Added OIDC tutorial to show how authorization and authentication can be implemented

Author: lukaszbudnik

Diff for: README.md

@@ -41,6 +41,7 @@ The official docker image is available on docker hub at [lukasz/migrator](https:
   * [Deploying migrator to AWS EKS](#deploying-migrator-to-aws-eks)
   * [Deploying migrator to Azure AKS](#deploying-migrator-to-azure-aks)
   * [Securing migrator with OAuth2](#securing-migrator-with-oauth2)
+  * [Securing migrator with OIDC](#securing-migrator-with-oidc)
 * [Performance](#performance)
 * [Change log](#change-log)
 * [Contributing, code style, running unit & integration tests](#contributing-code-style-running-unit--integration-tests)
@@ -669,10 +670,16 @@ You can find it in [tutorials/azure-aks](tutorials/azure-aks).
 
 ## Securing migrator with OAuth2
 
-The goal of this tutorial is to secure migrator with OAuth2. It shows how to deploy oauth2-proxy in front of migrator which will off-load and transparently handle authentication for migrator end-users.
+The goal of this tutorial is to secure migrator with OAuth2. It shows how to deploy oauth2-proxy in front of migrator which will off-load and transparently handle authorization for migrator end-users.
 
 You can find it in [tutorials/oauth2-proxy](tutorials/oauth2-proxy).
 
+## Securing migrator with OIDC
+
+The goal of this tutorial is to secure migrator with OAuth2 and OIDC. It shows how to deploy oauth2-proxy and haproxy in front of migrator which will off-load and transparently handle both authorization (oauth2-proxy) and authentication (haproxy with custom lua script) for migrator end-users.
+
+You can find it in [tutorials/oauth2-proxy-oidc-haproxy](tutorials/oauth2-proxy-oidc-haproxy).
+
 # Performance
 
 As a benchmarks I used 2 migrations frameworks:

Diff for: tutorials/oauth2-proxy-oidc-haproxy/README.md

@@ -0,0 +1,115 @@
+# Securing migrator with OIDC
+
+In this tutorial I will show you how to use OIDC on top of OAuth2 to implement authentication and authorization.
+
+If you are interested in simple OAuth2 authorization see [Securing migrator with OAuth2](../tutorials/oauth2-proxy).
+
+## OIDC
+
+OpenID Connect (OIDC) is an authentication layer on top of OAuth2 authorization framework.
+
+I will use oauth2-proxy project. It supports multiple OAuth2 providers. To name a few: Google, Facebook, GitHub, LinkedIn, Azure, Keycloak, login.gov, or any OpenID Connect compatible provider.
+
+As an OIDC provider I will re-use oauth2-proxy local-environment which creates and setups a ready-to-use Keycloak server. I extended the Keycloak server with additional configuration (client mappers to include roles in responses), created two migrator roles and two additional test accounts.
+
+I also put haproxy between oauth2-proxy and migrator. haproxy will validate the JWT access token and implement access control based on user's roles to allow or deny access to underlying migrator resources. I re-used a great lua script written by haproxytech folks which I modified to work with Keycloak realm roles.
+
+To learn more about oauth2-proxy visit https://github.com/oauth2-proxy/oauth2-proxy.
+
+To learn more about Keycloak visit https://www.keycloak.org.
+
+To learn more about haproxy jwtverify lua script visit https://github.com/haproxytech/haproxy-lua-jwt.
+
+## Docker setup
+
+The provided `docker-compose.yaml` provision the following services:
+
+* keycloak - the Identity and Access Management service, available at: http://keycloak.localtest.me:9080
+* oauth2-proxy - proxy that protects migrator and connects to keycloak for OAuth2/OIDC authentication, available at: http://gateway.localtest.me:4180
+* haproxy - proxy that contains JWT access token validation and user access control logic, available at: http://haproxy.localtest.me:8080
+* migrator - deployed internally and accessible only from haproxy and only by authorized users
+
+> Note: above setup doesn't have a database as this is to only illustrate how to setup OIDC
+
+To build the test environment execute:
+
+```
+docker-compose up -d
+```
+
+## Testing OIDC
+
+I created 2 test users in Keycloak:
+
+* `[email protected]` - migrator admin, has the following roles: `migrator_admin` and `migrator_user`
+* `[email protected]` - migrator user, has one migrator role: `migrator_user`
+
+In haproxy.cfg I implemented the following sample rules:
+
+* all requests starting `/v1` will return 403 Forbidden
+* to access `/v2/service` user must have `migrator_user` role
+* to access `/v2/config` user must have `migrator_admin` role
+
+### Test scenarios
+
+There are two ways to access migrator:
+
+1. getting JWT access token via oauth2-proxy - shown in orange
+1. getting JWT access token directly from Keycloak - shown in blue
+
+![migrator OIDC setup](migrator-oidc.png?raw=true)
+
+Let's test them.
+
+### oauth2-proxy - [email protected]
+
+1. Access http://gateway.localtest.me:4180/
+1. Authenticate using username: `[email protected]` and password: `password`.
+1. After a successful login you will see `/` response
+1. Open http://gateway.localtest.me:4180/v2/config and you will see 403 Forbidden - this user doesn't have `migrator_admin` role
+1. Logout from Keycloak http://keycloak.localtest.me:9080/auth/realms/master/protocol/openid-connect/logout
+1. Invalidate session on auth2-proxy (oauth2-proxy cookie expires in 15 minutes) http://gateway.localtest.me:4180/oauth2/sign_out
+
+### oauth2-proxy - [email protected]
+
+1. Access http://gateway.localtest.me:4180/
+1. Authenticate using username: `[email protected]` and password: `password`.
+1. After a successful login you will see successful `/` response
+1. Open http://gateway.localtest.me:4180/v2/config and now you will see migrator config
+1. Logout from Keycloak http://keycloak.localtest.me:9080/auth/realms/master/protocol/openid-connect/logout
+1. Invalidate session on auth2-proxy (oauth2-proxy cookie expires in 15 minutes) http://gateway.localtest.me:4180/oauth2/sign_out
+
+### Keycloak REST API
+
+1. Get JWT access token for the `[email protected]` user:
+
+```
+access_token=$(curl -s http://keycloak.localtest.me:9080/auth/realms/master/protocol/openid-connect/token \
+    -H 'Content-Type: application/x-www-form-urlencoded' \
+    -d '[email protected]' \
+    -d 'password=password' \
+    -d 'grant_type=password' \
+    -d 'client_id=oauth2-proxy' \
+    -d 'client_secret=72341b6d-7065-4518-a0e4-50ee15025608' | jq -r '.access_token')
+```
+
+2. Execute migrator action and pass the JWT access token in HTTP Authorization header:
+
+```
+curl http://haproxy.localtest.me:8080/v2/config \
+    -H "Authorization: Bearer $access_token"
+```
+
+## Miscellaneous
+
+You can copy JWT access token (haproxy log or Keycloak REST API) and decode it on https://jwt.io.
+
+You can verify the signature of the JWT token by providing the public key (`keycloak.pem` available in haproxy folder).
+
+Public key can be also fetched from:
+
+```
+curl http://keycloak.localtest.me:9080/auth/realms/master/
+```
+
+> The response is a JSON and the public key is returned as a string. To be a valid PEM format you need to add `-----BEGIN PUBLIC KEY-----` header, `-----END PUBLIC KEY-----` footer, and break that string into lines of 64 characters. Compare `keycloak.pem` with the above response.

Diff for: tutorials/oauth2-proxy-oidc-haproxy/docker-compose.yaml

@@ -0,0 +1,66 @@
+version: '3.0'
+services:
+
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
+    command: --config /oauth2-proxy.cfg
+    hostname: gateway
+    volumes:
+      - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
+    # oauth2-proxy dies when not able to connect to keycloak
+    restart: unless-stopped
+    networks:
+      keycloak: {}
+      haproxy: {}
+      oauth2-proxy: {}
+    depends_on:
+      - haproxy
+      - keycloak
+    ports:
+      - 4180:4180
+
+  haproxy:
+    build: haproxy
+    networks:
+      migrator: {}
+      haproxy: {}
+    depends_on:
+      - migrator
+    ports:
+      - 8080:8080
+
+  migrator:
+    image: lukasz/migrator:latest
+    hostname: migrator
+    volumes:
+      - "./migrator.yaml:/data/migrator.yaml"
+    networks:
+      migrator: {}
+
+  keycloak:
+    image: jboss/keycloak:11.0.2
+    hostname: keycloak
+    command:
+      [
+        '-b',
+        '0.0.0.0',
+        '-Djboss.socket.binding.port-offset=1000',
+        '-Dkeycloak.migration.action=import',
+        '-Dkeycloak.migration.provider=dir',
+        '-Dkeycloak.migration.dir=/realm-config',
+        '-Dkeycloak.migration.strategy=IGNORE_EXISTING',
+      ]
+    volumes:
+      - ./keycloak:/realm-config
+    networks:
+      keycloak:
+        aliases:
+          - keycloak.localtest.me
+    ports:
+      - 9080:9080
+
+networks:
+  migrator: {}
+  keycloak: {}
+  oauth2-proxy: {}
+  haproxy: {}

Diff for: tutorials/oauth2-proxy-oidc-haproxy/haproxy/Dockerfile

@@ -0,0 +1,7 @@
+FROM haproxytech/haproxy-debian:2.2
+RUN apt-get update && apt-get install -y git
+RUN git clone https://github.com/haproxytech/haproxy-lua-jwt.git
+RUN cd haproxy-lua-jwt && chmod +x install.sh && ./install.sh luajwt
+COPY keycloak.pem /etc/haproxy/pem/keycloak.pem
+COPY jwtverify.lua /usr/local/share/lua/5.3/jwtverify.lua
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

Diff for: tutorials/oauth2-proxy-oidc-haproxy/haproxy/haproxy.cfg

@@ -0,0 +1,50 @@
+global
+    daemon
+    lua-load /usr/local/share/lua/5.3/jwtverify.lua
+
+    # Set env variables used by Lua file
+    setenv OAUTH_PUBKEY_PATH /etc/haproxy/pem/keycloak.pem
+
+    # OPTIONAL: OAuth issuer
+    setenv OAUTH_ISSUER http://keycloak.localtest.me:9080/auth/realms/master
+
+    # OPTIONAL: OAuth audience
+    # not set because we use 2 different audiences
+    # when using oauth2-proxy only the audience would be:
+    # setenv OAUTH_AUDIENCE oauth2-proxy
+    # when using Keycloak REST API only the audience would be:
+    # setenv OAUTH_AUDIENCE account
+
+defaults
+    timeout connect 5s
+    timeout client  5s
+    timeout server  5s
+    mode http
+
+frontend api_gateway
+    bind :8080
+
+    # API v1
+    # Deny all requests
+    http-request deny if { path_beg /v1 }
+
+    # Deny if no Authorization header sent
+    http-request deny unless { req.hdr(authorization) -m found }
+
+    # Invoke the jwtverify Lua file
+    http-request lua.jwtverify
+
+    # Deny unless jwtverify set 'authorized' to true
+    http-request deny unless { var(txn.authorized) -m bool }
+
+    # API v2
+    # /v2/config available to only migrator_admin role
+    http-request deny if { path_beg /v2/config } ! { var(txn.oauth_roles) -m sub migrator_admin }
+    # /v2/service available to migrator_user role
+    http-request deny if { path_beg /v2/service } ! { var(txn.oauth_roles) -m sub migrator_user }
+
+    use_backend be_migrator
+
+backend be_migrator
+    balance roundrobin
+    server s1 migrator:8080