Add token restriction example and background image

alexellis · alexellis · commit e21b57b17cd4 · 2024-05-17T17:07:15.000+01:00
Signed-off-by: Alex Ellis (OpenFaaS Ltd) &lt;alexellis2@gmail.com&gt;
diff --git a/_posts/2024-05-16-function-authentication.md b/_posts/2024-05-16-function-authentication.md
@@ -1,24 +1,26 @@
 ---
-title: Introducing built-in Function Authentication for OpenFaaS
+title: Introducing built-in authentication for OpenFaaS Functions
 description: 
-date: 2024-05-14
+date: 2024-05-16
 categories:
 - kubernetes
 - faas
 - functions
 - authentication
 - authorization
 dark_background: true
-# image: "/images/2024-05-01-chargeback/background.png"
+image: "/images/2024-05-function-auth/background.png"
 author_staff_member: alex
 hide_header_image: true
 ---
 
 A long standing request from OpenFaaS users has been to add built-in authentication for functions. This would allow you to secure your function endpoints without having to write any additional code.
 
-In this blog post we'll show you how to use an updated version of IAM for OpenFaaS to create a Policy that restricts access to a function only to authorized users with JSON Web Token (JWT) authentication.
+Once a function deployed via the OpenFaaS gateway, it will become available on the gateway via the path: `/function/NAME` and `/async-function/NAME`. This means that anyone with access to the gateway can invoke the function, and the function's handler is responsible for any authentication or authorization.
 
-You'll need to have OpenFaaS for Enterprises pre-installed and configured to integrate with your existing Identify Provider (IdP) such as Okta, Keycloak, or Google.
+In this blog post we'll show you how to use a pre-release version of [IAM for OpenFaaS](https://docs.openfaas.com/openfaas-pro/iam/overview/) to create a Policy that restricts access to a function only to authorized users with JSON Web Token (JWT) authentication.
+
+You'll need to have [OpenFaaS for Enterprises](https://docs.openfaas.com/openfaas-pro/introduction/) pre-installed and configured to integrate with your existing Identify Provider (IdP) such as Okta, Keycloak, or Google.
 
 We will perform the initial one-time setup process:
 
@@ -207,6 +209,65 @@ The resulting token will look like this:
 
 Save the text from the "access_token" field as function-token.txt.
 
+It will look something like this:
+
+```json
+{
+  "iss": "https://openfaas.example.com",
+  "sub": "fed:a9e0e67a-5758-4373-a4ba-23957fa66e6b",
+  "aud": [
+    "https://openfaas.example.com"
+  ],
+  "exp": 1715892121,
+  "iat": 1715848921,
+  "function": {
+    "permissions": [
+      "openfaas-fn:*",
+      "dev:env"
+    ]
+  }
+}
+```
+
+As you can see, the union of permissions from the Policy are encoded into the Function Token.
+
+If you wish to restrict the token so that it can only be used to invoke a single function, or a subset of functions, you can request a specific audience when you exchange the token.
+
+```bash
+curl -S -L -X POST "${IDP_TOKEN_URL}" \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode "subject_token=${TOKEN}" \
+--data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \
+--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
+--data-urlencode 'scope=function' \
+--data-urlencode 'audience=openfaas-fn:env' \
+--data-urlencode 'audience=openfaas-fn:figlet'
+```
+
+Here's how the token looks, with the audience also specified.
+
+```json
+{
+  "iss": "https://openfaas.example.com",
+  "sub": "fed:a9e0e67a-5758-4373-a4ba-23957fa66e6b",
+  "aud": [
+    "https://openfaas.example.com"
+  ],
+  "exp": 1715892177,
+  "iat": 1715848977,
+  "function": {
+    "permissions": [
+      "openfaas-fn:*",
+      "dev:env"
+    ],
+    "audience": [
+      "openfaas-fn:env",
+      "openfaas-fn:figlet"
+    ]
+  }
+}
+```
+
 ## Invoke the function with the Function Token
 
 You now have a token that can be used to invoke a function. You can use it with curl or any HTTP client.
@@ -232,6 +293,10 @@ If you already have IAM for OpenFaaS installed and configured for Single-Sign On
 
 ### Q&A
 
+Q: Are Function Tokens production-ready? When will I be able to use them in production?
+
+A: Function Tokens, once released will be suitable for use in production. They are an extension of the already released IAM for OpenFaaS features and use the same underlying technology for the new type of Function Token. The work is currently pre-release and available for testing, once it's released you will have access to it via the Helm chart.
+
 Q: I use another version of OpenFaaS i.e. faasd, what can I do to authenticate functions?
 
 A: OpenFaaS functions serve HTTP, therefore [you can use any standard authentication mechanism](https://docs.openfaas.com/reference/authentication/) such as Basic Auth, HMAC, API tokens, or OAuth2. We do not recommend using an API gateway or reverse proxy to implement authentication, as functions can be invoked directly at the Pod level, or via the OpenFaaS gateway's internal address, bypassing the proxy.
diff --git a/_sass/openfaas/includes/blog-page/highlighter.scss b/_sass/openfaas/includes/blog-page/highlighter.scss
@@ -11,7 +11,7 @@
 	background-color: #fbf1c7;
 	.w {
 		color: #282828;
-		background-color: #fbf1c7;
+		// background-color: #fbf1c7;
 	}
 	.err {
 		color: #9d0006;
diff --git a/images/2024-05-function-auth/background.png b/images/2024-05-function-auth/background.png

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`background-color: #fbf1c7;`
`12`	`12`	`.w {`
`13`	`13`	`color: #282828;`
`14`		`- background-color: #fbf1c7;`
	`14`	`+ // background-color: #fbf1c7;`
`15`	`15`	`}`
`16`	`16`	`.err {`
`17`	`17`	`color: #9d0006;`