Skip to content

SeaCat Auth in ASAB Maestro

SeaCat Auth is an open-source access control technology developed in TeskaLabs. Integration to ASAB Maestro ensures automatic introspection for all api locations on the https server.

"Mongo content" sherpa of SeaCat Auth service creates records in the auth database of Mongo. It helps to integrate authorization of 3rd party services.

Other services can add extra configuration of SeaCat Auth instances if needed.

Descriptor section seacat-auth

Every descriptor can use seacat-auth section to add configuration section to the SeaCat Auth service and equired data to auth Mongo database.

        url: "http://{{NODE_ID}}:9200"
        username: elastic
        password: "{{ELASTIC_PASSWORD}}"
    - "cl.json": |
            "_id": "kibana",
            "application_type": "web",
            "authorize_anonymous_users": false,
            "client_name": "Kibana",
            "code_challenge_method": "none",
            "grant_types": [
            "redirect_uri_validation_method": "prefix_match",
            "redirect_uris": [
            "response_types": [
            "token_endpoint_auth_method": "none",
            "cookie_entry_uri": "{{PUBLIC_URL}}/api/cookie-entry",
            "client_uri": "{{PUBLIC_URL}}/kibana"

Section seacath-auth:config

Add configuration to all SeaCat Auth instances in YAML format.

Section seacat-auth:content

Similarly as in the files section of the descriptor, this is a list of records.

Each record is either a name of a file inside /Site/Files/<service_id>/ directory or a key:value record with key being the file name and value the file itself written as string.

The name of the file must correspond with target Mongo collection name.

Interaction with NGINX configuration

Presence of SeaCat Auth in the cluster adds introspection to NGINX configuration. Introspection endpoint is added and all NGINX locations originated from the nginx:api adopt this introspection. With SeaCat Auth in the cluster, only authorized requests can pass to the back-end services.

For internal communication among the services use internal HTTP nginx server

In example, asab-governator location that requires introspection endpoint (handled by the SeaCat Auth)


location /api/asab-governator {
    auth_request /_oauth2_introspect;
    auth_request_set $authorization $upstream_http_authorization;
    proxy_set_header Authorization $authorization;

    rewrite ^/api/asab-governator/(.*) /$1 break;
    proxy_pass http://upstream-asab-governator-8892;

location = /_oauth2_introspect {
    proxy_method POST;
    proxy_set_body "$http_authorization";
    proxy_pass http://upstream-seacat-auth-private/nginx/introspect/openidconnect;
    proxy_set_header X-Request-URI "$scheme://$host$request_uri";
    proxy_ignore_headers Cache-Control Expires Set-Cookie;
    proxy_cache oauth2_introspect;
    proxy_cache_key "$http_authorization $http_sec_websocket_protocol";
    proxy_cache_lock on;
    proxy_cache_valid 200 30s;