diff --git a/.gitignore b/.gitignore
index db49acdd..9bc787b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,8 @@ conf.json
 conf-*.jsonc
 conf-*.json
-!conf-example.json
+!conf-example.jsonc
+!conf-example-manual-auth.jsonc
 !conf-test-example.json
 !conf-github-ci.json
 !conf-jenkins.json
diff --git a/README.md b/README.md
index ec1158f3..a918fc02 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ There are three different auth modes:
 - 2. manual auth with bearer token validation (JWT)
 - 3. automatic keycloak auth discovery (JWT) - preferred
-Auth modes 2. and 3. of Tableaux are secured by a JWT based authentication. The JWT (signed with a private key) is verified by the public key of the auth service. In manual auth mode 2. the public key is configured in the conf file (see `./conf-example.json`), in automatic auth mode 3. the public key is discovered via the auth service also configured in the conf file (see `./conf-example-auto-discovery.json`)
+Auth modes 2. and 3. of Tableaux are secured by a JWT based authentication. The JWT (signed with a private key) is verified by the public key of the auth service. In manual auth mode 2. the public key is configured in the conf file (see `./conf-example-manual-auth.jsonc`), in automatic auth mode 3. the public key is discovered via the auth service also configured in the conf file (see `./conf-example.jsonc`)
 The auth mode 1. is a legacy mode for testing or for running the service behind a different auth service. In this mode the incoming request is not verified. The user (e.g. for history entries) must be set via cookie `userName`. Legacy mode is activated, if `auth` key in config is missing.
diff --git a/conf-example-manual-auth.jsonc b/conf-example-manual-auth.jsonc
new file mode 100644
index 00000000..a0ff5365
--- /dev/null
+++ b/conf-example-manual-auth.jsonc
@@ -0,0 +1,14 @@
+{
+ // other configurations but auth are documented in conf-example.jsonc
+ "auth": {
+ "realm": "keycloak-realm",
+ "bearer-only": true,
+ "auth-server-url": "http://localhost:9999/auth",
+ "ssl-required": "external",
+ "resource": "grud-backend",
+ "verify-token-audience": true,
+ "use-resource-role-mappings": true,
+ "confidential-port": 0,
+ "issuer": "test"
+ }
+}
diff --git a/conf-example.json b/conf-example.json
deleted file mode 100644
index db7297c1..00000000
--- a/conf-example.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "host": "127.0.0.1",
- "port": 8080,
-
- "uploadsDirectory": "uploads/",
- "workingDirectory": "./",
- "rolePermissionsPath": "./role-permissions.json",
- "openApiUrl": "https://my.domain.com/api/docs",
-
- "database" : {
- "host" : "localhost",
- "port" : 5432,
- "username" : "postgres",
- "password" : "secret",
- "database" : "tableaux"
- },
-
- "auth": {
- "realm": "keycloak-realm",
- "bearer-only": true,
- "auth-server-url": "http://localhost:9999/auth",
- "ssl-required": "external",
- "resource": "grud-backend",
- "verify-token-audience": true,
- "use-resource-role-mappings": true,
- "confidential-port": 0,
- "issuer": "test"
- }
-}
diff --git a/conf-example.jsonc b/conf-example.jsonc
new file mode 100644
index 00000000..4f6557b7
--- /dev/null
+++ b/conf-example.jsonc
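Review bot: The README hunk in this same commit says that in manual auth mode the public key is configured in the conf file, but the `auth` block of this example carries no public-key entry at all — only realm, server URL and adapter flags — so a reader sent here by the README cannot tell where the verification key goes. If the backend reads it from a field such as Keycloak's `realm-public-key`, add an entry with an obviously fake placeholder, e.g. `"realm-public-key": "<PEM-BODY-OF-REALM-PUBLIC-KEY>", // verification key for manual mode`; if the key is supplied another way, say so in the leading comment. That comment also defers everything except auth to conf-example.jsonc, yet the auth keys themselves are unexplained; a line noting which key selects manual mode (presumably the absence of `isAutoDiscovery`, which the auto-discovery example sets to true) and that the `http://` `auth-server-url` is a local-only example value would make the file self-contained.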
@@ -0,0 +1,21 @@
+{
+ "host": "127.0.0.1",
+ "port": 8080,
+ "uploadsDirectory": "uploads/",
+ "workingDirectory": "./",
+ "rolePermissionsPath": "./role-permissions.json",
+ "isPublicFileServer": false, // if true, the file serving endpoint is public, if false, the file serving is protected by the auth server (default: false)
+ "openApiUrl": "https://my.domain.com/api/docs", // override the openapi url, needed for reverse proxy (if not set, the openapi url is generated automatically)
+ "database": {
+ "host": "localhost",
+ "port": 5432,
+ "username": "postgres",
+ "password": "secret",
+ "database": "tableaux"
+ },
+ "auth": {
+ "isAutoDiscovery": true,
+ "resource": "grud-backend",
+ "issuer": "https:///auth/realms/"
+ }
+}
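Review bot: The `issuer` value `https:///auth/realms/` has an empty host and an empty realm segment, so as shipped it can never equal the `iss` claim of a real token, and the reader cannot see which parts are meant to be filled in; make the placeholders explicit, e.g. `"issuer": "https://<auth-host>/auth/realms/<realm>" // expected to match the iss claim of issued tokens exactly`. The auto-discovery block also drops the `bearer-only` and `verify-token-audience` flags that the deleted conf-example.json carried; if audience checking is implied by `isAutoDiscovery`, a short comment on that line saying so would stop readers re-adding the old flags by hand. The `"password": "secret"` and `127.0.0.1`/`localhost` values read as intended local placeholders, which a one-line comment on the `database` block could state outright so the file is not copied into a deployment unchanged.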