JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 3

changes.mady.by.user Uwe Risse

Saved on

compared with

New Version 4

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The JS7 - Identity Services offer local management of user accounts for authentication and authorization. 
  • The OIDC Identity Service integration is available from JOC Cockpit:
    • Any OIDC compliant Identity Provider can be used for authentication.
    • This requires an OIDC Identity Provider to be installed and operated. JS7 does not ship with an OIDC Identity Provider.
    • JS7 implements a REST client for use with OIDC Identity Providers.

Identity Service Type

The following integration level is available from the OIDC Identity Service Types that can be used with JOC:

Identity ServiceIdentity Service Configuration Items
Service TypeBuilt-inUser Accounts/Passwords
stored with		User Accounts/Passwords
managed by		Roles/Permissions
stored with		Roles->User Accounts Mapping
managed with
OIDCyesOIDC Identity ProviderOIDC Identity ProviderJS7 Database JOC Cockpit


Explanation:

  • Service Type: OIDC
    • Management of user accounts with passwords is performed by the OIDC Identity Provider
    • The assignment of roles to user accounts is performed by the JOC Cockpit.
    • The JOC Cockpit stores user accounts and role assignments:

Identity Service Configuration

The The Image Added icon in the JOC Cockpit provides main menu is used to select the Manage Identity Services page for the configuration of Identity Services. This page is accessed from the user menu of an administrative account::

Identity Service Settings

The settings for the OIDC Identity Service are managed in the "Manage Settings View".

NameValueDescriptionExample
OIDC NameA Name for The name of the OIDC Identity ProviderServiceThis is the name for of the Identity Service. It will be used by JOC Cockpit to show the caption of the assigned login button.Google, Keycloak
OIDC Authentication UrlURLThe url URL used by the Client to connect to the OIDC Identity ProviderThis url will be called during the login to get the access token URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It will also be used for is similarly used when reading settings of the OIDC Identity Provider with the /.well-known/openid-configuration url URL and is used as the issuer during the token verification.https://keycloak:8283/auth/realms/JOC
OIDC Client IDThe client id Client ID configured in the OIDC Identiy Identity ProviderThe client id is used for several calls to to the OIDC Identity Provider

joc-cockpit

63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com

OIDC Client Secret

The client secret configured in the OIDC Identiy Identity ProviderThe client secret is used for several calls to to the OIDC Identity Provider

iAMNDlDLorpa7pdbGORDe6vylztVhTiq

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

OIDC Session Renewal UrlURLThis url URL is used for the renewal of the acces access token. 

If empty the "token-endpoint" value from the "/.well-known/openid-configuration" call is used. The renewal url will be call with 

  • client_id
  • grant_type
  • client_secret
  • refresh_token

The new access token is expected in the field "access_token"

https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token
OIDC Token Verification UrlURLThis url URL is used to verify the token Access Token.

If empty the "introspection_endpoint" value from the "/.well-known/openid-configuration" call is used. The token verification url will be called with 

  • client_id
  • client_secret
  • token

The response must contain the field "active" The value for this field is expected to be "true"

https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token/introspect




Token Verification

The login call provides these access returns the following tokens to the applicationClient:

  • Access - Token: Ensures a correct authentificationA token returned after successful authentication by the Client.
  • ID - Token: A JWT Token with Header.Payload.Signature is expected.
  • Refresh - Token: To renewal a access-tokenA token used to renew the Access Token.

Checking Token 

The token verification url URL will be called with 

  • Client ID
  • Client Secret
  • Access Token
  • client_id
  • client_secret
  • token


  • The response must contain the field "active" The value for this field is expected to be "true".
  • The access token is not expired.
  • Checken Check whether the client-id Client  ID (aud) stored in the id-token is the same as in the configuration of the Identity-Service
  • Checken Check whether the issuer (iss) stored in the id-token is the same as the OIDC Authentication Url in the configuration of the Identity-Service
  • Checken Check whether the account (email) stored in the id-token is the same as in the field "email" in the answer of the userinfo-endpoint.
  • Checking whether the signature is valid with the given public key. The public key will be read from certs-endpoint. The response of the certs endpoint contains different keys. The public key is found in the field "n" in the element where "kid" is equals to the value of the field "kid" in the header of the id-token. (Not implemented now).

Adding a

...

Client to the OIDC Identity Provider

It is necessary required to configure a client Client in the OIDC Identity Provider that can be used is specified for login. The client provides a client-id and a client-secret.

...

Client specifies a Client ID and a Client Secret.

Keycloak Identity Provider

Settings

  • Open Clients View
  • Create a new client with the button Create
  • The following values are approved
  • Enabled: on
  • Standard Flow Enable: On
  • Valid Redirect Url: JOC Cockpit url e.g. URL, for example http://localhost:4426/joc
  • Web Origin: http://localhost:4426

Credentials

Client Authenticator: Cliend Client ID and Client Secret

Secret: Generated secret value


After setting the client Client users can be added in the Users view.

...

  • the type OIDC the list of requird required Identity Services will not be considered.
  • the login will only be tried with this Identity Service. Other Identity Services will not be considered as no username/password is available.
  • OIDC Identity Services can not set to "required".

...

Token Renewal

Status
colourYellow
titleTBD

Logging

  • Log Files
  • Standard Log Files
    • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
    • Successful and failed authentication attempts including user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
  • Debug Log Files
    • For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
    • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
    • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
    • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.

...