Page History
Introduction
- The JS7 - Identity Services offer local management of user accounts for authentication and authorization.
Identity Service Type
The following integration level is available from Identity Service Types that can be used with JOC:
Identity Service | Identity Service Configuration Items | ||||
---|---|---|---|---|---|
Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with |
OIDC | yes | Identity Provider | Identity Provider | JS7 Database | JOC Cockpit |
Explanation:
- Service Type:
OIDC
- Management of user accounts with passwords is performed by the OIDC Identity Provider
- The assignment of roles to user accounts is performed by the JOC Cockpit.
- The JOC Cockpit stores user accounts and role assignments:
- in the JS7 - Database and
Identity Service Configuration
The JOC Cockpit provides the Manage Identity Services page for the configuration of Identity Services. This page is accessed from the user menu of an administrative account::
Identity Service Settings
The settings for the OIDC Identity Service are managed in the "Manage Settings View".
Name | Value | Description | Example |
OIDC Name | A Name for the OIDC Identity Provider | This is the name for the Identity Service. It will be used by JOC Cockpit to show the caption of the assigned login button. | Google, Keycloak |
OIDC Authentication Url | The url to connect to the OIDC Identity Provider | This url will be called during the login to get the access token from the OIDC Identity Provider. It will also be used for the /.well-known/openid-configuration url and as the issuer during the token verification. | https://keycloak:8283/auth/realms/JOC |
OIDC Client ID | The client id configured in the OIDC Identiy Provider | The client id is used for several calls to to the OIDC Identity Provider | joc-cockpit 63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com |
OIDC Client Secret | The client secret configured in the OIDC Identiy Provider | The client secret is used for several calls to to the OIDC Identity Provider | iAMNDlDLorpa7pdbGORDe6vylztVhTiq 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 |
OIDC Session Renewal Url | This url is used for the renewal of the acces token. | If empty the "token-endpoint" value from the "/.well-known/openid-configuration" call is used. The renewal url will be call with
The new access token is expected in the field "access_token" | https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token |
OIDC Token Verification Url | This url is used to verify the token | If empty the "introspection_endpoint" value from the "/.well-known/openid-configuration" call is used. The token verification url will be called with
The response must contain the field "active" The value for this field is expected to be "true" | https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token/introspect |
Token Verification
The login call provides these access tokens to the application
- Access-Token: Ensures a correct authentification
- ID-Token: A JWT Token with Header.Payload.Signature is expected
- Refresh-Token: To renewal a access-token
Checking Account
The userinfo endpoint is called with
- client_id
- client_secret
The response must contain the field "email". The value of "email" must be the same as in the payload of the id-token
Checking Token
The token verification url will be called with
- client_id
- client_secret
- token
- The response must contain the field "active" The value for this field is expected to be "true"
- The token is not expired
- Checken whether the client-id (aud) stored in the id-token is the same as in the configuration of the Identity-Service
- Checken whether the issuer (iss) stored in the id-token is the same as the OIDC Authentication Url in the configuration of the Identity-Service
- Checken whether the account (email) stored in the id-token is the same as in the field "email" in the answer of the userinfo-endpoint.
- Checking whether the signature is valid with the given public key. The public key will be read from certs-endpoint. The response of the certs endpoint contains different keys. The public key is found in the field "n" in the element where "kid" is equals to the value of the field "kid" in the header of the id-token. (Not implemented now).
Adding a client to the OIDC Identity Provider
It is necessary to configure a client in the OIDC Identity Provider that can be used for login. The client provides a client-id and a client-secret.
Keycloack
Oracle
Exceptions from other Identity Services
If the login will be done with an Identity Service with
- the type OIDC the list of requird Identity Services will not be considered.
- the login will only be tried with this Identity Service. Other Identity Services will not be considered as no username/password is available.
- OIDC Identity Services can not set to "required".
Logging
- Log Files
- Standard Log Files
- Identity Services log output to the
JETTY_BASE/logs/joc.log
file. This includes reporting success or failure of authentication. - Successful and failed authentication attempts including user accounts involved are logged to the
JETTY_BASE/logs/audit.log
file.
- Identity Services log output to the
- Debug Log Files
- For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
- The
JETTY_BASE/logs/joc-debug.log
file includes general debug output of JOC Cockpit. - The
JETTY_BASE/logs/authentication-debug.log
file includes debug output related to authentication and authorization. - The
JETTY_BASE/logs/jetty.log
file includes debug output of attempts to establish SSL connections.