Gateway config

Configuration example for token validations from popular OIDC providers. Can be edited via k8s configmap, mounted config file, or using environment variables.

"providers": {
                  "azure": {
                      "name": "Azure",
                      "issuer": "https://sts.windows.net/{tenantId}/",
                      "authority": "https://sts.windows.net/{tenantId}/",
                      "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
                      "client_id": "{client_id}",
                      "login_info":{
                        "login_type": "azure",
                        "additional_info": {
                          "resource": "{client_id}",
                          "tenant": "https://sts.windows.net/{tenantId}/"
                        },
                        "scope": "openid profile email",
                        "response_type": "id_token"
                      }
                  },
                  "google": {
                    "name": "Google",
                    "issuer": "https://accounts.google.com",
                    "authority": "https://accounts.google.com",
                    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
                    "client_id": "{client_id}",
                    "login_info": {
                        "login_type": "oidc",
                        "additional_info": {
                      },
                      "scope": "openid profile email",
                      "response_type": "id_token"
                    }
                  },
                  "oidc": {
                    "name": "Mock OpenId Connect server",
                    "issuer": "http://localhost:4011",
                    "authority": "http://localhost:4011",
                    "jwks_uri": "http://oidc-server-mock/.well-known/openid-configuration/jwks",
                    "client_id": "tweek-openid-mock-client",
                    "login_info": {
                        "login_type": "oidc",
                        "additional_info": {},
                        "scope": "openid profile email",
                        "response_type": "id_token"
                    }
                },
       }

JWT Extraction

Map JWT token to a user role and group. Written in OPA’s rego language

This example -

  1. map JWT issued by Google to:
  • Group: editors
  • User: {email}
  1. map JWT issued by Azure to:
  • Group: editors
  • User: {upn}
  1. Other users are with valid JWT will get the group default with user: {sub}

This file can be edited via the editor UI (settings/security/policies/JWT Extraction)

package rules

default subject = { "user": null, "group": null }

subject = { "user": input.email, "group": "editors" } { # Google
    input.iss = "https://accounts.google.com"
    input.aud = "{client-id}"
    input.hd = "{example.com}"
} else = { "user": input.upn, "group": "editors" } { # Azure
    input.iss = "https://sts.windows.net/{client-id}/"
} else = { "user": input.sub, "group": "default" } {
    true
}

Policies config

Access policies for Tweek. This example allow editor Permission (edit keys, context, …) for editors group and allow all (include anonymous) users to read/calculate values.

This file can be edited via the editor UI (settings/security/policies/acl)

"policies": [
        {
            "group": "editors",
            "user": "*",
            "contexts": {
              "*": "*"
            },
            "object": "editors",
            "action": "*",
            "effect": "allow"
        },
        {
            "group": "editors",
            "user": "*",
            "contexts": {
                "tweek_editor_user": "self"
            },
            "object": "values/*",
            "action": "*",
            "effect": "allow"
        },
        {
            "group": "editors",
            "user": "*",
            "contexts": {},
            "object": "repo/keys/*",
            "action": "write",
            "effect": "allow"
        },
        {
            "group": "editors",
            "user": "*",
            "contexts": {},
            "object": "repo",
            "action": "read",
            "effect": "allow"
        },
        {
            "group": "editors",
            "user": "*",
            "contexts": {},
            "object": "repo/tags",
            "action": "write",
            "effect": "allow"
        },
        {
            "group": "editors",
            "user": "*",
            "contexts": {},
            "object": "repo/schemas",
            "action": "write",
            "effect": "allow"
        },
        {
            "group": "*",
            "user": "*",
            "contexts": {
              "user": "*"
            },
            "object": "values/*",
            "action": "*",
            "effect": "allow"
        }
]