Closed fishfree closed 5 months ago
We're working on native support. The latest corpus-frontend dev version can already log in using OIDC, but BlackLab support isn't finished yet. In the meantime, you can use something like oauth2-proxy. You can configure BlackLab to use a forwarded header as username, corpus-frontend doesn't need any configuration, it receives the username back from BlackLab.
E.g. blacklab-server.yaml:

```yaml
authentication:
  system:
    class: AuthRequestAttribute
    attributeName: x-forwarded-email # header set by oauth2-proxy
```
@KCMertens Thank you! Can the corpus-frontend OIDC authenticate against third-party OAuth2 Server besides BlackLab server?
Yes, in fact you will have to, our intent is to make BlackLab server act as a Resource Server, so it will just consume access tokens but not issue them.
@KCMertens Thank you! I tried a lot, but no luck. I'm not good at understanding the OAUTH protocol. Would you please share a copy of working configs of Corpus-frontend & BlackLab & oauth2-proxy & nginx reverse proxy?
Use 4-alpha5:
I actually found an issue where authentication wasn't read as I had assumed in BlackLab, and the corpus-frontend didn't always send it correctly either, apologies for that.
The exact config depends on your needs, such as which Identity Provider you're using (google, github, privately hosted keycloak, etc). It's out of scope to explain oauth2/oidc here, there's plenty of tutorials online, but you don't have to know the exact ins and outs to get something working.
Here's an example setup using oauth2-proxy, you'll need to replace client_id, client_secret, oidc_issuer_url and redirect_url with your own settings.
When I use this with our own keycloak server, it works, though I haven't tried it with google, github, or any of those, it should just work.
```yaml
# docker-compose.yml
services:
  blacklab:
    image: instituutnederlandsetaal/blacklab-frontend:4-alpha5
    container_name: blacklab
    # no ports: only oauth2-proxy can reach it on the compose network
    volumes:
      - ./blacklab-server.yaml:/etc/blacklab/blacklab-server.yaml
      - ./corpus-frontend.properties:/etc/blacklab/corpus-frontend.properties
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy # bitnami version on dockerhub doesn't support upstreams through env vars
    container_name: oauth2-proxy
    depends_on:
      - redis
    ports:
      - "80:80"
    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:80
      OAUTH2_PROXY_UPSTREAMS: http://blacklab:8080
      # Generic OpenID Connect; if you have a specific provider in mind,
      # see https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/
      OAUTH2_PROXY_PROVIDER: oidc
      # Change these to your own values
      OAUTH2_PROXY_CLIENT_ID: blacklab
      OAUTH2_PROXY_CLIENT_SECRET: secret
      # Placeholder, replace it: must be 16, 24 or 32 bytes; it is still used to encrypt the session cookie when the redis store is active
      OAUTH2_PROXY_COOKIE_SECRET: "0123456789abcdef0123456789abcdef"
      OAUTH2_PROXY_OIDC_ISSUER_URL: # e.g. https://accounts.google.com/ (the proxy will automatically append .well-known/openid-configuration to this URL)
      OAUTH2_PROXY_REDIRECT_URL: http://localhost/oauth2/callback # domain is where you'll be serving corpus-frontend/blacklab, path should always be /oauth2/callback. This is the URL you'll need to set in your OIDC provider callback setting
      OAUTH2_PROXY_EMAIL_DOMAINS: "*" # can be used to restrict access to users with a specific email domain (such as your employer or institution's domain)
      # Redis settings, these should work
      OAUTH2_PROXY_SESSION_STORE_TYPE: redis
      OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis:6379
  redis:
    image: redis:7.0-alpine
    container_name: redis
```
```yaml
# blacklab-server.yaml
---
configVersion: 2
indexLocations:
  - /data/index
userIndexes: /data/user-index
# How to determine current user
# (you only need this if you want per-user private indices or authorization)
authentication:
  system:
    class: AuthRequestAttribute
    attributeName: x-forwarded-email
    attributeType: header
```
```properties
# corpus-frontend.properties
auth.source.type=header
auth.source.name=x-forwarded-email
auth.target.type=header
auth.target.name=x-forwarded-email
```
To add on, this setup doesn't use nginx-proxy, I just exposed oauth2-proxy on port 80, though I think you can just change that and add nginx-proxy on top.
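The three files above only work together when they agree on one header name and when BlackLab cannot be reached except through oauth2-proxy (since AuthRequestAttribute trusts whatever is in that header). The script below is an added consistency check, not part of the thread or of the BlackLab/oauth2-proxy projects. The configs are embedded as constructed Python structures mirroring the files in the thread, so it runs without PyYAML; `check_setup`, `parse_properties` and `PROXY_USER_HEADER` are names chosen here, and the assumption that oauth2-proxy sets `x-forwarded-email` on upstream requests reflects its default pass-user-headers behaviour.

```python
"""Consistency checks for an oauth2-proxy + BlackLab + corpus-frontend setup.

The three configs below are constructed copies of the ones in the thread,
embedded as Python structures so the script runs without PyYAML.
"""
from urllib.parse import urlparse

# --- constructed sample configs (mirroring the thread's files) ---------------
COMPOSE = {
    "services": {
        "blacklab": {
            "image": "instituutnederlandsetaal/blacklab-frontend:4-alpha5",
            # no "ports": only reachable from other containers on the compose network
        },
        "oauth2-proxy": {
            "image": "quay.io/oauth2-proxy/oauth2-proxy",
            "ports": ["80:80"],
            "environment": {
                "OAUTH2_PROXY_UPSTREAMS": "http://blacklab:8080",
                "OAUTH2_PROXY_PROVIDER": "oidc",
                "OAUTH2_PROXY_REDIRECT_URL": "http://localhost/oauth2/callback",
                "OAUTH2_PROXY_EMAIL_DOMAINS": "*",
            },
        },
        "redis": {"image": "redis:7.0-alpine"},
    }
}

BLACKLAB_SERVER = {
    "configVersion": 2,
    "authentication": {
        "system": {
            "class": "AuthRequestAttribute",
            "attributeName": "x-forwarded-email",
            "attributeType": "header",
        }
    },
}

CORPUS_FRONTEND_PROPERTIES = """\
auth.source.type=header
auth.source.name=x-forwarded-email
auth.target.type=header
auth.target.name=x-forwarded-email
"""

# Header oauth2-proxy sets on upstream requests when pass-user-headers is on (its default).
PROXY_USER_HEADER = "x-forwarded-email"


def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key:value) lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_setup(compose, blacklab_conf, frontend_props_text, proxy_service="oauth2-proxy"):
    """Return a list of problems; an empty list means the three configs agree."""
    problems = []
    services = compose.get("services", {})
    env = services.get(proxy_service, {}).get("environment", {})

    # 1. The proxy must forward to a service that exists in the compose file.
    backend = urlparse(env.get("OAUTH2_PROXY_UPSTREAMS", "")).hostname
    if backend not in services:
        problems.append(f"upstream host {backend!r} is not a compose service")
    # 2. The backend trusts a header, so it must not be reachable without the proxy.
    elif services[backend].get("ports"):
        problems.append(f"service {backend!r} publishes ports; the forwarded header could be set by any client")

    # 3. The callback path must be the one oauth2-proxy serves.
    if urlparse(env.get("OAUTH2_PROXY_REDIRECT_URL", "")).path != "/oauth2/callback":
        problems.append("OAUTH2_PROXY_REDIRECT_URL path must be /oauth2/callback")

    # 4. BlackLab must read exactly the header the proxy sets (header names are case-insensitive).
    auth = blacklab_conf.get("authentication", {}).get("system", {})
    if auth.get("class") != "AuthRequestAttribute":
        problems.append("blacklab-server: authentication.system.class should be AuthRequestAttribute")
    if auth.get("attributeType") != "header":
        problems.append("blacklab-server: attributeType should be 'header'")
    if (auth.get("attributeName") or "").lower() != PROXY_USER_HEADER:
        problems.append(f"blacklab-server: attributeName {auth.get('attributeName')!r} != {PROXY_USER_HEADER!r}")

    # 5. corpus-frontend must read and pass on that same header.
    props = parse_properties(frontend_props_text)
    for side in ("source", "target"):
        if props.get(f"auth.{side}.type") != "header":
            problems.append(f"corpus-frontend: auth.{side}.type should be 'header'")
        if (props.get(f"auth.{side}.name") or "").lower() != PROXY_USER_HEADER:
            problems.append(f"corpus-frontend: auth.{side}.name != {PROXY_USER_HEADER!r}")

    # 6. "*" accepts any authenticated account; flag it so it is a conscious choice.
    if env.get("OAUTH2_PROXY_EMAIL_DOMAINS", "*") == "*":
        problems.append("warning: OAUTH2_PROXY_EMAIL_DOMAINS is '*', any email domain is accepted")
    return problems


if __name__ == "__main__":
    for problem in check_setup(COMPOSE, BLACKLAB_SERVER, CORPUS_FRONTEND_PROPERTIES):
        print(problem)
```

Run against the thread's configs it reports only the email-domain warning; adding a `ports:` entry to the blacklab service makes it flag that the header-trusting backend has become directly reachable.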
@KCMertens Thank you very much! I will try later. Now I cannot figure out one point in your docker-compose.yml file: the blacklab service does not expose a port, how to access the corpus-frontend web interface?
Oauth2-proxy proxies it, check the OAUTH2_PROXY_UPSTREAMS setting
Thank you very much for your explanation and sharing! @KCMertens
For example: OAuth / CAS. I need to use corpus-frontend as an auth-client against some authentication server, i.e. OAuth 2 server / CAS server, etc.