work on configuring beacon OIDC for data access

etc/bento.env

@@ -391,7 +391,7 @@ BENTO_PUBLIC_PORTAL_URL=${BENTOV2_PORTAL_PUBLIC_URL}
 BENTO_BEACON_CONTAINER_NAME=${BENTOV2_PREFIX}-beacon
 BENTO_BEACON_NETWORK=${BENTOV2_PREFIX}-beacon-net
 BENTO_BEACON_IMAGE=ghcr.io/bento-platform/bento_beacon
-BENTO_BEACON_VERSION=0.15.2
+BENTO_BEACON_VERSION=pr-107
 BENTO_BEACON_VERSION_DEV=${BENTO_BEACON_VERSION}-dev
 BENTO_BEACON_INTERNAL_PORT=${BENTO_STD_SERVICE_INTERNAL_PORT}
 BENTO_BEACON_EXTERNAL_PORT=5000
@@ -404,7 +404,6 @@ BENTO_BEACON_CONFIG_DIR=${PWD}/lib/beacon/config
 BENTO_BEACON_GOHAN_BASE_URL=http://${BENTOV2_GOHAN_API_CONTAINER_NAME}:${BENTOV2_GOHAN_API_INTERNAL_PORT}
 BENTO_BEACON_KATSU_TIMEOUT=60
 BENTO_BEACON_GOHAN_TIMEOUT=60
-BENTO_BEACON_OIDC_ISSUER=${BENTOV2_AUTH_PUBLIC_URL}/auth/realms/${BENTOV2_AUTH_REALM}
 
 # cBioPortal
 

etc/bento_deploy.env

@@ -51,13 +51,17 @@ BENTOV2_AUTH_TEST_PASSWORD=
 BENTO_AUTH_DB_PASSWORD=  # TODO: SET ME WHEN DEPLOYING!
 BENTO_AUTHZ_DB_PASSWORD=  # TODO: SET ME WHEN DEPLOYING!
 
+#  - Aggregation/Beacon client ID/secret; client within BENTOV2_AUTH_REALM
+BENTO_AGGREGATION_CLIENT_ID=aggregation
+BENTO_AGGREGATION_CLIENT_SECRET=  # TODO: SET ME WHEN DEPLOYING!
+
 #  - WES Client ID/secret; client within BENTOV2_AUTH_REALM
 BENTO_WES_CLIENT_ID=wes
 BENTO_WES_CLIENT_SECRET=  # TODO: SET ME WHEN DEPLOYING!
 
 #  - Grafana Client ID/secret; client within BENTOV2_AUTH_REALM
 BENTO_GRAFANA_CLIENT_ID=grafana
-BENTO_GRAFANA_CLIENT_SECRET=
+BENTO_GRAFANA_CLIENT_SECRET=  # TODO: SET ME WHEN DEPLOYING IF GRAFANA IS ENABLED!
 # ---------------------------------------------------------------------
 
 BENTO_WEB_CUSTOM_HEADER=

etc/bento_dev.env

@@ -51,6 +51,10 @@ BENTOV2_AUTH_ADMIN_PASSWORD=
 BENTOV2_AUTH_TEST_USER=
 BENTOV2_AUTH_TEST_PASSWORD=
 
+#  - Aggregation/Beacon client ID/secret; client within BENTOV2_AUTH_REALM
+BENTO_AGGREGATION_CLIENT_ID=aggregation
+BENTO_AGGREGATION_CLIENT_SECRET=
+
 #  - WES Client ID/secret; client within BENTOV2_AUTH_REALM
 BENTO_WES_CLIENT_ID=wes
 BENTO_WES_CLIENT_SECRET=

etc/default_config.env

@@ -78,6 +78,9 @@ BENTOV2_AUTH_TEST_PASSWORD=
 #  - Auth (Keycloak) DB credentials
 BENTO_AUTH_DB_PASSWORD=
 BENTO_AUTHZ_DB_PASSWORD=
+#  - Aggregation/Beacon client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM
+BENTO_AGGREGATION_CLIENT_ID=aggregation
+BENTO_AGGREGATION_CLIENT_SECRET=
 #  - cBioPortal Client ID/secret; secret to be filled by local.env - client within BENTOV2_AUTH_REALM
 BENTO_CBIOPORTAL_CLIENT_ID=cbioportal
 BENTO_CBIOPORTAL_CLIENT_SECRET=

lib/beacon/docker-compose.beacon.yaml

@@ -15,16 +15,18 @@ services:
       - BENTO_BEACON_DEBUGGER_INTERNAL_PORT
       - BENTO_BEACON_DEBUGGER_EXTERNAL_PORT
       - CONFIG_ABSOLUTE_PATH=/config/
-      - OIDC_ISSUER=${BENTO_BEACON_OIDC_ISSUER}
-      - CLIENT_ID=${BENTOV2_AUTH_CLIENT_ID}
       - BEACON_BASE_URL=${BENTOV2_PUBLIC_URL}/api/beacon
       - BENTO_BEACON_VERSION=${BENTO_BEACON_VERSION}
       - BENTO_PUBLIC_CLIENT_NAME
       - BENTOV2_DOMAIN
       - BENTOV2_PUBLIC_URL
       - BENTO_BEACON_UI_ENABLED
-      - BENTO_AUTHZ_SERVICE_URL
       - DRS_URL=${BENTOV2_PUBLIC_URL}/api/drs
+      # Authorization
+      - BENTO_AUTHZ_SERVICE_URL
+      - BENTO_OPENID_CONFIG_URL
+      - BEACON_CLIENT_ID=BENTO_AGGREGATION_CLIENT_ID
+      - BEACON_CLIENT_SECRET=BENTO_AGGREGATION_CLIENT_SECRET
     volumes:
       - ${BENTO_BEACON_CONFIG_DIR}:/config:ro
     networks: 

py_bentoctl/auth_helper.py

@@ -37,6 +37,8 @@
 AUTH_TEST_PASSWORD = os.getenv("BENTOV2_AUTH_TEST_PASSWORD")
 AUTH_CONTAINER_NAME = os.getenv("BENTOV2_AUTH_CONTAINER_NAME")
 
+AGGREGATION_CLIENT_ID = os.getenv("BENTO_AGGREGATION_CLIENT_ID")
+
 CBIOPORTAL_CLIENT_ID = os.getenv("BENTO_CBIOPORTAL_CLIENT_ID")
 
 WES_CLIENT_ID = os.getenv("BENTO_WES_CLIENT_ID")
@@ -459,6 +461,16 @@ def set_include_client_roles_in_id_tokens(token: str):
         elif roles_mapper["config"]["id.token.claim"] == "true":
             warn("    The 'client roles' scope mapper already includes roles in the ID token.")
 
+    def create_aggregation_client_if_needed(token: str) -> None:
+        create_client_and_secret_for_service(
+            AGGREGATION_CLIENT_ID,
+            "BENTO_AGGREGATION_CLIENT_SECRET",
+            None,
+            token,
+            is_service_account=True,
+            to_restart="Aggregation and Beacon",
+        )
+
     # noinspection PyUnusedLocal
     def create_cbioportal_client_if_needed(token: str) -> None:
         create_client_and_secret_for_service(
@@ -544,6 +556,10 @@ def success():
     create_web_client_if_needed(access_token)
     success()
 
+    info(f"  Creating aggregation/Beacon client: {AGGREGATION_CLIENT_ID}")
+    create_aggregation_client_if_needed(access_token)
+    success()
+
     # TODO: if cBioPortal ever needs auth implemented, re-enable this and set up Bento Gateway to handle cBioPortal
     #  client authorization.
     #   - David L, 2024-03-25