This repository contains an auth callout service for NATS which can read and verify an OIDC-issued JWT and grant permissions based on the roles set there.
A local development setup can be found in the infrastructure/
folder. See the infrastructure README for
instructions on how to run that.
See Caveats.
See NATS auth callout documentation.
If you just want to spin up NATS with auth callout, go to the
infrastructure/ folder and follow the instructions in the README
there.
When you have done that, edit the token_extract.py script and set
the client_id and authority arguments to the
PublicClientApplication. The values are individual, you will likely
find them in your OIDC application registration (e.g. Azure Portal).
Now create a python virtual env:
python -m venv natsauth
And activate it with:
source natsauth/bin/activate
With this done, install the MSAL dependency and execute the script:
python -m pip install msal
python token_extract.py
This should print a token to your console. If it does not, maybe you need to edit your application registration: create a desktop application platform with a http://localhost:8081 redirect url and enable public flows (might be Azure AD specific).
podman run --pod=nats --rm -it --restart=no -v ./vols/nsc:/nsc:Z docker.io/natsio/nats-box:latest nats --user foo --password $JWT_TOKEN pub test 'gello'
The auth callout is published as an OCI image to
ghcr.io under latest
tag. It assumes that a config.edn file with the configuration is
mounted into the image at the path /etc/app/config.edn.
:nats-url: [string] where to find the NATS cluster:service-name: [string] what to call the service:service-version: [string] semantic versioning!:connection: [map] object with:usernameand:passwordkeys that match the NATS cluster's auth callout user:oidc-endpoint-url: [string] URL to an OIDC discovery endpoint:user-keys: [map] object with:nseedkey:application-account: [string] name of the NATS account that users will be associated with:role-mappings: [map] object with keys matching values in therolesarray of the OIDC JWT, and values being objects with keys:puband:sub(see sample config.edn for example -:allowand:deny)