
...

config.toml:
[external-interface]
# TLS key and certificate presented to clients; the paths match the secrets mounted by the compose file
tls_key = "/bgw/certs/<your_key>.pem"
tls_cert = "/bgw/certs/<your_cert>.pem"

[mqtt-proxy]

  [mqtt-proxy.broker]
  # Upstream broker; the credentials below are those of the LinkSmart demo broker
  address = "demo.linksmart.eu"
  port = 8883
  username = "linksmart"
  password = "demo"
  tls = true
  tls_ca = ""
  tls_client_key = ""
  tls_client_cert = ""

[http-proxy]

  [http-proxy.domains]

    [http-proxy.domains."<your_application_domain_name_used_in_certificate>"]

      [http-proxy.domains."<your_application_domain_name_used_in_certificate>"."<location>"]
      local_address = "<address_of_your_local_service>:<port>"

[auth-service]

  [auth-service.openid_connect_providers]

    [auth-service.openid_connect_providers.default]
    issuer = "https://<keycloak_domain>/auth/realms/<realm_name>"
    # Discovery document of the realm; it advertises the endpoints listed explicitly below
    openid_configuration = "https://<keycloak_domain>/auth/realms/<realm_name>/.well-known/openid-configuration"
    authorization_endpoint = "https://<keycloak_domain>/auth/realms/<realm_name>/protocol/openid-connect/auth"
    token_endpoint = "https://<keycloak_domain>/auth/realms/<realm_name>/protocol/openid-connect/token"
    jwks_uri = "https://<keycloak_domain>/auth/realms/<realm_name>/protocol/openid-connect/certs"
    audience = "bgw_client"
    client_id = "bgw_client"
    client_secret = "<client_secret>"
    realm_public_key_modulus = "<...>"
    realm_public_key_exponent = "<...>"
    redirect_uri = "https://<your_application_domain_name_used_in_certificate>:443/callback"
    anonymous_bgw_rules = "HTTPS/GET/# MQTT/#"

...

docker-compose file:
version: '3.5'
services:
  bgw:
    image: "linksmart/bgw:latest"
    deploy:
      replicas: 1
    container_name: "bgw"
    ports:
      - "443:443"
      - "8883:8883"
      - "9002:9002"
    # TLS key and certificate are mounted at the paths referenced by [external-interface] in config.toml
    secrets:
      - source: bgw-ssl.cert
        target: "/bgw/certs/<your_cert>.pem"
      - source: bgw-ssl.key
        target: "/bgw/certs/<your_key>.pem"
    configs:
      - source: config
        target: "/bgw/config/config.toml"

secrets:
  bgw-ssl.cert:
    file: "./certs/<your_cert>.pem"
  bgw-ssl.key:
    file: "./certs/<your_key>.pem"
configs:
  config:
    file: "./config.toml"

...

Set up Redis as an access token cache

You need to set up the key-value database Redis to cache access tokens for connections that authenticate with username / password. Without caching, each request to one of your services leads to a POST request to the OpenID Connect provider to retrieve an access token containing the authorization rules. Caching will speed things up. You can add a Redis instance to your Docker deployment by extending your docker-compose file like this:

...

Add this to your config.toml (by default, Redis support is not enabled):

[auth-service]
redis_expiration = 120   # cache lifetime in seconds; 0 disables the cache
redis_host = "redis"     # host name of the Redis instance (its service name when it runs in the same compose deployment)
redis_port = 6379

...

  • Key: SHA256 hash of string token_endpoint + username + password
  • Value: Access token encrypted using AES-256 with the user password as symmetric key
  • Key and value automatically expire after the number of seconds defined in auth_service_redis_expiration

If auth_service_redis_expiration (redis_expiration in the [auth-service] section) is set to a value > 0, the BGW auth service will always try to get an access token from Redis first before posting a request to the OpenID Connect provider. Make sure that the value of auth_service_redis_expiration is not higher than the configured lifespan of the access tokens! The access tokens will be cached for the duration of their lifespan according to the expiration timestamp sent inside the token.
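How cache entries of this shape can be built and checked, as an added example that is not part of the BGW project's code: an in-memory map stands in for Redis, the AES-256 key is derived by hashing the user password with SHA-256 (an assumption, since the page only says the password is the symmetric key), and the cache lifetime is capped at the token's own expiry so that a redis_expiration longer than the token lifespan cannot serve an expired token. Names such as TokenCache, CacheKey, Put and Get are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// CacheKey follows the page's scheme: SHA256 over token_endpoint + username + password.
func CacheKey(tokenEndpoint, username, password string) string {
	sum := sha256.Sum256([]byte(tokenEndpoint + username + password))
	return hex.EncodeToString(sum[:])
}
// gcmFor builds AES-256-GCM keyed by SHA-256(password); assumption, since the page only says the password is the key.
func gcmFor(password string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(password))
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// entry holds nonce || AES-256-GCM ciphertext of the token, plus its expiry instant.
type entry struct{ blob []byte; expires time.Time }
// TokenCache is an in-memory stand-in for Redis (constructed for this example); TTL plays the role of redis_expiration, Now is injectable for tests.
type TokenCache struct{ TTL time.Duration; Now func() time.Time; entries map[string]entry }
// Put encrypts and stores the token; the entry expires at the earlier of now+TTL and the token's own exp.
func (c *TokenCache) Put(key, token, password string, tokenExp time.Time) error {
	gcm, err := gcmFor(password)
	if err != nil { return err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	expires := c.Now().Add(c.TTL)
	if tokenExp.Before(expires) { expires = tokenExp }
	if c.entries == nil { c.entries = map[string]entry{} }
	c.entries[key] = entry{gcm.Seal(nonce, nonce, []byte(token), nil), expires}
	return nil
}
// Get returns the token and true, or "" and false when the entry is missing, expired, or the password is wrong (GCM authentication fails).
func (c *TokenCache) Get(key, password string) (string, bool) {
	e, ok := c.entries[key]
	if !ok || !c.Now().Before(e.expires) { return "", false }
	gcm, err := gcmFor(password)
	if err != nil { return "", false }
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, e.blob[:n], e.blob[n:], nil)
	return string(pt), err == nil
}
```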