Overview

Defines the mechanism used to authenticate users and workflows attempting to access a service or a resource. The Serverless Workflow DSL supports multiple authentication schemes to accommodate various security requirements.

Authentication Object

use (string): The name of the top-level authentication definition to use. Cannot be used by authentication definitions defined at top level.
basic (object): The basic authentication scheme to use, if any. Required if no other property has been set, otherwise ignored.
bearer (object): The bearer authentication scheme to use, if any. Required if no other property has been set, otherwise ignored.
certificate (object): The certificate authentication scheme to use, if any. Required if no other property has been set, otherwise ignored.
digest (object): The digest authentication scheme to use, if any. Required if no other property has been set, otherwise ignored.
oauth2 (object): The oauth2 authentication scheme to use, if any. Required if no other property has been set, otherwise ignored.
oidc (object): The oidc authentication scheme to use, if any. Required if no other property has been set, otherwise ignored.

Basic Authentication

Defines the fundamentals of a ‘basic’ authentication.
username (string, required): The username to use.
password (string, required): The password to use.

Example

use:
  authentications:
    sampleBasic:
      basic:
        username: admin
        password: password123
do:
  - sampleTask:
      call: http
      with:
        method: get
        endpoint: 
          uri: https://secured.fake.com/sample
          authentication: 
            use: sampleBasic

Bearer Authentication

Defines the fundamentals of a ‘bearer’ authentication.
token (string, required): The bearer token to use.

Example

do:
  - sampleTask:
      call: http
      with:
        method: get
        endpoint: 
          uri: https://secured.fake.com/sample
          authentication:
            bearer:
              token: ${ .user.token }

Digest Authentication

Defines the fundamentals of a ‘digest’ authentication.
username (string, required): The username to use.
password (string, required): The password to use.

Example

use:
  authentications:
    sampleDigest:
      digest:
        username: admin
        password: password123
do:
  - sampleTask:
      call: http
      with:
        method: get
        endpoint: 
          uri: https://secured.fake.com/sample
          authentication: 
            use: sampleDigest

OAuth2 Authentication

Defines the fundamentals of an ‘oauth2’ authentication.
authority (uri-template, required): The URI that references the authority to use when making OAuth2 calls.
endpoints.token (uri-template): The relative path to the endpoint for OAuth2 token requests. Defaults to /oauth2/token.
endpoints.revocation (uri-template): The relative path to the endpoint used to invalidate tokens. Defaults to /oauth2/revoke.
endpoints.introspection (uri-template): The relative path to the endpoint used to validate and obtain information about a token, typically to check its validity and associated metadata. Defaults to /oauth2/introspect.
grant (string, required): The grant type to use. Supported values are authorization_code, client_credentials, password, refresh_token and urn:ietf:params:oauth:grant-type:token-exchange.
client.id (string): The client id to use. Required if the client.authentication method has not been set to none.
client.secret (string): The client secret to use, if any.
client.assertion (string): A JWT containing a signed assertion with your application credentials. Required when client.authentication has been set to private_key_jwt.
client.authentication (string): The client authentication method to use. Supported values are client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt or none. Defaults to client_secret_post.
request.encoding (string): The encoding of the token request. Supported values are application/x-www-form-urlencoded and application/json. Defaults to application/x-www-form-urlencoded.
issuers (uri-template[]): A list that contains valid issuers that will be used to check against the issuer of generated tokens.
scopes (string[]): The scopes, if any, to request the token for.
audiences (string[]): The audiences, if any, to request the token for.
username (string): The username to use. Used only if the grant type is Password.
password (string): The password to use. Used only if the grant type is Password.
subject (object): The security token that represents the identity of the party on behalf of whom the request is being made.
actor (object): The security token that represents the identity of the acting party.

Example

do:
  - sampleTask:
      call: http
      with:
        method: get
        endpoint: 
          uri: https://secured.fake.com/sample
          authentication:
            oauth2:
              authority: http://keycloak/realms/fake-authority
              endpoints:
                token: /oauth2/token
              grant: client_credentials
              client:
                id: workflow-runtime
                secret: "**********"
              scopes: [ api ]
              audiences: [ runtime ]
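
How the oauth2 properties above translate into a token request, and where the client secret ends up for client_secret_post versus client_secret_basic. This is an added example, not code from the Serverless Workflow project: build_token_request is a hypothetical helper, joining the relative endpoint path onto the authority is an assumption, audiences are left out because the page does not say how they are transmitted, and the sample definition is constructed.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode

def build_token_request(oauth2):
    """Return (url, headers, body) for the token request an oauth2 definition implies."""
    # Documented defaults: /oauth2/token, client_secret_post, form encoding.
    path = oauth2.get("endpoints", {}).get("token", "/oauth2/token")
    # Assumption: the relative path is appended to the authority URI.
    url = oauth2["authority"].rstrip("/") + "/" + path.lstrip("/")
    client = oauth2.get("client", {})
    method = client.get("authentication", "client_secret_post")
    encoding = oauth2.get("request", {}).get(
        "encoding", "application/x-www-form-urlencoded")

    params = {"grant_type": oauth2["grant"]}
    if oauth2.get("scopes"):
        params["scope"] = " ".join(oauth2["scopes"])  # RFC 6749: space-delimited
    headers = {"Content-Type": encoding}

    if method == "client_secret_post":      # secret travels in the request body
        params["client_id"] = client["id"]
        params["client_secret"] = client["secret"]
    elif method == "client_secret_basic":   # secret travels in the Authorization header
        # RFC 6749 section 2.3.1: form-encode id and secret, then Base64 "id:secret".
        pair = f"{quote_plus(client['id'])}:{quote_plus(client['secret'])}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "none":                  # public client: no secret is sent
        if "id" in client:
            params["client_id"] = client["id"]
    else:
        raise NotImplementedError(f"{method} needs a signed JWT assertion")

    body = json.dumps(params) if encoding == "application/json" else urlencode(params)
    return url, headers, body

# Constructed definition modelled on the example above; the secret is a placeholder.
SAMPLE = {
    "authority": "https://keycloak.example/realms/fake-authority",
    "grant": "client_credentials",
    "client": {"id": "workflow-runtime", "secret": "constructed s3cret/+"},
    "scopes": ["api"],
}

if __name__ == "__main__":
    for m in ("client_secret_post", "client_secret_basic"):
        SAMPLE["client"]["authentication"] = m
        print(m, build_token_request(SAMPLE))
```

Whichever method is configured, the secret is only as protected as the transport to the authority, so request-body and header logging on proxies in that path needs to redact both locations.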

OAuth2 Token

Represents the definition of an OAuth2 token.
token (string, required): The security token to use.
type (string, required): The type of security token to use.

OpenID Connect Authentication

Defines the fundamentals of an ‘oidc’ authentication.
authority (uri-template, required): The URI that references the authority to use when making OpenID Connect calls.
grant (string, required): The grant type to use. Supported values are authorization_code, client_credentials, password, refresh_token and urn:ietf:params:oauth:grant-type:token-exchange.
client.id (string): The client id to use. Required if the client.authentication method has not been set to none.
client.secret (string): The client secret to use, if any.
client.assertion (string): A JWT containing a signed assertion with your application credentials. Required when client.authentication has been set to private_key_jwt.
client.authentication (string): The client authentication method to use. Supported values are client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt or none. Defaults to client_secret_post.
request.encoding (string): The encoding of the token request. Supported values are application/x-www-form-urlencoded and application/json. Defaults to application/x-www-form-urlencoded.
issuers (uri-template[]): A list that contains valid issuers that will be used to check against the issuer of generated tokens.
scopes (string[]): The scopes, if any, to request the token for.
audiences (string[]): The audiences, if any, to request the token for.
username (string): The username to use. Used only if the grant type is Password.
password (string): The password to use. Used only if the grant type is Password.
subject (object): The security token that represents the identity of the party on behalf of whom the request is being made.
actor (object): The security token that represents the identity of the acting party.

Example

do:
  - sampleTask:
      call: http
      with:
        method: get
        endpoint: 
          uri: https://secured.fake.com/sample
          authentication:
            oidc:
              authority: http://keycloak/realms/fake-authority/.well-known/openid-configuration
              grant: client_credentials
              client:
                id: workflow-runtime
                secret: "**********"
              scopes: [ api ]
              audiences: [ runtime ]

Using Authentication from Secrets

document:
  dsl: '1.0.3'
  namespace: test
  name: authentication-example
  version: '0.1.0'
use:
  secrets:
    - usernamePasswordSecret
  authentications:
    sampleBasicFromSecret:
      basic:
        use: usernamePasswordSecret
do:
  - sampleTask:
      call: http
      with:
        method: get
        endpoint: 
          uri: https://secured.fake.com/sample
          authentication:
            use: sampleBasicFromSecret
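
A review check that separates the three ways this page supplies credentials (literal values, runtime expressions such as ${ .user.token }, and `use:` references to a secret or named definition) and reports only the literals, plus any authority reached over plain HTTP. This is an added example, not part of the Serverless Workflow tooling: the audit function, its finding messages and the set of sensitive field names are assumptions, and the workflow is a constructed document (already parsed from YAML or JSON) combining the page's examples.

```python
import re

# A runtime expression such as ${ .user.token } is resolved when the workflow runs.
EXPR = re.compile(r"^\s*\$\{.*\}\s*$", re.S)
SENSITIVE = {"password", "token", "secret", "assertion"}  # assumed field list
AUTH_KEYS = {"authentication", "authentications"}

def audit(node, path="$", in_auth=False):
    """Return (path, message) findings for every authentication object under node."""
    found = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            found += audit(item, f"{path}[{i}]", in_auth)
    elif isinstance(node, dict):
        if in_auth and "use" in node:  # named definition or secret reference
            return found
        for key, value in node.items():
            here = f"{path}.{key}"
            if in_auth and key == "endpoints":
                continue  # endpoints.token is a URL path, not a credential
            if in_auth and isinstance(value, str):
                if key == "authority" and value.lower().startswith("http://"):
                    found.append((here, "cleartext authority URI"))
                elif key in SENSITIVE and not EXPR.match(value):
                    found.append((here, "inline credential literal"))
            else:
                found += audit(value, here, in_auth or key in AUTH_KEYS)
    return found

# Constructed workflow combining the page's examples; the client secret is a placeholder.
WORKFLOW = {
    "use": {"authentications": {
        "sampleBasic": {"basic": {"username": "admin", "password": "password123"}},
        "sampleBasicFromSecret": {"basic": {"use": "usernamePasswordSecret"}}}},
    "do": [{"sampleTask": {"call": "http", "with": {"endpoint": {
        "uri": "https://secured.fake.com/sample",
        "authentication": {"oauth2": {
            "authority": "http://keycloak/realms/fake-authority",
            "endpoints": {"token": "/oauth2/token"},
            "grant": "client_credentials",
            "client": {"id": "workflow-runtime", "secret": "constructed-secret"}}}}}}}],
}

if __name__ == "__main__":
    for where, message in audit(WORKFLOW):
        print(f"{message}: {where}")
```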
