Examples
Gateway config
Configuration example for token validations from popular OIDC providers. Can be edited via k8s configmap, mounted config file, or using environment variables.
"providers": {
"azure": {
"name": "Azure",
"issuer": "https://sts.windows.net/{tenantId}/",
"authority": "https://sts.windows.net/{tenantId}/",
"jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
"client_id": "{client_id}",
"login_info":{
"login_type": "azure",
"additional_info": {
"resource": "{client_id}",
"tenant": "https://sts.windows.net/{tenantId}/"
},
"scope": "openid profile email",
"response_type": "id_token"
}
},
"google": {
"name": "Google",
"issuer": "https://accounts.google.com",
"authority": "https://accounts.google.com",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"client_id": "{client_id}",
"login_info": {
"login_type": "oidc",
"additional_info": {
},
"scope": "openid profile email",
"response_type": "id_token"
}
},
"oidc": {
"name": "Mock OpenId Connect server",
"issuer": "http://localhost:4011",
"authority": "http://localhost:4011",
"jwks_uri": "http://oidc-server-mock/.well-known/openid-configuration/jwks",
"client_id": "tweek-openid-mock-client",
"login_info": {
"login_type": "oidc",
"additional_info": {},
"scope": "openid profile email",
"response_type": "id_token"
}
},
}
JWT Extraction
Map JWT token to a user role and group. Written in OPA’s rego language
This example -
- map JWT issued by Google to:
- Group:
editors - User:
{email}
- map JWT issued by Azure to:
- Group:
editors - User:
{upn}
- Other users are with valid JWT will get the group
defaultwith user:{sub}
This file can be edited via the editor UI (settings/security/policies/JWT Extraction)
package rules
default subject = { "user": null, "group": null }
subject = { "user": input.email, "group": "editors" } { # Google
input.iss = "https://accounts.google.com"
input.aud = "{client-id}"
input.hd = "{example.com}"
} else = { "user": input.upn, "group": "editors" } { # Azure
input.iss = "https://sts.windows.net/{client-id}/"
} else = { "user": input.sub, "group": "default" } {
true
}
Policies config
Access policies for Tweek. This example allow editor Permission (edit keys, context, …) for editors group and allow all (include anonymous) users to read/calculate values.
This file can be edited via the editor UI (settings/security/policies/acl)
"policies": [
{
"group": "editors",
"user": "*",
"contexts": {
"*": "*"
},
"object": "*",
"action": "*",
"effect": "allow"
},
{
"group": "editors",
"user": "*",
"contexts": {
"tweek_editor_user": "self"
},
"object": "values/*",
"action": "*",
"effect": "allow"
},
{
"group": "editors",
"user": "*",
"contexts": {},
"object": "repo/keys/*",
"action": "write",
"effect": "allow"
},
{
"group": "editors",
"user": "*",
"contexts": {},
"object": "repo",
"action": "read",
"effect": "allow"
},
{
"group": "editors",
"user": "*",
"contexts": {},
"object": "repo/tags",
"action": "write",
"effect": "allow"
},
{
"group": "editors",
"user": "*",
"contexts": {},
"object": "repo/schemas",
"action": "write",
"effect": "allow"
},
{
"group": "*",
"user": "*",
"contexts": {
"user": "*"
},
"object": "values/*",
"action": "*",
"effect": "allow"
}
]