Setup RBAC for SOARCA

Setup OIDC based Role-Based Access Control (RBAC) for SOARCA

Authentication is disabled by default in SOARCA. This means that when SOARCA is launched with its default configuration and exposed to a network, anyone can interact with it. Since SOARCA requires significant capabilities and access to reconfigure systems, exposing it without authentication poses a security risk. This section outlines how to set up authentication and authorization for SOARCA.

SOARCA leverages our internally developed gauth library as its underlying authentication framework. This library provides convenient Role-Based Access Control (RBAC) middleware, which manages authentication for various endpoints, such as the Playbook API. Based on OpenID Connect (OIDC), the library supports integration with multiple authentication providers.

Currently, for the used gauth library the Authentik authentication provider, an open-source solution that supports a wide range of authentication methods is supported and tested. As such other OIDC-based providers might not be compatible.

Supported OIDC-Based Auth Providers

Enabling RBAC

Enabling RBAC can be done by setting the AUTH_ENABLED: true.

AUTH_ENABLED: true
AUTH_GROUP: "soarca_admin"
OIDC_ISSUER: "https://authentikuri:9443/application/u/test/"
OIDC_CLIENT_SECRET: "SOME_CLIENT_SECRET"
OIDC_CLIENT_ID: "SOME_CLIENT_ID"
OIDC_SKIP_TLS_VERIFY: true

Setting up Authentik with SOARCA

Next, we need to obtain variables such as OIDC_ISSUER etc. This section will describe how we can setup Authentik.

Spinning up Authentik

Instruction and docker-compose on how to bundle SOARCA with Authentik will come!

Making an authentication provider

In Authentik first setup a new provider. This can be done under Applications -> Providers ->Create. For the provider type select the OAuth2/OpenID provider from the various options. An example configuration is given below:

Next, we need to set in the advanced protocol settings the token expiration lifetime needs to be changed to 8 hours.

core

core

Endpoints for the auth provider can also be found here:

core

Making an application

Next, we can create a new application as shown in the picture below. A new application can be added under Applications –> Create Add the earlier made provider to this application.

core

Setting the authentication provider

Next, under providers -> soarca-auth-provider -> edit we can find the following overview:

core

Here we can find the:

  • Client ID: some random stuff
  • Client Secret: some other random stuff
  • Redirect Url: Optional, should be set when using for the SOARCA-GUI explained [here]

core

We only use the Authentik integration for token validation on the SOARCA side. As such, only the OIDC_CLIENT_ID is required here. For the SOARCA-GUI, we would need the OIDC_CLIENT_SECRET.

Set these variables in the environment variables settings, for example:

AUTH_ENABLED: true  
AUTH_GROUP: "soarca_admin"
OIDC_ISSUER: "https://authentikuri/application/o/does-providing-for-soarca/"
OIDC_CLIENT_ID: "WxUcBMGZdI7c0e5oYp6mYdEd64acpXSuWKh8zBH5"
OIDC_SKIP_TLS_VERIFY: true
export AUTH_ENABLED=true
export AUTH_GROUP="soarca_admin"
export OIDC_ISSUER="https://authentikuri:9443/application/o/does-providing-for-soarca/"
export OIDC_CLIENT_ID="WxUcBMGZdI7c0e5oYp6mYdEd64acpXSuWKh8zBH5"
export OIDC_SKIP_TLS_VERIFY=true

Adding SOARCA user group and users

For the current version of SOARCA and the gauth library the access to the API for a given user is dependent on the required set AUTH_GROUP. Users are required to be in the same group as the group that has been set through this variable. Currently, there is not yet control over which group can access a specific API or route grooup. This feature is scheduled for a future version of SOARCA. In the example below, the AUTH_GROUP: soarca_admin is set.

Next, we require to setup a group in Authentik that is called soarca_admin as explained earlier. The to be obtained tokens from Authentik needs to have this group information as this will be checked by the middleware. A group can be created under Directory -> Groups -> New.

Under users normal as as service accounts can be created. We advise for machine-to-machine implementation service accounts, and for normal users (used for example for SOARCA-GUI logins) normal accounts. Now we can make an users and add to the soarca_admin group. Make use under the application that this group is added to the application provider that we have setup earlier, otherwise the grants of token might fail.

core

core

core

Authentication with Bearer

Now that authentication and authorization is enabled, every request requires to have a set Authorization: Bearer <token> header.

POST /trigger/playbook/ HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Authorization: Bearer <token from authentik> 
Content-Length: 2345

{
    "type": "playbook",
    "spec_version": "cacao-2.0",
    "id": "playbook--300270f9-0e64-42c8-93cc-0927edbe3ae7",
    "name": "Example ssh",
    ...
}

The gauth library will validate this bearer token against the setup Authentik provider and grant the user or application access. Replace the token with a working bearer token.

An example curl command is provided below:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <replace token>" -d @./example/ssh-playbook.json localhost:8080/trigger/playbook

Last modified December 11, 2024: removal of <h by auto formatter (55a22f1)