Auth callout - Better doc/guidance to integrate with an OAuth2/OIDC provider

[avanide]

Proposed change

I believe the integration with OAuth2/OIDC should have an improved documentation.

I've read the callout doc (https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_callout), the related design (https://github.com/nats-io/nats-architecture-and-design/blob/main/adr/ADR-26.md), the example (https://natsbyexample.com/examples/auth/callout/cli) and the related github issue (https://github.com/nats-io/nats-server/issues/434).

I have good knowledge of OAuth2/OIDC but not that much in NATS.io (sorry for that). After those readings, I'm not able to clearly understand how callout works with Oauth2&OIDC.

By using OAuth2/OIDC and callout, does it mean:

• Each user with a valid access token from the authorization server will be able to connect to NATS? Is it true whatever the code flow is? (client credentials, Authorization code flow)
• For each user, must we create a user entry in NATS ?
• How does NATS validate access tokens? Local validation or remote token introspection?
• Is there any tutorial/how to which shows how to test OAuth2/OIDC with any well known authorization server (Keycloak, Cognito, Auth0, any other?)?

Sorry for these basic questions and any help will be appreciated.

Use case

• Integrate NATS in a broader auth strategy that relies mainly on Oauth2/OIDC for authentication

Contribution

While I can contribute, I don't have the knowledge on NATS

[YoSev]

We are in the same boat. We have been using Nats for roughly 3 years now using a custom-auth-implementation to authenticate and authorize our users against our own identiy provider and let me tell you, it's annoying to maintain. I remember being part of the Ticket (https://github.com/nats-io/nats-server/issues/434) in November 2022 and until today i could not find an out of the box solution.

It looks like auth_callout aims in that direction but it either lacks functionality or documentation for using and external service to validate authentications and handle authorization.

[derekcollison]

@YoSev we recommend reaching out to Synadia for a commercial engagement to get things rolling. We have many customers who are now using auth callouts. Its design is around a mutual zero-trust, hence secure, back and forth so can be complex to get started with just the ADR etc. Synadia can help tremendously here.

[acmayberry]

Curious about this as well. In an ideal world, I could authenticate with a given JWT issued by an OIDC provider like Keycloak. Then NATs would validate the JWT was issued by a valid issuer by checking the signature against a JWKS endpoint. Then in the authorization configuration, I could definite which subject patterns are allowed for a given claim in the JWT.

I take it this is not possible today? I had hopes this callout feature would allow this.

UPDATE: https://www.youtube.com/watch?v=VvGxrT-jv64

This youtube video answered all my questions and allows me to do exactly what I described.

[derekcollison]

That is very possible today. Why do you think it is not?

[avanide]

That is very possible today. Why do you think it is not?

It seems it is possible however, the doc is

Curious about this as well. In an ideal world, I could authenticate with a given JWT issued by an OIDC provider like Keycloak. Then NATs would validate the JWT was issued by a valid issuer by checking the signature against a JWKS endpoint. Then in the authorization configuration, I could definite which subject patterns are allowed for a given claim in the JWT.

I take it this is not possible today? I had hopes this callout feature would allow this.

UPDATE: https://www.youtube.com/watch?v=VvGxrT-jv64

This youtube video answered all my questions and allows me to do exactly what I described.

Thanks for sharing the video link! Really appreciated

[gedw99]

https://github.com/jr200/nats-iam-broker is working for me