|
1 | | -# labid (very WIP) |
| 1 | +# LabID |
2 | 2 |
|
3 | 3 | Signed JWT token exchange service |
4 | 4 |
|
| 5 | +## Usage |
| 6 | + |
| 7 | +LabID is used from Dapla Lab for exchanging tokens, and from external services |
| 8 | +to validate these tokens. Following is a short description of how to use LabID. |
| 9 | + |
| 10 | +### Servers |
| 11 | + |
| 12 | +LabID is available in all three Dapla Lab environments (dev, test, prod). |
| 13 | +Internally it is always available at `http://labid.labid.svc.cluster.local`. |
| 14 | +External endpoints are available at |
| 15 | + |
| 16 | +| Environment | URL | |
| 17 | +| - | - | |
| 18 | +| dev | https://labid.lab.dapla-dev-external.ssb.no | |
| 19 | +| test | https://labid.lab.dapla-test-external.ssb.no | |
| 20 | +| prod | https://labid.lab.dapla-external.ssb.no | |
| 21 | + |
| 22 | +The external URLs are available from SSB IPs (VPN) and the corresponding Nais |
| 23 | +clusters (nais-test for dev and test, nais-prod for prod). |
| 24 | + |
| 25 | +### Endpoints |
| 26 | +LabID exposes 3 endpoints: `/token`, `/jwks` and |
| 27 | +`/.well-known/openid-configuration`. |
| 28 | + |
| 29 | +#### `/token` (cluster-internal only) |
| 30 | +Lets you exchange a Kubernetes service account token for a LabID token. |
| 31 | +It is only available internally from Dapla Lab services. Python users can use |
| 32 | +[dapla-auth-client](https://github.com/statisticsnorway/dapla-auth-client) to |
| 33 | +perform the exchange. The endpoint follows the |
| 34 | +[RFC8693](https://datatracker.ietf.org/doc/html/rfc8693) standard, but in a very |
| 35 | +restricted way. An example request is as follows: |
| 36 | + |
| 37 | +```sh |
| 38 | +curl -vvv 'http://labid.labid.svc.cluster.local/token' \ |
| 39 | +--header 'Content-Type: application/x-www-form-urlencoded' \ |
| 40 | +--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \ |
| 41 | +--data-urlencode 'subject_token_type=urn:ietf:params:oauth:grant-type:id_token' \ |
| 42 | +--data-urlencode 'subject_token=<kubernetes-token>' \ |
| 43 | +--data-urlencode 'scope=current_group,all_groups' \ |
| 44 | +--data-urlencode 'audience=my-audience' |
| 45 | +``` |
| 46 | + |
| 47 | +`Content-Type`, `grant_type` and `subject_token` must use the values above, no |
| 48 | +other values are supported. |
| 49 | + |
| 50 | +`scope` is an optional field and supports two values: |
| 51 | +1. `current_group` adds a `dapla.group` claim to the LabID token, whose value is |
| 52 | + the Dapla group the service is started as, e.g. `dapla-felles-developers` |
| 53 | +2. `all_groups` adds a `dapla.groups` claim to the LabID token, which is a list |
| 54 | + of all the Dapla groups the user is a member of. |
| 55 | + |
| 56 | +`audience` is an optional field and can be whatever you want. |
| 57 | + |
| 58 | +`subject_token` must be the content of the file |
| 59 | +`/var/run/secrets/kubernetes.io/serviceaccount/token`, which is the service' SA |
| 60 | +token. |
| 61 | + |
| 62 | +#### `/jwks` (externally available) |
| 63 | +Exposes the public part of LabID's signing keys, which can be used to validate |
| 64 | +the issued tokens. Usually this is handled automatically by auth libraries |
| 65 | +through `/.well-known/openid-configuration`. |
| 66 | + |
| 67 | +#### `/.well-known/openid-configuration` (externally available) |
| 68 | +Exposes necessary information about LabID as an Authorization Server as |
| 69 | +specified by [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414). Usually |
| 70 | +handled automatically be auth libraries. |
| 71 | + |
5 | 72 |
|
6 | 73 | ```mermaid |
7 | 74 | sequenceDiagram |
|
0 commit comments