Authenticate Flow to other services

Flow will pass authentication headers to upstream services when sending requests.

Configuration is managed through an auth.conf file, present in a Taxi project in your workspace.

auth.conf file

Authentication tokens are defined in a file named auth.conf - a HOCON file which lives inside a Taxi project within your workspace.

The location of your auth.conf file is configured inside the taxi.conf file in your project, using an additionalSources entry with a key of @Flow/config.

By convention, the auth.conf lives at Flow/config/auth.conf, but this is configurable.

name: com.myproject/demo
version: 0.1.0
sourceRoot: src/
additionalSources: {
    "@flow/config" : "flow/config/*.conf"
}

Here’s a sample config:

authenticationTokens {

   // The fully qualified name of a service, as defined in a taxi schema.
   // Should be surrounded in quotes.
   "com.acme.MyService" {
      type = OAuth2
      // ... see below for examples
   }

   // You can also use wildcards in the name of the service, to use the same credentials for
   // all matching services
   "com.hamilton.*" {

   }
}
See also Manage secrets to see how to securely manage sensitive information in your auth tokens.

Authentication token types

Several type of authentication schemes are supported. If you don’t see the one you need here, please contact Hazelcast Support.

Basic authentication

authenticationTokens {

  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
     type: Basic
     username: jimmy
     password: password
  }
}

HTTP header

authenticationTokens {

   // The fully qualified name of a service, as defined in a taxi schema.
   // Should be surrounded in quotes.
   "com.foo.TestService" {
      type: HttpHeader
      // Mandatory
      value: letMeIn
      // Optional, defaults to Bearer
      prefix: "Token",
      // Optional, defaults to Authentication
      headerName: Auth
  }
}

Query param

authenticationTokens {

  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
     type: QueryParam
     parameterName: authKey
     value: letMeIn
  }
}
authenticationTokens {

   // The fully qualified name of a service, as defined in a taxi schema.
   // Should be surrounded in quotes.
   "com.foo.TestService" {
      type: Cookie
      cookieName: authKey
      value: letMeIn
   }
}

OAuth2

authenticationTokens {

  // The fully qualified name of a service, as defined in a Taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
    type: OAuth2
    accessTokenUrl: "https://auth.com/tokens"
    clientId: ABC
    clientSecret: DEF
    scopes: [ "profile", "image" ]

    // One of AuthorizationCode, RefreshToken, ClientCredentials
    grantType: AuthorizationCode
    // One of Basic, Post, JWT
    method: Post

    // Optional. Only required if grantType is RefreshToken
    refreshToken: LMNOP
  }
}

Mutual authentication (mtls)

authenticationTokens {

  // The fully qualified name of a service, as defined in a taxi schema.
  // Should be surrounded in quotes.
  "com.foo.TestService" {
     type: MutualTls
     // Absolute Path of the KeyStore Path containing private keys for mutual Authentication
     keystorePath: /opt/service/flow/test-service-mtls.jks
     // Password for the Key Store
     keystorePassword: flow
     // Absolute Path of the Trust Store
     truststorePath: /opt/service/{short-product-name}/test-trust-service-mtls.jks
     truststorePassword: flow
  }
}

Use environment variables

Environment variables can be used in authentication config files.

authenticationTokens {
   "com.acme.MyService" {
      tokenType = AuthorizationBearerHeader
      value = ${foo} // The enviroment variable of 'foo' is read and substituted
   }
}
See also Manage secrets to see how to securely manage sensitive information in your auth tokens.

Other configuration approaches

Authentication configuration is always persisted to the file described above. However, there are ways of adding / removing to the configuration without requiring file access.

UI configuration

Authentication tokens can be added, modified and deleted through the UI, via the Authentication Manager.

Changes made here are persisted in the configured authentication file.

REST API

Authentication tokens can be added, modified and deleted through the REST API:

Create or update token

POST to /api/tokens/service/{serviceName}:

{
   "tokenType" : "AuthorizationBearerHeader",
   "value" : "yourAPIToken"
}

Delete a token

This deletes a token.

DELETE to /api/tokens/service/{serviceName}

List configured tokens

It is possible to list the configured tokens. However, the token values are not returned.

GET to /api/tokens

[ { "serviceName" : "com.foo.MyService", "tokenType" : "AuthorizationBearerHeader" } ]