INL / corpus-frontend

BlackLab Frontend, a feature-rich corpus search interface for BlackLab.

Any authentication plugins? #475

Closed fishfree closed 5 months ago

fishfree commented 6 months ago

For example: OAuth / CAS. I need to use corpus-frontend as an auth client against some authentication server, i.e. an OAuth 2 server / CAS server, etc.

KCMertens commented 6 months ago

We're working on native support. The latest corpus-frontend dev version can already log in using OIDC, but BlackLab support isn't finished yet. In the meantime, you can use something like oauth2-proxy. You can configure BlackLab to use a forwarded header as the username; corpus-frontend doesn't need any configuration, as it receives the username back from BlackLab.

E.g. blacklab-server.yaml:

```yaml
authentication:
  system:
    class: AuthRequestAttribute
    attributeName: x-forwarded-email # header set by oauth2-proxy
```

fishfree commented 6 months ago

@KCMertens Thank you! Can the corpus-frontend OIDC authenticate against a third-party OAuth2 server besides the BlackLab server?

KCMertens commented 6 months ago

Yes, in fact you will have to: our intent is to make BlackLab server act as a Resource Server, so it will just consume access tokens but not issue them.

fishfree commented 6 months ago

@KCMertens Thank you! I tried a lot, but no luck. I'm not good at understanding the OAuth protocol. Would you please share a copy of working configs for corpus-frontend & BlackLab & oauth2-proxy & an nginx reverse proxy?

KCMertens commented 6 months ago

Use 4-alpha5: I actually found an issue where authentication wasn't read as I had assumed in BlackLab, and the corpus-frontend didn't always send it correctly either; apologies for that.

The exact config depends on your needs, such as which Identity Provider you're using (Google, GitHub, a privately hosted Keycloak, etc.). It's out of scope to explain OAuth2/OIDC here, and there are plenty of tutorials online, but you don't have to know the exact ins and outs to get something working.

Here's an example setup using oauth2-proxy. You'll need to replace client_id, client_secret, oidc_issuer_url and redirect_url with your own settings. When I use this with our own Keycloak server it works; I haven't tried it with Google, GitHub, or any of those, but it should just work.

```yaml
# docker-compose.yml
services:
  blacklab:
    image: instituutnederlandsetaal/blacklab-frontend:4-alpha5
    container_name: blacklab
    volumes:
      - ./blacklab-server.yaml:/etc/blacklab/blacklab-server.yaml
      - ./corpus-frontend.properties:/etc/blacklab/corpus-frontend.properties

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy # bitnami version on dockerhub doesn't support upstreams through env vars
    container_name: oauth2-proxy
    depends_on:
      - redis
    ports:
      - 80:80

    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:80
      OAUTH2_PROXY_UPSTREAMS: http://blacklab:8080

      # Generic OpenID Connect; if you have a specific provider in mind,
      # see https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/
      OAUTH2_PROXY_PROVIDER: oidc

      # Change these to your own values
      OAUTH2_PROXY_CLIENT_ID: blacklab
      OAUTH2_PROXY_CLIENT_SECRET: secret
      OAUTH2_PROXY_COOKIE_SECRET: secret # still required with redis (it encrypts the session cookie); must be a random 16, 24 or 32 byte value, e.g. from `openssl rand -base64 32 | tr -- '+/' '-_'`
      OAUTH2_PROXY_OIDC_ISSUER_URL: # e.g. https://accounts.google.com/ (the proxy will automatically append .well-known/openid-configuration to this URL)
      OAUTH2_PROXY_REDIRECT_URL: http://localhost/oauth2/callback # domain is where you'll be serving corpus-frontend/blacklab, path should always be /oauth2/callback. This is the URL you'll need to set in your OIDC provider's callback setting
      OAUTH2_PROXY_EMAIL_DOMAINS: "*" # can be used to restrict access to users with a specific email domain (such as your employer's or institution's domain)

      # Redis settings, these should work
      OAUTH2_PROXY_SESSION_STORE_TYPE: redis
      OAUTH2_PROXY_REDIS_CONNECTION_URL: redis://redis:6379

  redis:
    image: redis:7.0-alpine
    container_name: redis
```

```yaml
# blacklab-server.yaml
---
configVersion: 2
indexLocations:
- /data/index
userIndexes: /data/user-index

# How to determine current user
# (you only need this if you want per-user private indices or authorization)
authentication:
  system:
    class: AuthRequestAttribute
    attributeName: x-forwarded-email
    attributeType: header
```

```properties
# corpus-frontend.properties
auth.source.type=header
auth.source.name=x-forwarded-email
auth.target.type=header
auth.target.name=x-forwarded-email
```

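The setup in the comment above only works (and is only safe) when the three files agree on one header name and when BlackLab is reachable through oauth2-proxy alone, since BlackLab's AuthRequestAttribute takes whatever arrives in that header as the logged-in user. The following is an added offline sanity check, not code from corpus-frontend, BlackLab or oauth2-proxy: it takes the three files as the Python objects a YAML / properties loader would return (constructed inline, so no packages beyond the standard library are needed) and reports the placeholder values and wiring mistakes a practitioner would otherwise discover only at start-up. It assumes oauth2-proxy's documented rules that the cookie secret must be 16, 24 or 32 bytes (raw or base64) and that `pass_user_headers`, on by default, is what sets `x-forwarded-email`; the `with_env` helper is mine.

```python
import base64
import copy
from urllib.parse import urlparse

HEADER = "x-forwarded-email"  # set by oauth2-proxy; pass_user_headers is on by default

# Constructed: the three files above as yaml.safe_load / a .properties reader
# would return them, so the checks run without extra packages.
COMPOSE = {"services": {
    "blacklab": {
        "image": "instituutnederlandsetaal/blacklab-frontend:4-alpha5",
        "volumes": ["./blacklab-server.yaml:/etc/blacklab/blacklab-server.yaml",
                    "./corpus-frontend.properties:/etc/blacklab/corpus-frontend.properties"]},
    "oauth2-proxy": {
        "image": "quay.io/oauth2-proxy/oauth2-proxy", "depends_on": ["redis"], "ports": ["80:80"],
        "environment": {
            "OAUTH2_PROXY_HTTP_ADDRESS": "0.0.0.0:80",
            "OAUTH2_PROXY_UPSTREAMS": "http://blacklab:8080",
            "OAUTH2_PROXY_PROVIDER": "oidc",
            "OAUTH2_PROXY_CLIENT_ID": "blacklab",
            "OAUTH2_PROXY_CLIENT_SECRET": "secret",
            "OAUTH2_PROXY_COOKIE_SECRET": "secret",
            "OAUTH2_PROXY_OIDC_ISSUER_URL": None,  # left empty in the comment above
            "OAUTH2_PROXY_REDIRECT_URL": "http://localhost/oauth2/callback",
            "OAUTH2_PROXY_EMAIL_DOMAINS": "*",
            "OAUTH2_PROXY_SESSION_STORE_TYPE": "redis",
            "OAUTH2_PROXY_REDIS_CONNECTION_URL": "redis://redis:6379"}},
    "redis": {"image": "redis:7.0-alpine"}}}
BLACKLAB_AUTH = {"system": {"class": "AuthRequestAttribute",
                            "attributeName": "x-forwarded-email", "attributeType": "header"}}
FRONTEND_PROPS = {"auth.source.type": "header", "auth.source.name": "x-forwarded-email",
                  "auth.target.type": "header", "auth.target.name": "x-forwarded-email"}


def _secret_ok(value):
    """oauth2-proxy accepts a raw or URL-safe-base64 secret that yields 16, 24 or 32 bytes."""
    if not value:
        return False
    try:
        if len(base64.urlsafe_b64decode(value)) in (16, 24, 32):
            return True
    except ValueError:  # not valid base64; fall through to the raw length test
        pass
    return len(value.encode()) in (16, 24, 32)


def with_env(compose, **overrides):
    """Deep copy of the compose config with oauth2-proxy environment values replaced (helper)."""
    clone = copy.deepcopy(compose)
    clone["services"]["oauth2-proxy"].setdefault("environment", {}).update(overrides)
    return clone


def check_compose(compose, upstream="blacklab", proxy="oauth2-proxy"):
    """Return (level, message) findings; 'error' means the stack will not start or is unsafe."""
    out, services = [], compose.get("services", {})
    env = services.get(proxy, {}).get("environment") or {}
    # BlackLab trusts HEADER as-is, so the only route to it must run through the
    # proxy: the upstream service must not publish a host port of its own.
    if services.get(upstream, {}).get("ports"):
        out.append(("error", f"service '{upstream}' publishes host ports; only '{proxy}' may be reachable"))
    hosts = [urlparse(u.strip()).hostname for u in (env.get("OAUTH2_PROXY_UPSTREAMS") or "").split(",")]
    if upstream not in hosts:
        out.append(("error", f"OAUTH2_PROXY_UPSTREAMS does not point at service '{upstream}'"))
    if not _secret_ok(env.get("OAUTH2_PROXY_COOKIE_SECRET")):
        out.append(("error", "OAUTH2_PROXY_COOKIE_SECRET must be 16, 24 or 32 random bytes (raw or base64)"))
    if not env.get("OAUTH2_PROXY_OIDC_ISSUER_URL"):
        out.append(("error", "OAUTH2_PROXY_OIDC_ISSUER_URL is empty"))
    if env.get("OAUTH2_PROXY_CLIENT_SECRET") in (None, "", "secret"):
        out.append(("warning", "OAUTH2_PROXY_CLIENT_SECRET looks like a placeholder"))
    if urlparse(env.get("OAUTH2_PROXY_REDIRECT_URL") or "").path != "/oauth2/callback":
        out.append(("error", "OAUTH2_PROXY_REDIRECT_URL path must be /oauth2/callback"))
    if env.get("OAUTH2_PROXY_EMAIL_DOMAINS") == "*":
        out.append(("warning", "OAUTH2_PROXY_EMAIL_DOMAINS='*' admits every account the identity provider knows"))
    if str(env.get("OAUTH2_PROXY_PASS_USER_HEADERS", "true")).lower() == "false":
        out.append(("error", f"pass_user_headers is off, so {HEADER} never reaches BlackLab"))
    return out


def check_header_names(blacklab_auth, frontend_props, header=HEADER):
    """All three components must agree on the header name and on reading it as a header."""
    out, system = [], blacklab_auth.get("system", {})
    if system.get("class") != "AuthRequestAttribute" or system.get("attributeType") != "header":
        out.append(("error", "blacklab-server.yaml needs class AuthRequestAttribute with attributeType: header"))
    if frontend_props.get("auth.source.type") != "header" or frontend_props.get("auth.target.type") != "header":
        out.append(("error", "corpus-frontend.properties auth.source.type and auth.target.type must be 'header'"))
    names = {str(system.get("attributeName")).lower(), str(frontend_props.get("auth.source.name")).lower(),
             str(frontend_props.get("auth.target.name")).lower()}
    if names != {header.lower()}:
        out.append(("error", f"header names disagree: {sorted(names)}"))
    return out


def errors(findings):
    return [msg for level, msg in findings if level == "error"]


if __name__ == "__main__":
    for level, msg in check_compose(COMPOSE) + check_header_names(BLACKLAB_AUTH, FRONTEND_PROPS):
        print(f"{level.upper():8}{msg}")
```

Run against the files exactly as posted, the script reports two errors (the 6-byte cookie secret and the empty issuer URL) and two warnings (the placeholder client secret and the wildcard email domain); the header wiring itself passes. Once the real values are filled in it reports nothing, and adding a `ports:` entry to the blacklab service brings back the exposure error, which is the check to keep if an nginx layer is later put in front of the proxy.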
KCMertens commented 6 months ago

To add on, this setup doesn't use nginx-proxy; I just exposed oauth2-proxy on port 80, though I think you can just change that and add nginx-proxy on top.

fishfree commented 6 months ago

@KCMertens Thank you very much! I will try later. Now I cannot figure out one point in your docker-compose.yml file: the blacklab service does not expose a port, so how do I access the corpus-frontend web interface?

KCMertens commented 6 months ago

oauth2-proxy proxies it; check the OAUTH2_PROXY_UPSTREAMS setting.

fishfree commented 5 months ago

Thank you very much for your explanation and sharing! @KCMertens