Users (read more about User management here) can use the standard OAuth2 client credentials flow (read more here) to authenticate to the Cluster and access its publicly exposed HTTP-based Services (read more about publicly exposed BeyondCorp Services here), such as HTTP/gRPC APIs or Kubernetes clusters, exactly as they would any OAuth2-protected public SaaS HTTP resource: there is no client to install on the host, no special SDK to use, and no need to even be aware of the Cluster's existence. You can therefore write applications in any programming language and use standard OAuth2 libraries to securely access all of the Cluster's publicly exposed Services with a single identity and credential.
In addition to the OAuth2 client credentials Credential, you can also generate an access token Credential and use it directly as a bearer token to access publicly exposed Services. Read more here.
It works as follows:
- Obtain an OAuth2 client credentials Credential for the User your workload should act as (`root` in this example):

```bash
octeliumctl create cred --user root --type oauth2 my-oauth-cred
# Here is the command output
Client ID: nz7y-hagw
Client Secret: AQpA691Z...
```

You can read more here.
Now you can use the client credentials within your application to authenticate to the Cluster's OAuth2 token endpoint, which is located at https://<DOMAIN>/oauth2/token. For example, let's assume we want to access the Service my-api. We first obtain an access token, which can then be used to access your Services via standard bearer authentication (i.e. via the HTTP request header Authorization: Bearer <ACCESS_TOKEN>).
In shell with curl this is done as follows:

```bash
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' \
  'https://<DOMAIN>/oauth2/token'
# Now we use the access token obtained from the above request to access the Service
curl -H "Authorization: Bearer <ACCESS_TOKEN>" https://my-api.<DOMAIN>
```
Here is an equivalent example in Golang:

```go
package main

import (
	"context"
	"fmt"
	"io"

	"golang.org/x/oauth2/clientcredentials"
)

func main() {
	if err := doMain(context.Background()); err != nil {
		panic(err)
	}
}

func doMain(ctx context.Context) error {
	// Your Cluster domain
	domain := "example.com"
	// Configuration for the client credentials flow
	config := clientcredentials.Config{
		ClientID:     "y56y-9ru3",
		ClientSecret: "AQpAt200_CHp2S9G...",
		TokenURL:     fmt.Sprintf("https://%s/oauth2/token", domain),
	}

	// Obtain an access token from our OAuth2 client credentials. This verifies the
	// credentials up front; config.Client below fetches and refreshes tokens on its own.
	_, err := config.Token(ctx)
	if err != nil {
		return err
	}

	// Now we access our Service "my-api". The returned http.Client attaches the
	// access token as "Authorization: Bearer ..." to every request.
	client := config.Client(ctx)
	resp, err := client.Get(fmt.Sprintf("https://my-api.%s", domain))
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	bodyBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		return err
	}

	fmt.Printf("Response: %s\n", string(bodyBytes))

	return nil
}
```
And here is an equivalent example in TypeScript:

```typescript
import axios from "axios";
import { URLSearchParams } from "url";

const clientId = "y56y-9ru3";
const clientSecret = "AQpAyteKC0UPDI1U...";
const domain = "<DOMAIN>";

// Exchange the client credentials for an access token at the Cluster's token endpoint
const getToken = async (): Promise<string> => {
  try {
    const params = new URLSearchParams();
    params.append("grant_type", "client_credentials");
    params.append("client_id", clientId);
    params.append("client_secret", clientSecret);

    const response = await axios.post(`https://${domain}/oauth2/token`, params, {
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
      },
    });

    return response.data.access_token;
  } catch (error) {
    console.error("Error fetching access token:", error);
    throw error;
  }
};

// Call the Service "my-api" with the access token as a bearer credential
const accessProtectedResource = async (token: string) => {
  const response = await axios.get(`https://my-api.${domain}`, {
    headers: {
      Authorization: `Bearer ${token}`,
    },
  });
  // Log only the body: the full axios response object includes the request
  // config and would write the Authorization header (the token) to the logs.
  console.log(response.data);
};

const main = async () => {
  const accessToken = await getToken();
  await accessProtectedResource(accessToken);
};

main();
```
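As an added example (not code from the Octelium docs or project), here is the same exchange in Go using only the standard library, with the checks a workload should apply to the token endpoint's reply, run against a constructed in-process stand-in for https://<DOMAIN>/oauth2/token and the Service my-api so it works offline. The Client and TokenResponse types, the newMockCluster server and the credential values are assumptions for illustration; only the endpoint path, the form parameters and the bearer header come from the page.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResponse covers both the success and the error shape of an RFC 6749 token response.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Error       string `json:"error"`
	ErrorDesc   string `json:"error_description"`
}

// Client holds one Octelium OAuth2 client credential and the Cluster's token endpoint URL (assumed type).
type Client struct {
	TokenURL, ClientID, ClientSecret string
	HTTP                             *http.Client
}

// do sends req, reads at most 1 MiB of body (bounding what a peer can make us buffer) and returns status and body.
func do(h *http.Client, req *http.Request) (int, []byte, error) {
	resp, err := h.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return resp.StatusCode, body, err
}

// Token performs the client_credentials exchange. Anything other than a 200 carrying a bearer
// access_token is an error, so a caller never proceeds with an empty token or a foreign token type.
func (c *Client) Token(ctx context.Context) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {c.ClientID}, "client_secret": {c.ClientSecret}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	status, body, err := do(c.HTTP, req)
	if err != nil {
		return nil, err
	}
	var tr TokenResponse
	if json.Unmarshal(body, &tr) != nil || status != http.StatusOK || tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "bearer") {
		return nil, fmt.Errorf("token endpoint: status %d, error=%q %s", status, tr.Error, tr.ErrorDesc)
	}
	return &tr, nil
}

// Get fetches a token and calls serviceURL with it as a bearer credential, returning the Service's status and body.
func (c *Client) Get(ctx context.Context, serviceURL string) (int, string, error) {
	tr, err := c.Token(ctx)
	if err != nil {
		return 0, "", err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, serviceURL, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Authorization", "Bearer "+tr.AccessToken)
	status, body, err := do(c.HTTP, req)
	return status, string(body), err
}

// newMockCluster is a constructed stand-in (not an Octelium component) for the token endpoint and one
// Service so the example runs offline; the real Service is a host (my-api.<DOMAIN>), here it is a path.
func newMockCluster(clientID, secret, token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		code, reply := http.StatusOK, map[string]interface{}{"access_token": token, "token_type": "Bearer", "expires_in": 3600}
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials" {
			code, reply = http.StatusBadRequest, map[string]interface{}{"error": "unsupported_grant_type"}
		} else if r.FormValue("client_id") != clientID || r.FormValue("client_secret") != secret {
			code, reply = http.StatusUnauthorized, map[string]interface{}{"error": "invalid_client"}
		}
		w.WriteHeader(code)
		json.NewEncoder(w).Encode(reply)
	})
	mux.HandleFunc("/my-api", func(w http.ResponseWriter, r *http.Request) {
		if strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ") != token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "hello from my-api")
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newMockCluster("nz7y-hagw", "constructed-secret", "constructed-token") // constructed values
	defer srv.Close()
	c := &Client{TokenURL: srv.URL + "/oauth2/token", ClientID: "nz7y-hagw", ClientSecret: "constructed-secret", HTTP: srv.Client()}
	fmt.Println(c.Get(context.Background(), srv.URL+"/my-api"))
}
```

The token endpoint reports failures as JSON (`error` and `error_description`, per RFC 6749), so the client parses the body on every status code and refuses to continue unless it received a 200 with a non-empty bearer token; a wrong secret therefore fails at the token endpoint and never produces a request to the Service. Against a real Cluster, replace the stand-in with your domain and cache the token for `expires_in` seconds rather than fetching a new one per request.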
You can additionally pass Octelium scopes as the OAuth2 scope parameter of the token request. Read more about scopes here.
Standard libraries for the OAuth2 client credentials flow exist in almost all major programming languages; the Go example above, for instance, uses golang.org/x/oauth2/clientcredentials to obtain the access token.
You can also send the issued access token in the X-Octelium-Auth: <ACCESS_TOKEN> header instead of the typical Authorization: Bearer <ACCESS_TOKEN> header.