Auth documentation

Fabric console as of v2.7 supports Basic Authentication and the OpenID Connect protocol.

Basic Auth

Basic Authentication is a simple authentication scheme built into the HTTP protocol and a widely used method for securing web services and APIs. With Basic Authentication, the client sends its credentials (a username and password) in the HTTP Authorization request header, Base64-encoded.

Basic Auth can be enabled in the Helm chart values:

auth:
  enabled: true
  method: basic
  basic:
    username: test
    password: test

OpenID Connect protocol

The OpenID Protocol is an open standard that allows users to be authenticated across different websites or services without the need for separate usernames and passwords for each. It enables Single Sign-On (SSO) functionality, simplifying the authentication process for users and providing a seamless experience across multiple platforms.

OpenID is based on technologies such as HTTP, SSL/TLS, and URI schemes, making it compatible with existing web infrastructure. It utilizes identity providers (IdPs) to authenticate users and provide them with unique identifiers known as OpenID identifiers.

The protocol is defined in several specifications, with the main specification being OpenID Connect. OpenID Connect is built on top of OAuth 2.0 and provides additional features for authentication and authorization.

RFC: The OpenID Connect specification builds on RFC 6749 (OAuth 2.0) and RFC 6750 (OAuth 2.0 Bearer Token Usage). These RFCs standardize the OAuth 2.0 framework and bearer token usage, which form the basis for the OpenID Connect protocol.

There are two possible flows for authentication:

  1. Confidential - requires a client secret as an additional layer of security. Confidential clients involve the backend in the authentication flow.

  2. Public or ID Token - does not require a client secret; the client itself is responsible for fetching the access token.

wellKnownURL - publicly available URL, defined by the standard, that contains all the necessary information about the IdP.

clientID and clientSecret (optional) - the application registration credentials.

confidential (default: false) - defines the type of client.

scope - space-separated list of scopes.

The scope depends on the provider; in the example below it is the scope for the Microsoft Azure IdP. A custom scope was created to attach custom roles to the token claims. The offline_access scope is required for a refresh token to be returned; without it the refresh mechanism won't work.

roleBasedAuth (default: false) - requires a roles claim to be present in the token and authorizes the token according to the assigned role. Possible roles: ['console-viewer', 'console-writer', 'console-admin'].

OpenID can be enabled in the Helm chart values:

auth:
  enabled: true
  method: openid
  openid:
    wellKnownURL: "https://login.microsoftonline.com/ffffffff-eeeee-fffff-eeee-aaaaa/v2.0/.well-known/openid-configuration"
    clientID: "xxxxx-yyyyy-qqqqq-zzzzz"
    clientSecret: "client secret"
    confidential: true
    # space separated list of scopes
    scope: api://ttt-aaa-qqq-ggg/users openid offline_access
    roleBasedAuth: false
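The claim checks a console backend would apply to an ID token under the values above (issuer from wellKnownURL, audience equal to clientID, expiry, and the roles claim when roleBasedAuth is on), as an added Python example rather than Fabric console code. The discovery document, clientID and scope are constructed placeholders, and signature verification against the IdP's jwks_uri is assumed to be done by a JWT library before these checks run.

```python
"""Added example, not Fabric console code: claim checks driven by the openid Helm values."""
import time

# Roles the documentation lists for roleBasedAuth.
CONSOLE_ROLES = ("console-viewer", "console-writer", "console-admin")

# Constructed stand-in for the JSON served at wellKnownURL (tenant id is a placeholder).
DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
}

# Constructed stand-in for the openid section of the chart values.
VALUES = {
    "clientID": "CLIENT-ID-PLACEHOLDER",
    "scope": "api://APP-ID-PLACEHOLDER/users openid offline_access",
    "roleBasedAuth": True,
}


def refresh_possible(values):
    """offline_access must be in the space-separated scope list or no refresh token is issued."""
    return "offline_access" in values["scope"].split()


def check_id_token(claims, values, discovery, now=None):
    """Return (ok, reason) on failure or (ok, granted console roles) on success.

    `claims` is the already signature-verified payload of the ID token.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != discovery["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if values["clientID"] not in aud_list:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if not values["roleBasedAuth"]:
        return True, []  # any authenticated user is accepted, no role is derived
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return False, "roles claim missing"
    granted = sorted(r for r in set(roles) if r in CONSOLE_ROLES)
    if not granted:
        return False, "no console role assigned"
    return True, granted
```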