Authenticate Flow to other services
Flow passes authentication headers to upstream services when sending requests.
Configuration is managed through an auth.conf file, present in a Taxi project in your workspace.
auth.conf file
Authentication tokens are defined in a file named auth.conf, a HOCON file which lives inside a Taxi project within your workspace.
The location of your auth.conf file is configured inside the taxi.conf file in your project, using an additionalSources entry with a key of @flow/config.
By convention, the auth.conf lives at flow/config/auth.conf, but this is configurable.
name: com.myproject/demo
version: 0.1.0
sourceRoot: src/
additionalSources: {
  "@flow/config" : "flow/config/*.conf"
}
Here’s a sample config:
authenticationTokens {
  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.acme.MyService" {
    type = OAuth2
    // ... see below for examples
  }
  // You can also use wildcards in the name of the service, to use the same credentials for
  // all matching services
  "com.hamilton.*" {
  }
}
See also Manage secrets to see how to securely manage sensitive information in your auth tokens.
Authentication token types
Several types of authentication schemes are supported. If you don’t see the one you need here, please contact Hazelcast Support.
Basic authentication
authenticationTokens {
  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: Basic
    username: jimmy
    password: password
  }
}
HTTP header
authenticationTokens {
  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: HttpHeader
    // Mandatory
    value: letMeIn
    // Optional, defaults to Bearer
    prefix: "Token",
    // Optional, defaults to Authentication
    headerName: Auth
  }
}
Query param
authenticationTokens {
  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: QueryParam
    parameterName: authKey
    value: letMeIn
  }
}
Cookie
authenticationTokens {
  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: Cookie
    cookieName: authKey
    value: letMeIn
  }
}
OAuth2
authenticationTokens {
  // The fully qualified name of a service, as defined in a Taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: OAuth2
    accessTokenUrl: "https://auth.com/tokens"
    clientId: ABC
    clientSecret: DEF
    scopes: [ "profile", "image" ]
    // One of AuthorizationCode, RefreshToken, ClientCredentials
    grantType: AuthorizationCode
    // One of Basic, Post, JWT
    method: Post
    // Optional. Only required if grantType is RefreshToken
    refreshToken: LMNOP
  }
}
Mutual authentication (mTLS)
authenticationTokens {
  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: MutualTls
    // Absolute path of the keystore containing the private keys for mutual authentication
    keystorePath: /opt/service/flow/test-service-mtls.jks
    // Password for the keystore
    keystorePassword: flow
    // Absolute path of the truststore
    truststorePath: /opt/service/flow/test-trust-service-mtls.jks
    // Password for the truststore
    truststorePassword: flow
  }
}
Use environment variables
Environment variables can be used in authentication config files.
authenticationTokens {
  "com.acme.MyService" {
    tokenType = AuthorizationBearerHeader
    value = ${foo} // The environment variable 'foo' is read and substituted
  }
}
See also Manage secrets to see how to securely manage sensitive information in your auth tokens.
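As an added example (not part of the Flow documentation or product), this Python check scans the text of an auth.conf for credential fields written as literals instead of environment-variable substitutions. The key list is taken from the samples on this page; the function name and sample config are constructed for illustration, and the line-based matching is a simplification, not a full HOCON parser.

```python
import re

# Credential-bearing keys from the token types shown on this page.
SECRET_KEYS = {"password", "value", "clientSecret", "refreshToken",
               "keystorePassword", "truststorePassword"}
SERVICE = re.compile(r'^\s*"([^"]+)"\s*\{')  # "com.acme.MyService" {
# key, ':' or '=', then the value up to an optional comma and trailing comment
FIELD = re.compile(r'^\s*"?(\w+)"?\s*[:=]\s*(.+?)\s*,?(?:\s+(?://|#).*)?$')
# Unquoted ${foo} or ${?foo}. HOCON does not substitute inside quotes,
# so "${foo}" is a literal string and is reported.
SUBSTITUTION = re.compile(r'^\$\{\??[\w.\-]+\}$')


def find_literal_secrets(conf_text):
    """Return (line_no, service, key) for each secret written as a literal."""
    findings, service = [], None
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        opened = SERVICE.match(line)
        if opened:
            service = opened.group(1)
            continue
        field = FIELD.match(line)
        if field and field.group(1) in SECRET_KEYS:
            if not SUBSTITUTION.match(field.group(2)):
                findings.append((line_no, service, field.group(1)))
    return findings


# Constructed sample, modelled on the token examples above.
SAMPLE = '''\
authenticationTokens {
  "com.foo.TestService" {
    type: Basic
    password: password
  }
  "com.acme.MyService" {
    type: HttpHeader
    value = ${foo} // read from the environment
  }
  "com.hamilton.*" {
    type: Cookie
    value: "${foo}"
  }
}
'''

if __name__ == "__main__":
    for line_no, service, key in find_literal_secrets(SAMPLE):
        print(f"line {line_no}: {service}.{key} is a literal, use ${{ENV_VAR}}")
```

Run against the constructed sample, it reports the Basic password and the quoted "${foo}" value, and accepts the unquoted substitution.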
Other configuration approaches
Authentication configuration is always persisted to the file described above. However, there are ways of adding to or removing from the configuration without requiring file access.
UI configuration
Authentication tokens can be added, modified and deleted through the UI, via the Authentication Manager.
Changes made here are persisted in the configured authentication file.