...

The OIDC Identity Service Type provides the following integration level with JOC Cockpit:

Identity Service                     | Identity Service Configuration Items
Service Type | Built-in              | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles -> User Accounts Mapping managed with
OIDC         | yes                   | Identity Provider                   | Identity Provider                  | JS7 Database                  | JOC Cockpit


Explanation:

  • Service Type: OIDC
    • Management of user accounts with passwords is performed by the OIDC Identity Provider
    • The assignment of roles to user accounts is performed by the JOC Cockpit.
    • The JOC Cockpit stores user accounts and role assignments:

...

The settings for the OIDC Identity Service are managed in the "Manage Settings View".

Name: OIDC Name
Value: A name for the OIDC Identity Provider
Description: This is the name of the Identity Service. JOC Cockpit uses it as the caption of the login button assigned to this Identity Service.
Example: Google, Keycloak

Name: OIDC Authentication Url
Value: The URL used to connect to the OIDC Identity Provider
Description: This URL is called during login to get the access token from the OIDC Identity Provider. It is also used as the base of the /.well-known/openid-configuration URL and as the issuer during token verification. It must therefore match the issuer value the Identity Provider writes into its tokens exactly, including scheme, port and path.
Example: https://keycloak:8283/auth/realms/JOC

Name: OIDC Client ID
Value: The client ID configured in the OIDC Identity Provider
Description: The client ID is used for several calls to the OIDC Identity Provider.
Example: joc-cockpit
         63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com

Name: OIDC Client Secret
Value: The client secret configured in the OIDC Identity Provider
Description: The client secret is used for several calls to the OIDC Identity Provider. Treat it as a credential: it authenticates JOC Cockpit to the Identity Provider for the renewal and verification calls below.
Example: iAMNDlDLorpa7pdbGORDe6vylztVhTiq
         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

Name: OIDC Session Renewal Url
Value: The URL used for the renewal of the access token
Description: If empty, the "token_endpoint" value from the "/.well-known/openid-configuration" call is used. The renewal URL is called with

  • client_id
  • grant_type
  • client_secret
  • refresh_token

The new access token is expected in the field "access_token".
Example: https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token

Name: OIDC Token Verification Url
Value: The URL used to verify the token
Description: If empty, the "introspection_endpoint" value from the "/.well-known/openid-configuration" call is used. The token verification URL is called with

  • client_id
  • client_secret
  • token

The response must contain the field "active", and its value must be exactly "true".
Example: https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token/introspect




Token Verification

The login call provides these tokens to the application:

  • Access Token: proves that authentication succeeded
  • ID Token: a JWT token of the form Header.Payload.Signature is expected
  • Refresh Token: used to renew an access token

Checking

...

The userinfo endpoint is called with

  • client_id
  • client_secret

The response must contain the field "email". The value of "email" must be the same as the "email" value in the payload of the ID token.

Checking Token 

The token verification URL is called with

...
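The following is an added, offline model of the token handling described in the settings table and in the Token Verification section above; it is not JS7 or JOC Cockpit code. It assumes setting names that mirror the table (authentication_url, client_id, client_secret, session_renewal_url, token_verification_url), a discovery document and Identity Provider responses supplied as constructed dicts so that nothing is sent over the network, and that the userinfo endpoint is taken from the discovery document (the page does not say where JOC Cockpit obtains it). It shows the fallback to the discovery document when the optional URLs are empty, the form parameters of the renewal and introspection calls, and the three checks the page names: "active" must be exactly true, the userinfo email must equal the ID token's email, and the Authentication Url doubles as the expected issuer.

```python
"""Offline model of the OIDC token handling described on this page (added example)."""
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(payload: dict) -> str:
    """Constructed test token: JWT-shaped, with a dummy (unverifiable) signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"dummy-signature")])


def id_token_payload(id_token: str) -> dict:
    """The page expects Header.Payload.Signature; anything else is rejected."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must be Header.Payload.Signature")
    return json.loads(b64url_decode(parts[1]))


def discovery_url(settings: dict) -> str:
    """The Authentication Url is the base of the discovery document URL."""
    return settings["authentication_url"].rstrip("/") + "/.well-known/openid-configuration"


def resolve_endpoints(settings: dict, discovery: dict) -> dict:
    """Empty renewal/verification URLs fall back to the discovery document."""
    return {
        "renewal": settings.get("session_renewal_url") or discovery["token_endpoint"],
        "verification": settings.get("token_verification_url") or discovery["introspection_endpoint"],
        "userinfo": discovery["userinfo_endpoint"],  # assumption: taken from discovery
    }


def renewal_form(settings: dict, refresh_token: str) -> dict:
    """Form parameters of the session renewal call listed on the page."""
    return {"client_id": settings["client_id"], "grant_type": "refresh_token",
            "client_secret": settings["client_secret"], "refresh_token": refresh_token}


def introspection_form(settings: dict, token: str) -> dict:
    """Form parameters of the token verification (introspection) call."""
    return {"client_id": settings["client_id"],
            "client_secret": settings["client_secret"], "token": token}


def new_access_token(renewal_response: dict) -> str:
    token = renewal_response.get("access_token")
    if not token:
        raise ValueError("renewal response carries no access_token")
    return token


def verify_login(settings, id_token, introspection_response, userinfo_response) -> list:
    """Return the names of failed checks; an empty list means the login is accepted.
    Signature verification is not modelled here: the page relies on introspection."""
    try:
        payload = id_token_payload(id_token)
    except ValueError:
        return ["id_token_format"]
    failures = []
    if introspection_response.get("active") is not True:
        failures.append("introspection")   # "active" must be the boolean true, not "true"
    email = userinfo_response.get("email")
    if not email or email != payload.get("email"):
        failures.append("email")           # userinfo email must match the ID token payload
    if payload.get("iss") != settings["authentication_url"]:
        failures.append("issuer")          # Authentication Url doubles as the issuer
    return failures


# --- constructed sample data (placeholder secret, not a real credential) ---
SETTINGS = {
    "name": "Keycloak",
    "authentication_url": "https://keycloak:8283/auth/realms/JOC",
    "client_id": "joc-cockpit",
    "client_secret": "constructed-secret",
    "session_renewal_url": "",       # empty: use token_endpoint from discovery
    "token_verification_url": "",    # empty: use introspection_endpoint
}
DISCOVERY = {
    "issuer": "https://keycloak:8283/auth/realms/JOC",
    "token_endpoint": "https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token",
    "introspection_endpoint": "https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/userinfo",
}
GOOD_ID_TOKEN = make_id_token({"iss": DISCOVERY["issuer"], "sub": "1234",
                               "email": "alice@example.com"})

if __name__ == "__main__":
    print(resolve_endpoints(SETTINGS, DISCOVERY))
    print(verify_login(SETTINGS, GOOD_ID_TOKEN, {"active": True}, {"email": "alice@example.com"}))
    print(verify_login(SETTINGS, GOOD_ID_TOKEN, {"active": "true"}, {"email": "bob@example.com"}))
```

The second verify_login call in the usage block fails two checks at once: an introspection response that carries the string "true" instead of the boolean, and a userinfo email that differs from the ID token. Both are the kind of mismatch that shows up as a rejected login in the JOC Cockpit logs without any obvious error from the Identity Provider.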

It is necessary to configure a client in the OIDC Identity Provider that can be used for login. The client provides a client-id and a client-secret.

Keycloak

Settings

Credentials

Client Authenticator: Client ID and Secret

Secret: Generated secret value


After the client has been set up, users can be added in the Users view.

Google

...

Oracle

Exceptions from other Identity Services

...

  • For the type OIDC the list of required Identity Services is not considered.
  • The login is only attempted with this Identity Service. Other Identity Services are not considered as no username/password is available.
  • OIDC Identity Services cannot be set to "required".

Refreshing Token


Logging

  • Log Files
  • Standard Log Files
    • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
    • Successful and failed authentication attempts including user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
  • Debug Log Files
    • For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
    • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
    • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
    • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.

...