OpenAperture Documentation

OpenAperture Authentication

OpenAperture requires that authentication be configured in order to properly operate. All requests submitted to the Manager must contain an authorization header in the form:

Authorization: OAuth Bearer *access token*

Once a user has been authenticated, a User record is created, and an AuthSource defined (if one does not exist).

Configuring OAuth

OpenAperture requires an external OAuth 2 provider in order to function; OpenAperture uses both the Client Authentication flow to request authentication tokens, as well as the token endpoint to validate incoming tokens. The Manager SystemComponent will need to both authenticate tokens and request tokens. All of the remaining SystemComponents will need the ability to request tokens (to send to the Manager. The following OAuth information is required to be configured in the SystemComponent run-time environments:

OAUTH_CLIENT_ID: represents the OAuth 2 client_id
OAUTH_CLIENT_SECRET: represents the OAuth 2 client_secret
OAUTH_LOGIN_URL: represents the OAuth 2 client authentication endpoint
- An example login endpoint would be the login endpoint for Google's OAuth 2 Service Accounts endpoint
MANAGER_OAUTH_VALIDATE_URL: represents the OAuth 2 token endpoint (used for token validation)
- An example validation endpoint would be Google's tokeninfo endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo

The authentication flow generally looks something like:

SystemComponent requests an auth token from the OAUTH_LOGIN_URL, using the OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET
An access token is parsed from the response body
The access token is set to the Authorization header of a Manager request
The Manager parses out the access token from the request's Authorization header and submits it to MANAGER_OAUTH_VALIDATE_URL.
If rejected, the Manager returns a 401. Otherwise, a User and AuthSource are verified or created
The request is processed