OAuth2 OpenId Connect Documentation #201

Merged
merged 8 commits into from
Dec 12, 2022
add doc for oidc bearer tokens
david-blasby committed Jul 20, 2022
commit 781709685df502b92e95f1460feb823320cf3f03
Expand Up @@ -742,6 +742,58 @@ NOTE: The roles are in the "roles" part of the ID Token.

NOTE: You don't typically have to do any role conversion since the role name will be used in the ID Token.

OIDC Bearer Tokens
==================

Bearer Tokens are also supported - you can attach the JWT Bearer token to any request by setting the HTTP header like this;

.. code-block:: properties

Authorization: Bearer: <JWT token>

Bearer Tokens are mostly used for automated (desktop or application) API calls - real users should just login normally using OIDC.

#. Setup your OIDC configuration (see above)
#. Setup the OIDC Bearer token configuration (see below)
#. Obtain a Bearer token from the OIDC server. This is the hard part and there are several ways to do this. One way that is used is via the OAuth 2.0 Device Authorization Grant ("Device Flow") workflow.
#. Attach it to your request headers (see above)
#. Make protected requests to the Geonetwork API

This has been tested with Keycloak and with Azure AD. It should work with other JWT-based OIDC services.

Validation
``````````

The token is validated in three major ways;

#. The bearer token will be used to access the `userinfo` ("token validation") endpoint specified in the OIDC configuration. This means the IDP validates the token (at the very least its signature and expiry).
#. The bearer token (JWT) will be checked that the audience for it is the same as our configurated OIDC configuration. This will ensure that someone isn't getting a token from a different service and attempting to use it here. See `AudienceAccessTokenValidator.java`
#. The bearer token (JWT) will be checked that the subject of the JWT and the `userinfo` (returned from the IDP) are the same. This shouldnt be a problem in our use-case, but the OAUTH2 specification recommends this check. See `SubjectAccessTokenValidator.java`


Configuration
`````````````

Configure OIDC as above - ensure this is working.

Instead of using `GEONETWORK_SECURITY_TYPE=openidconnect`, use `GEONETWORK_SECURITY_TYPE=openidconnectbearer`.

Inside `config-security-openidconnectbearer.xml`;

#. If you are using keycloak (configured with Groups in the `userinfo` response), then uncomment the `UserInfoAccessTokenRolesResolver` bean and comment out the `MSGraphUserRolesResolver` bean.
#. If you are using Azure AD (MS Graph API for the user's groups), then then uncomment the `MSGraphUserRolesResolver` bean and comment out the `UserInfoAccessTokenRolesResolver` bean.

The easiest way to test is to obtain a Bearer Token, and then use a browser plugin to add the `Authorization: Bearer <token>` header to all requests. When you visit the Geonetwork website, you should see yourself logged in with the appropriate permissions.

Other Providers
```````````````

This has been tested with Azure AD (groups in the MS Graph API) and KeyCloak (groups in the `userinfo`).

For other IDP, you might have to make some modifications.

#. Make sure the `AudienceAccessTokenValidator` and `SubjectAccessTokenValidator` work correctly for your JWT bearer tokens.
#. Make sure that the user's groups are available - see the `UserRolesResolver` interface and its two implementations - `UserInfoAccessTokenRolesResolver` and `MSGraphUserRolesResolver`.


.. _authentication-keycloak:
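Review bot: the header example in the `.. code-block:: properties` block under "OIDC Bearer Tokens" reads `Authorization: Bearer: <JWT token>`, with a stray colon after `Bearer`; the HTTP Authorization header for this scheme is `Authorization: Bearer <JWT token>`, which is also the form the Configuration section itself uses later (`Authorization: Bearer <token>`). A client that copies the example as written sends a value that does not match the `Bearer <token>` scheme the rest of the section describes, so the two examples should agree. `http` would also be a more fitting code-block language than `properties` for a raw header line. Minor wording fixes in the same hunk: "configurated" (Validation, item 2) should be "configured", "shouldnt" (item 3) should be "shouldn't", "then then" (Configuration, item 2) has a doubled word, and "For other IDP" should be "For other IDPs".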