new deployment for `hubauth-ext`, and set the following variables:
- BASE_URL: add the cloud run url for hubauth-ext
- RP_GOOGLE_CLIENT_ID: the previously saved `Client ID`
- RP_GOOGLE_CLIENT_SECRET: the previously saved `Client secret`

### In Cloud Scheduler

Create a new job:
- Name: `hubauth-cron`
- Frequency: `0 */1 * * *`
- URL: use the hubauth-int URL: `/cron`

## Hubauth CLI

Configure gcloud auth application-default with the following command, and follow the browser instructions:

```
gcloud auth application-default login
```

You'll need to create a client, and audience and ask an admin for setting up the policy (it requires allowing your app and user on org level, and allow the compute service account oauth ClientID on GSuite domain).

### Example commands

```
# create client
go run cmd/hubauth/main.go --project-id="" clients create \
--redirect-uris http://localhost \
--refresh-token-expiry 3600

# list clients
go run cmd/hubauth/main.go --project-id="" clients list

# create audience
go run cmd/hubauth/main.go --project-id="" audiences create \
--audience-url https://localhost \
--client-ids EhEKBkNsaWVudBCAgIDo14eBCg \
--kms-location global \
--kms-keyring hubauth

# list audiences
go run cmd/hubauth/main.go --project-id="" audiences list

# set audience policy
go run cmd/hubauth/main.go --project-id="" audiences set-policy \
--audience-url https://localhost \
--domain domain.io \
--api-user [email protected] \
--groups group1,group2

go run cmd/hubauth/main.go --project-id="" audiences key \
--audience-url https://localhost \
--kms-location global \
--kms-keyring hubauth
```