Credential Service is an API that exchanges authentication tokens from auth systems (think Auth0, Azure AD B2C, Firebase Auth, etc.) for ecosystem-specific tokens, so that they can be used with any RMI service. The API is defined in an OpenAPI v3 spec and currently only supports Azure AD B2C ID tokens as input.
The service currently has two main credential-exchanging endpoints:
- CreateAPIKey - Creates a new API key and returns it in the response body.
  - Intended to be used for programmatically accessing RMI APIs
  - `POST /login/apikey`
- CookieLogin - Creates a new API key and returns it in a `Set-Cookie` response header.
  - Intended to be used for web clients
  - `POST /login/cookie`
Things to note:
- Only Azure AD B2C is supported as a source of exchangeable user ID tokens at the moment; see the server `main.go` and the `azjwt` package for more details.
Run the server against an Azure AD B2C instance:

```sh
bazel run //scripts:run_server -- --use_azure_auth
```

Run the server against a local JWT issuer (see the cmd/server README for more details):

```sh
bazel run //scripts:run_server
```

You can access the API via `curl`; see the cmd/server README for more details and exact commands.
This repo doesn't currently have deployment via GitHub Actions. To manually deploy the service:

```sh
az acr login --name rmisa
bazel run --@io_bazel_rules_go//go/config:pure //cmd/server:push_image
# If you get an unauthenticated error from the above command, you can run:
bazel build --@io_bazel_rules_go//go/config:pure //cmd/server:image_tarball
docker load < bazel-bin/cmd/server/image_tarball/tarball.tar
docker tag <sha from previous step, without 'sha256:' prefix> rmisa.azurecr.io/credsrv
docker push rmisa.azurecr.io/credsrv
# Now that the updated image has been pushed, deploy it with something like:
az containerapp update \
  -g rmi-credsrv-dev \
  -n credsrv-dev \
  -i rmisa.azurecr.io/credsrv:latest
```
Please report security issues to [email protected], or by using one of the contact methods available on our Contact Us page.
Contribution guidelines can be found on our website.