chore: Integrate authentication library (#81)

Fixes #2. High-level changes: - Integrate [`mock-oauth2-server`](https://github.com/navikt/mock-oauth2-server) in development. - Integrate fork of [`fastify-auth0-verify`](https://github.com/nearform/fastify-auth0-verify). See #82. #84 will actually use `request.user` to enforce authorisation, so no endpoint is being updated to enforce authorisation here. # Testing This PR can be verified by creating the dummy route `GET /authn` as follows: ```diff diff --git a/src/services/routes/healthcheck.routes.ts b/src/services/routes/healthcheck.routes.ts index 7b7abe7..6cf48d3 100644 --- a/src/services/routes/healthcheck.routes.ts +++ b/src/services/routes/healthcheck.routes.ts @@ -20,5 +20,15 @@ export default function registerRoutes( }, }); + fastify.route({ + method: ['GET'], + url: '/authn', + preValidation: fastify.authenticate, + + async handler(request, reply): Promise<void> { + await reply.code(HTTP_STATUS_CODES.OK).send(request.user); + }, ``` Then making requests to it as follows: ```http ### Make anonymous request GET http://veraid-authority.default.10.103.177.106.sslip.io/authn ### Make authenticated request with invalid credentials GET http://veraid-authority.default.10.103.177.106.sslip.io/authn Authorization: Bearer INVALID_TOKEN ### Make authenticated request with valid credentials GET http://veraid-authority.default.10.103.177.106.sslip.io/authn Authorization: Bearer <VALID-TOKEN-HERE> ``` `<VALID-TOKEN-HERE>` can be obtained with: ```http ### Authenticate with authorisation server (client credentials) POST http://mock-authz-server.default.10.103.177.106.sslip.io/default/token Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&client_id=admin@example.com&client_secret=s3cr3t ```
relaycorp · Apr 10, 2023 · fa02bb5 · fa02bb5
1 parent 7059ed0
commit fa02bb5
Show file tree

Hide file tree

Showing 9 changed files with 572 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -2,6 +2,15 @@
 
 VeraId Certificate Authority (CA) server.
 
+## Environment variables
+
+- `AUTHORITY_VERSION` (required). The version of this server.
+- `MONGODB_URI` (required).
+- OAuth2 authentication:
+  - `OAUTH2_JWKS_URL` (required). The URL to the JWKS endpoint of the authorisation server.
+  - Either `OAUTH2_TOKEN_ISSUER` or `OAUTH2_TOKEN_ISSUER_REGEX` (required). The (URL of the) authorisation server.
+  - `OAUTH2_TOKEN_AUDIENCE` (required). The identifier of the current instance of this server (typically its public URL).
+
 ## Development
 
 This app requires the following system dependencies:

diff --git a/k8s/mock-authz-server.yml b/k8s/mock-authz-server.yml
@@ -0,0 +1,13 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: mock-authz-server
+spec:
+  template:
+    spec:
+      containers:
+        - name: mock-oauth2-server
+          image: ghcr.io/navikt/mock-oauth2-server:0.5.8
+          readinessProbe:
+            httpGet:
+              path: /default/.well-known/openid-configuration
diff --git a/k8s/service.yml b/k8s/service.yml
@@ -29,6 +29,13 @@ spec:
             - name: MONGODB_URI
               value: mongodb://$(MONGODB_USERNAME):$(MONGODB_PASSWORD)@mongodb
 
+            - name: OAUTH2_JWKS_URL
+              value: http://mock-authz-server.default/default/jwks
+            - name: OAUTH2_TOKEN_AUDIENCE
+              value: default
+            - name: OAUTH2_TOKEN_ISSUER_REGEX
+              value: ^http://[^/]+/default$
+
             # Mock AWS KMS (used by WebCrypto KMS)
             - name: KMS_ADAPTER
               value: AWS