Articles on: Tutorials

Configure authentification with Carbone docker image

How to enable authentication with Carbone docker


By default, Carbone docker image is running without authentication.


Please follow the steps below:


Enable authentication options in Carbone


You first need to set environment variable CARBONE_EE_AUTHENTICATION to true.
If you use Studio (CARBONE_EE_STUDIO=true), don't forget to also enable security on it with : CARBONE_EE_STUDIOUSER=user:password


Carbone key generation


When running Carbone for the first time, if no keys are present, Carbone automatically generate a key pair (key.pem and key.pub) in /app/config/.


To simplify migration and architecture issues, we strongly recommend that you generate your own keys and make them available to Carbone.


To do this, you must first generate a private key with the following command:

openssl ecparam -genkey -name secp521r1 -noout -out key.pem


Then the corresponding public key : 

openssl ec -in key.pem -pubout -out key.pub


Launching Carbone with your key


As with license provisioning, we recommend using a docker secret to map the public key to the container's config directory.


Here's an example using docker compose (file docker-compose.yml) : 

version: "3.9"
services:
  carbone:
    image: carbone-ee:4.20.0
    platform: linux/amd64
    ports:
      - "4000:4000"
    secrets:
      - source: carbone-license
        target: /app/config/license.carbone-license
      - source: carbone-publickey
        target: /app/config/key.pub
    environment:
      - CARBONE_EE_STUDIO=true
      - CARBONE_EE_AUTHENTICATION=true
      - CARBONE_EE_STUDIOUSER=user:passw0rd
secrets:
  carbone-license:
    file: license.carbone-license
  carbone-publickey:
    file: key.pub


Generating JWT tokens for API use


Carbone uses standard ES512 JWT tokens.


You must then generate a token and sign it with your private key.


The JWT token must contain the following information.
Header : 

{
    "alg" : "ES512",
    "typ" : "JWT"
}

Payload

{
    'iss' : 'carbone-user',
    'aud' : 'carbone-ee', 
    'exp' : xxxxx // timestamp en sec
}


Numerous solutions exist, but we suggest you use https://github.com/smallstep/cli


After installation, you just need to run the following command to generate one JWT token :

current_time=$(date +%s)
expiration_time=$(($current_time + 864000)) # Ten days from now for ex

step crypto jwt sign --alg ES512 --iss=carbone-user --subtle --aud=carbone-ee --exp=$expiration_time --key=key.pem


Et voilà !

Updated on: 03/19/2024

Was this article helpful?

Share your feedback

Cancel

Thank you!