
Set up OpenID provider

Set up an OpenID authentication provider (e.g. Keycloak) that provides at least one user with username "anonymous" and password "anonymous". To start with the Border Gateway (BGW) for development purposes it is a good idea to allow full anonymous access and define more elaborate authentication and authorization later. See below on how to provide the necessary information in a config file. See the subpage for an example of how to set up Keycloak as an OpenID provider for the Border Gateway.

Create an SSL certificate for your deployment

Options include Let's Encrypt or Fraunhofer certificates. You will need the two .pem files containing the certificate itself (including the chain) and the private key. See below on how to provide the necessary information in a config file.

Create config file

Create a file config.toml with the following entries:

[external-interface]
tls_key = "/bgw/certs/<your_key>.pem"
tls_cert = "/bgw/certs/<your_cert>.pem"

[mqtt-proxy]

  [mqtt-proxy.broker]
  address = "demo.linksmart.eu"
  port = 8883
  username = "linksmart"
  password = "demo"
  tls = true
  tls_ca = ""
  tls_client_key = ""
  tls_client_cert = ""

[http-proxy]

  [http-proxy.domains]

    [http-proxy.domains."<your_domain_name_used_in_certificate>"]

      [http-proxy.domains."<your_domain_name_used_in_certificate>"."<location>"]
      local_address = "<address_of_your_local_service>:<port>"

[auth-service]

  [auth-service.openid_connect_providers]

    [auth-service.openid_connect_providers.default]
    issuer = "https://auth.fit.fraunhofer.de/kc/realms/linksmart-demo"
    token_endpoint = "https://auth.fit.fraunhofer.de/kc/realms/linksmart-demo/protocol/openid-connect/token"
    client_id = "bgw_client"
    realm_public_key_modulus = "hF2bmoFd35rgtsXny2NFXG-M-ywZPkuonyUC8fwYQ4axSB86gPXbkkgH5LsDkpJHovMvXUgDiEJg2k0TbEfy7edtpk1e0IpqY8KKFQ-Gz_YjxXPWEsO30k11T66aczDVC1aKFDuBCQ9ExZopTehR_awHn3FAuDHTGrG8W4bMJ3z1VqcFRh5fZG3vGFvPi6J-6QpV8P82wFqMHJWeBJGUThWMNCtgi88KXf8Jz1MgvXO-NnDK_KduJBo_c6Dm5NiZjReQtKRO8TXUkhglClwHU6sOGx0IIvgQ9q5vRwWf6ou6t5_40cNYiu86GYlHH-1dimb_f6CoiTBG8-99wgfxvw"
    realm_public_key_exponent = "AQAB"

Start Docker container

Run the Border Gateway with docker-compose. Make sure the .pem files and the config.toml are available in the mounted folders, e.g.:

version: '3.5'
services:
  bgw:
    image: "docker.linksmart.eu/bgw:latest"
    container_name: "bgw"
    ports:
      - 443:443
      - 8883:8883
      - 9002:9002
    volumes:
      - "<path_to_your_config_folder>:/bgw/config"
      - "<path_to_your_certs_folder>:/bgw/certs"

Optional: Set up Redis as an access token cache

You can use the key-value database Redis to cache access tokens for connections that use username / password. Without caching, each request to one of your services leads to a POST request to the OpenID Connect provider to retrieve an access token containing the authorization rules. Caching may speed things up. You can add a Redis instance to your Docker deployment by extending your docker-compose file like this:

version: '3.5'
services:
  bgw:
    image: "docker.linksmart.eu/bgw:latest"
    container_name: "bgw"
    ports:
      - 443:443
      - 8883:8883
      - 9002:9002
    volumes:
      - "<path_to_your_config_folder>:/bgw/config"
      - "<path_to_your_certs_folder>:/bgw/certs"
  redis:
    container_name: redis
    image: redis:5-alpine

Add this to your config.toml (by default, Redis support is not enabled):

[auth-service]
redis_expiration = 120
redis_host = "redis"
redis_port = 6379

The BGW auth service will store keys and values in Redis like this:

  • Key: SHA256 hash of string token_endpoint + username + password
  • Value: Access token encrypted using AES-256 with the user password as symmetric key
  • Key and value automatically expire after the number of seconds defined in auth_service_redis_expiration

If auth_service_redis_expiration (the redis_expiration key in the [auth-service] section) is set to a value > 0, the BGW auth service will always try to get an access token from Redis first before posting a request to the OpenID Connect provider. Make sure that the value of auth_service_redis_expiration is not higher than the configured lifespan of the access tokens!
