This message was deleted Permit #opal

Join Slack

This message was deleted.

# opal

Slackbot

07/14/2023, 10:35 AM

This message was deleted.

Or Weis

07/14/2023, 12:26 PM

Hi @Charlie Batten, you can create a custom data fetcher deriving from the HTTP one, and add the token management logic

Or Weis

07/14/2023, 12:27 PM

Checkout https://docs.opal.ac/tutorials/write_your_own_fetch_provider

Or Weis

07/14/2023, 12:34 PM

note that for the HTTP data fetchers you can pass a

config.headers

which will be used for aiohttp’s headers. And you can latch on top of that from your own custom fetch provider

Charlie Batten

07/14/2023, 12:37 PM

Thank you 😄

David Hamilton

07/14/2023, 5:21 PM

~~According to the documentation here it should already be added on the token query parameter for a GET request~~ https://docs.opal.ac/tutorials/configure_external_data_sources#how-the-redirect-actually-works

David Hamilton

07/14/2023, 5:23 PM

Oh, I see, actually this is for the getting the data sources, not retrieving the data itself

✅ 1

David Hamilton

07/14/2023, 5:52 PM

If headers, such as Authorization, are provided on a topic for initial data config sources, can those headers be automatically applied to the subsequent data updates? Say my initial data config sources includes the topic

person_data

and the url is

<https://person-api/v1/all>

. Then I have a data update notification on the same topic and the url is

<https://person-api/v1/123>.

If my initial data config sources applied authorization header, could that be stored in order to make any calls to that same url on the same topic?

Charlie Batten

07/14/2023, 5:55 PM

That's the kind of problem I'm trying to solve :) I'm not sure if it's possible without a customer fetcher

Or Weis

07/14/2023, 5:57 PM

What you're suggestioning @David Hamilton is doable, but as @Charlie Batten says not without a custom fetcher. In the long run we are planning on adding a secret manager integration as part of the OPAL client, and then the update's can just reference the keys by name, and the client can render them as they come in.

👍 1

David Hamilton

07/14/2023, 5:57 PM

My other thought for a similar configuration is basically to just use mutual SSL as the authentication. If I'm standing up an API which has the sole purpose of providing data to the clients, I can set up the API so that its truststore only holds the approved client public certs. Obviously only applicable in the scenario the endpoint is solely for systems, not users

Or Weis

07/14/2023, 6:04 PM

@David Hamilton, yes authenticating with client certificates can work. Note that would require changes on the server side as well to validate the client certificate, if it doesn't do so already.

👍 1

Or Weis

07/14/2023, 6:05 PM

CC: @Shaul Kremer, @Asaf Cohen, @Ro'e Katz Re: opal client secrets store

David Hamilton

07/14/2023, 6:40 PM

speaking of secrets store, I noticed this link is broken

Or Weis

07/14/2023, 6:44 PM

Thanks @David Hamilton @Filip can you take care of the link 🙏

David Hamilton

07/17/2023, 7:09 PM

Or, does OPAL Client support mutual TLS in the http fetcher?

Or Weis

07/17/2023, 7:27 PM

Hi @David Hamilton The underlying lib aiohttp does support, it's easy to Google examples, But the default fetcher doesn't expose a config for it, you can create a custom one to do so.

Open in Slack

Previous Next