OAuth2

Use OAuth2 middleware to secure HTTP endpoints

The OAuth2 HTTP middleware enables the OAuth2 Authorization Code flow on a Web API without modifying the application. This design separates authentication/authorization concerns from the application, so that application operators can adopt and configure authentication/authorization providers without impacting the application code.

Component format

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: oauth2
    spec:
      type: middleware.http.oauth2
      version: v1
      metadata:
      - name: clientId
        value: "<your client ID>"
      - name: clientSecret
        value: "<your client secret>"
      - name: scopes
        value: "https://www.googleapis.com/auth/userinfo.email"
      - name: authURL
        value: "https://accounts.google.com/o/oauth2/v2/auth"
      - name: tokenURL
        value: "https://accounts.google.com/o/oauth2/token"
      - name: redirectURL
        value: "http://dummy.com"
      - name: authHeaderName
        value: "authorization"
      - name: forceHTTPS
        value: "false"

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets as described here.
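
The same component with the credentials pulled from a secret store and TLS enforced, as an added example that is not part of the original page. It assumes a Kubernetes deployment with a Secret named `oauth2-credentials` (hypothetical) holding the keys `clientId` and `clientSecret`, and uses `https://myapp.com` as a placeholder redirect URL.

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2
spec:
  type: middleware.http.oauth2
  version: v1
  metadata:
  # Credentials are resolved from the secret store at load time,
  # so they never appear in the component manifest.
  - name: clientId
    secretKeyRef:
      name: oauth2-credentials   # assumed secret name
      key: clientId              # assumed key inside that secret
  - name: clientSecret
    secretKeyRef:
      name: oauth2-credentials   # assumed secret name
      key: clientSecret          # assumed key inside that secret
  - name: scopes
    value: "https://www.googleapis.com/auth/userinfo.email"
  - name: authURL
    value: "https://accounts.google.com/o/oauth2/v2/auth"
  - name: tokenURL
    value: "https://accounts.google.com/o/oauth2/token"
  # The authorization code is delivered to this URL, so it should be
  # HTTPS and match the redirect URI registered with the provider.
  - name: redirectURL
    value: "https://myapp.com"   # placeholder application URL
  - name: authHeaderName
    value: "authorization"
  # Enforce TLS/SSL for requests handled by the middleware.
  - name: forceHTTPS
    value: "true"
# Secret store that secretKeyRef entries are resolved against.
# "kubernetes" is the built-in store when running on Kubernetes;
# for other stores, use the name of your secret store component.
auth:
  secretStore: kubernetes
```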

Spec metadata fields

| Field | Details | Example |
|-------|---------|---------|
| clientId | The client ID of your application that is created as part of a credential hosted by an OAuth-enabled platform | |
| clientSecret | The client secret of your application that is created as part of a credential hosted by an OAuth-enabled platform | |
| scopes | A list of space-delimited, case-sensitive strings of scopes which are typically used for authorization in the application | "https://www.googleapis.com/auth/userinfo.email" |
| authURL | The endpoint of the OAuth2 authorization server | "https://accounts.google.com/o/oauth2/v2/auth" |
| tokenURL | The endpoint used by the client to obtain an access token by presenting its authorization grant or refresh token | "https://accounts.google.com/o/oauth2/token" |
| redirectURL | The URL of your web application that the authorization server should redirect to once the user has authenticated | "https://myapp.com" |
| authHeaderName | The authorization header name to forward to your application | "authorization" |
| forceHTTPS | If true, enforces the use of TLS/SSL | "true", "false" |

Dapr configuration

To be applied, the middleware must be referenced in configuration. See middleware pipelines.

    apiVersion: dapr.io/v1alpha1
    kind: Configuration
    metadata:
      name: appconfig
    spec:
      httpPipeline:
        handlers:
        - name: oauth2
          type: middleware.http.oauth2

Last modified June 23, 2022: Merge pull request #2550 from ItalyPaleAle/cosmosdb-harcoded-dapr-version (cf03237)