
Authentication

The remote data loader supports authenticating with an identity provider that supports the OAuth 2.0 Authorization Code flow with PKCE. The authentication token returned from this flow will then be passed from the remote data loader to your data backend with every request.

Authentication can be disabled by setting DISABLE_AUTH=true in the remote data loader container's environment. This may be appropriate if you already restrict access to the remote data loader by other means, for example an internal VPN. With authentication disabled no token is obtained, so none is forwarded to your data backend, and access to the backend must be controlled by your own infrastructure instead.

Flow overview

When a user tries to access your remote data loader from the Foxglove app, an authorization prompt from your identity provider will be shown.

After the user logs in and consents to authorize the remote data loader, your identity provider redirects the browser to the remote data loader's callback URL. The remote data loader then exchanges the authorization code for an authentication token, which it uses to access your data backend.
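The exchange described above, as an added example that is not part of the Foxglove documentation or the remote data loader's own code. It shows the PKCE values the client computes, the authorize URL and token request it builds, the state check on the callback, and the check the identity provider performs at the token endpoint. The endpoint URLs are the placeholders from the configuration section on this page; CLIENT_ID and every function name are this example's assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints modelled on the configuration examples on this page;
# CLIENT_ID is an assumed value, not a real client.
AUTHORIZE_URL = "https://abc.auth0.com/oauth/authorize"
TOKEN_URL = "https://abc.auth0.com/oauth/token"
CALLBACK_URL = "https://data.loader.dev/v1/login/callback"
CLIENT_ID = "example-client-id"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43 to 128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, requested_scopes: str) -> str:
    """Step 1: the browser is sent here. requested_scopes is the comma-separated
    OAUTH_REQUESTED_SCOPES value; the scope parameter itself is space-delimited."""
    scopes = [s.strip() for s in requested_scopes.split(",") if s.strip()]
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value, kept server-side next to the verifier
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(redirected_url: str, expected_state: str) -> str:
    """Step 2: the provider redirects to CALLBACK_URL?code=...&state=...;
    the response is rejected unless state matches the one issued in step 1."""
    query = parse_qs(urlparse(redirected_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale login session or forged callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Step 3: form body POSTed to TOKEN_URL. The verifier, never the challenge,
    is sent here; a confidential client also adds its client secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": CALLBACK_URL,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def provider_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the identity provider checks at the token endpoint: the verifier in the
    token request must hash to the challenge it saw in the authorize request. This
    is what stops an intercepted authorization code from being redeemed by someone
    who never held the verifier."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```

The verifier and state must survive between the redirect out and the callback in, so a real implementation stores them in a short-lived server-side login session keyed from the browser, not in the authorize URL itself.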

Where is the authentication token stored?

The authentication token is stored in a cookie set on the domain of your remote data loader, which runs in your own infrastructure.

The Foxglove app cannot read the cookie, because it is scoped to your remote data loader's domain rather than Foxglove's. You can additionally provide an encryption key (COOKIE_ENCRYPTION_KEY in the configuration below) so that the cookie's contents are encrypted and a malicious client cannot read the access token out of it. The cookie still authenticates whoever presents it, so the remote data loader should only ever be reachable over HTTPS.

How is the authentication token used?

The authentication token is sent in the Authorization header as Bearer <token> to your manifest endpoint and to every source URL contained in the manifests it returns. Any host named in a manifest's source URLs therefore receives the user's token, so manifests should only reference hosts you trust with it.

Configuration

Configure auth for your remote data loader by creating an auth-credentials secret in your cluster. This secret will contain all the environment variables required to configure authentication.

To create the secret, start by creating the following file at auth-credentials.yaml.

apiVersion: v1
kind: Secret
metadata:
  name: auth-credentials
type: Opaque
stringData:
  # OAuth 2.0 configuration
  OAUTH_CLIENT_ID: "<client id>"
  OAUTH_CLIENT_SECRET: "<client secret>"
  OAUTH_AUTHORIZE_URL: "<authorize url>" # for example, https://abc.auth0.com/oauth/authorize
  OAUTH_TOKEN_URL: "<token url>" # for example, https://abc.auth0.com/oauth/token

  # The callback URL will be "https://<your data loader url>/v1/login/callback"
  OAUTH_CALLBACK_URL: "<callback url>" # for example, https://data.loader.dev/v1/login/callback

  # Optionally include a cookie encryption key to avoid user tokens being visible to the client.
  #
  # This must be at least 64 bytes of cryptographically secure random data encoded as base64.
  COOKIE_ENCRYPTION_KEY: "<secure random secret>"

  # Optionally provide a comma-separated list of scopes to request from the auth provider at login.
  OAUTH_REQUESTED_SCOPES: "<comma-separated list of scopes>"

Next apply the secret to your cluster. The file holds your client secret and cookie key in plaintext, so keep it out of version control:

kubectl apply -f ./auth-credentials.yaml --namespace foxglove

To verify that the authentication flow is working, navigate to https://<your data loader url>/v1/login in your browser. You should be redirected to your identity provider's login prompt and, after logging in, back to the remote data loader's callback URL.
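A preflight check for the values going into the secret, added here as an example and not part of the remote data loader or its documentation. It generates a COOKIE_ENCRYPTION_KEY of the size the template above requires and validates the stringData values before you apply the secret, which catches the common mistakes (wrapped or short key, wrong callback path, non-https endpoint) that otherwise only show up as a failed login. The https requirement, the function names and the constructed sample configuration are this example's own choices.

```python
import base64
import binascii
import secrets
from typing import Optional
from urllib.parse import urlparse

MIN_KEY_BYTES = 64                  # minimum stated in the secret template above
CALLBACK_PATH = "/v1/login/callback"  # path the remote data loader serves its callback on
REQUIRED = ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET", "OAUTH_AUTHORIZE_URL",
            "OAUTH_TOKEN_URL", "OAUTH_CALLBACK_URL")


def generate_cookie_encryption_key(n_bytes: int = MIN_KEY_BYTES) -> str:
    """Cryptographically secure random bytes, standard base64 on a single line."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def check_cookie_encryption_key(value: str) -> Optional[str]:
    """Return None if the key is acceptable, otherwise the reason it is not."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except binascii.Error:
        return "is not valid standard base64 (keep it on one line, no wrapping)"
    if len(raw) < MIN_KEY_BYTES:
        return f"decodes to {len(raw)} bytes, need at least {MIN_KEY_BYTES}"
    return None


def _is_https_url(value: str) -> bool:
    """Absolute https URL with a host; tokens and codes must not cross plain HTTP
    (this example's own requirement, not one stated on the page)."""
    u = urlparse(value)
    return u.scheme == "https" and bool(u.netloc)


def validate_auth_config(env: dict) -> list:
    """Return a list of problems with the stringData values; empty means apply-ready."""
    problems = []
    for key in REQUIRED:
        if not env.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    for key in ("OAUTH_AUTHORIZE_URL", "OAUTH_TOKEN_URL", "OAUTH_CALLBACK_URL"):
        if env.get(key) and not _is_https_url(env[key]):
            problems.append(f"{key} must be an absolute https URL")
    callback = env.get("OAUTH_CALLBACK_URL", "")
    if callback and urlparse(callback).path != CALLBACK_PATH:
        problems.append(f"OAUTH_CALLBACK_URL path must be {CALLBACK_PATH}")
    # The key is optional on the page; it is only checked when present.
    if env.get("OAUTH_REQUESTED_SCOPES") is not None:
        scopes = env["OAUTH_REQUESTED_SCOPES"].strip()
        if " " in scopes and "," not in scopes:
            problems.append("OAUTH_REQUESTED_SCOPES must be comma-separated, not space-separated")
    if env.get("COOKIE_ENCRYPTION_KEY"):
        reason = check_cookie_encryption_key(env["COOKIE_ENCRYPTION_KEY"])
        if reason:
            problems.append(f"COOKIE_ENCRYPTION_KEY {reason}")
    return problems


# Constructed sample configuration using the placeholder URLs from this page.
SAMPLE_CONFIG = {
    "OAUTH_CLIENT_ID": "example-client-id",
    "OAUTH_CLIENT_SECRET": "example-client-secret",
    "OAUTH_AUTHORIZE_URL": "https://abc.auth0.com/oauth/authorize",
    "OAUTH_TOKEN_URL": "https://abc.auth0.com/oauth/token",
    "OAUTH_CALLBACK_URL": "https://data.loader.dev/v1/login/callback",
    "COOKIE_ENCRYPTION_KEY": generate_cookie_encryption_key(),
    "OAUTH_REQUESTED_SCOPES": "openid,profile",
}

if __name__ == "__main__":
    for problem in validate_auth_config(SAMPLE_CONFIG) or ["configuration looks apply-ready"]:
        print(problem)
```

Run the validator against the values you are about to put in auth-credentials.yaml; the generated key is 88 base64 characters on one line, which is what the Secret expects.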

note

The OAuth 2.0 Authorization Code flow with PKCE does not work with the Foxglove Desktop app; it only works when running Foxglove from the browser.