  • The JS7 - Identity Services offer local management of user accounts for authentication and authorization.
  • The OIDC Identity Service integration is available from JOC Cockpit:
    • Any OIDC compliant Identity Provider can be used for authentication.
    • This requires an OIDC Identity Provider to be installed and operated. JS7 does not ship with an OIDC Identity Provider.
    • JS7 implements a REST client for use with OIDC Identity Providers.

Terminology

OIDC knows of the following roles involved in authentication:

  • The Identity Provider is a system external to JS7 that provides authentication services for user accounts.
  • The Client is the JOC Cockpit GUI that performs login/logout with the Identity Provider and that receives tokens from the Identity Provider in case of successful login.
  • The Application is the JS7 - REST Web Service API that is handed over tokens by the Client and that verifies tokens with the Identity Provider.

Identity Service Type

The following integration level is available from the OIDC Identity Service Type:

The first two columns describe the Identity Service; the remaining columns are the Identity Service Configuration Items.

Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with
OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit

...

  • Service Type: OIDC
    • Management of user accounts with passwords is performed by the OIDC Identity Provider.
    • The assignment of roles to user accounts is performed by the JOC Cockpit Client.
    • The JOC Cockpit stores user accounts and role assignments in the JS7 - Database.
    • The JOC Cockpit does not know passwords of user accounts.

Identity Service Configuration

The icon in the JOC Cockpit main menu is used to select the Manage Identity Services page:

Identity Service Settings

Add Identity Service

To add an Identity Service use the button Add Identity Service from the page shown above, listing the available Identity Services:


The remaining input fields for the popup window look like this:


Explanation:

  • The Identity Service Name is a unique identifier that can be freely chosen.
  • The Identity Service Type can be selected as available from the above matrix.
  • The Ordering specifies the sequence in which a login is performed with available Identity Services.
  • The Disabled attribute specifies if the respective Identity Service should not be considered by JOC Cockpit.
  • The Identity Service Authentication Scheme allows selecting
    • single-factor authentication: user account and password are specified for login with the Identity Service.
    • two-factor authentication: in addition to user account and password a Client Authentication Certificate is required - see the JS7 - Certificate based Authentication article for more information.

Identity Service Settings

Having added an OIDC Identity Service it is necessary to add settings for the OIDC integration from the Identity Service's Manage Settings action menu item:


For use with the OIDC Identity Service Type:

  • the OIDC Identity Provider product has to be installed and has to be accessible for JOC Cockpit and
  • the following settings have to be specified:


Explanations: The settings for the OIDC Identity Service are managed in the "Manage Settings" view.

Name: OIDC Name
Value: The name of the OIDC Identity Service.
Description: This is the name of the Identity Service. It is used by JOC Cockpit as the caption of the assigned login button.
Example: Google, Keycloak

Name: OIDC Authentication URL
Value: The URL used by the Client for login with the OIDC Identity Provider.
Description: This URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It is similarly used when reading settings of the OIDC Identity Provider from the /.well-known/openid-configuration URL and is used as the issuer during token verification.
Example: https://keycloak:8283/auth/realms/JOC

Name: OIDC Client ID
Value: The Client ID is configured in the OIDC Identity Provider.
Description: The Client ID is used for a number of calls to the OIDC Identity Provider.
Example: joc-cockpit, 63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com

Name: OIDC Client Secret
Value: The Client Secret is configured in the OIDC Identity Provider.
Description: The Client Secret is used for a number of calls to the OIDC Identity Provider.
Example: iAMNDlDLorpa7pdbGORDe6vylztVhTiq, 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

Name: OIDC Session Renewal URL
Value: This URL is used for the renewal of the Access Token.
Description: If empty then the "token_endpoint" value from the response of a call to the /.well-known/openid-configuration URL is used. The URL is called with the following settings: Client ID (client_id), Grant Type (grant_type), Client Secret (client_secret), Refresh Token (refresh_token). The new Access Token is expected in the field "access_token" of the response.
Example: https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token

Name: OIDC Token Verification URL
Value: This URL is used to verify the Access Token.
Description: If empty then the "introspection_endpoint" value from the response of a call to the /.well-known/openid-configuration URL is used. The URL is called with the following settings: Client ID (client_id), Client Secret (client_secret), Access Token (token). The response must contain the field "active"; the value of the field is expected to be "true".
Example: https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token/introspect

Identity Service Processing

Login

If login is performed with an OIDC Identity Service then

  • the list of required Identity Services will not be considered by JOC Cockpit.
  • the login is tried with the given OIDC Identity Service only. Other Identity Services will not be considered.
  • OIDC Identity Services cannot be set to be "required".

Token Verification

The login call returns the following tokens to the Client:

  • Access Token: A token returned after successful authentication by the Client.
  • ID Token: A JWT Token with Header.Payload.Signature is expected.
  • Refresh Token: A token used by the Application to renew the Access Token.

Checking Token

After successful login of the Client the OIDC Token Verification URL is called by the Application with the following settings:

  • Client ID
  • Client Secret
  • Access Token

Processing of the response and verification of the token is performed by the following steps:

  • The response must contain the field "active". The value of the field is expected to be "true".
  • Checking if the Access Token is not expired.
  • Checking if the Client ID (aud) stored in the ID Token is the same as in the configuration of the Identity Service.
  • Checking if the issuer (iss) stored in the ID Token is the same as the OIDC Authentication URL in the configuration of the Identity Service.
  • Checking if the account (e-mail) stored in the ID Token is the same as the field "email" in the answer of the userinfo endpoint.
  • Checking if the signature is valid with the given public key. The public key is accessed from the certs endpoint. The response of the certs endpoint includes a number of keys. The public key is found in the field "n" of the element whose "kid" field is equal to the "kid" field in the header of the ID Token.
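The verification steps above as a Python function over constructed sample data; this is an added example, not JS7 code. The introspection response, ID Token, userinfo answer and certs-endpoint keys are all constructed, and RS256 (RSASSA-PKCS1-v1_5 with SHA-256 over the JWK's n/e) is assumed as the signature algorithm since the page does not name one.

```python
import base64, hashlib, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_jwt(token: str):
    """Split Header.Payload.Signature; return header, claims, raw signature, signing input."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), f"{h}.{p}".encode()

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RS256 (assumed): sig^e mod n must equal 00 01 FF..FF 00 || DigestInfo(SHA-256) || hash."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def verify_id_token(introspection: dict, id_token: str, userinfo: dict, settings: dict, jwks: dict, now=None) -> list:
    """Run the checks listed above; return the names of the failed ones (empty list = accepted)."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = decode_jwt(id_token)
    aud = claims.get("aud")                                  # aud may be a string or a list of strings
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)  # certs endpoint: match "kid"
    checks = [
        ("active", introspection.get("active") is True),     # introspection response: "active" must be true
        ("expired", claims.get("exp", 0) > now),             # token must not be expired
        ("aud", settings["client_id"] in (aud if isinstance(aud, list) else [aud])),
        ("iss", claims.get("iss") == settings["authentication_url"]),  # issuer = OIDC Authentication URL
        ("email", claims.get("email") == userinfo.get("email")),       # account = userinfo endpoint's "email"
        ("signature", key is not None and rs256_verify(key, signing_input, sig)),
    ]
    return [name for name, ok in checks if not ok]

def b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data (not from a real Identity Provider): valid claims, a placeholder
# modulus and an all-zero signature, so every check except the signature passes.
SETTINGS = {"client_id": "joc-cockpit", "authentication_url": "https://keycloak:8283/auth/realms/JOC"}
PLACEHOLDER_N = base64.urlsafe_b64encode(b"\xc3" + b"\x00" * 255).rstrip(b"=").decode()
SAMPLE_JWKS = {"keys": [{"kid": "key-1", "n": PLACEHOLDER_N, "e": "AQAB"},
                        {"kid": "key-2", "n": PLACEHOLDER_N, "e": "AQAB"}]}
SAMPLE_ID_TOKEN = ".".join([b64url({"alg": "RS256", "kid": "key-2"}),
                            b64url({"iss": SETTINGS["authentication_url"], "aud": "joc-cockpit",
                                    "exp": 4102444800, "email": "alice@example.com"}),
                            base64.urlsafe_b64encode(b"\x00" * 256).rstrip(b"=").decode()])
```

Calling `verify_id_token({"active": True}, SAMPLE_ID_TOKEN, {"email": "alice@example.com"}, SETTINGS, SAMPLE_JWKS)` returns `["signature"]`; a real signing key in the JWKS and a matching signature would yield an empty list.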

Token Renewal

Status: TBD

Examples for Use with Identity Providers

Adding a Client to the OIDC Identity Provider

It is required to configure a Client in the OIDC Identity Provider that is specified for login. The Client specifies the given Client ID and Client Secret during login.

Keycloak Identity Provider

Settings

  • Open the Clients view
  • Create a new Client with the button Create
  • The following values apply:
    • Enabled: on
    • Standard Flow Enabled: on
  • Valid Redirect URL: JOC Cockpit URL, for example https://joc-primary:4446/joc
  • Web Origin: for example https://joc-primary:4446/joc

Credentials

  • Client Authenticator: Client ID and Client Secret
  • Secret: Generated secret value

After setting up the Client, users can be added in Keycloak's "Users" view.

Google

...


Exceptions from other Identity Services

If login is performed with an Identity Service of type OIDC then

  • the list of required Identity Services will not be considered.
  • the login will only be tried with this Identity Service. Other Identity Services will not be considered as no username/password is available.
  • OIDC Identity Services cannot be set to "required".

...

Identity Provider

Status: TBD

...