Set up OpenID provider
Set up an OpenID authentication provider (e.g. Keycloak) that provides at least one user with username "anonymous" and password "anonymous". To start with the Border Gateway (BGW) for development purposes it is a good idea to allow full anonymous access and define more elaborate authentication and authorization later. See below on how to provide the necessary information in a config file. See the subpage for an example of how to set up Keycloak as an OpenID provider for the Border Gateway.
Create an SSL certificate for your deployment
Options include Let's Encrypt or Fraunhofer certificates. You will need the two .pem files containing the certificate itself (including the chain) and the private key. See below on how to provide the necessary information in a config file.
Create config file
Create a file config.toml with the following entries:
Start Docker container
Run the Border Gateway with docker-compose. Make sure the .pem files and the config.toml are available, e.g.:
Optional: Set up Redis as an access token cache
You can use the key-value database Redis to cache access tokens for connections that use username / password. Without caching, each request to one of your services leads to a POST request to the OpenID Connect provider to retrieve an access token containing the authorization rules. Caching may speed things up. You can add a Redis instance to your Docker deployment by extending your docker-compose file like this:
Add this to your config.toml (by default, Redis support is not enabled):
The BGW auth service will store keys and values in Redis like this:
- Key: SHA256 hash of the string token_endpoint + username + password
- Value: access token encrypted using AES-256 with the user password as symmetric key
- Key and value automatically expire after the number of seconds defined in auth_service_redis_expiration
If auth_service_redis_expiration is set to a value > 0, the BGW auth service will always try to get an access token from Redis first before posting a request to the OpenID Connect provider. Make sure that the value of auth_service_redis_expiration is not higher than the configured lifespan of the access tokens!