JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Uwe Risse

Saved on

compared with

New Version 11

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To add an Identity Service use the button Add Identity Service from the page shown above, listing the available Identity Services:
Image Removed

Image Added


The remaining input fields for the popup window look like this:

...

  • Access Token: A token returned after successful authentication by the Client.
  • ID Token: A JWT Token with Header.Payload.Signature is expected.
  • Refresh Token: A token used by the Application to renew the Access Token.

...

  • Checking if the response contains the field "active". The value of the field is expected to be "true".
  • Checking if the Access Token is not expired.
  • Checking if the Client  ID (aud) stored in the ID Token is the same as in the configuration of the Identity Service.
  • Checking if the issuer (iss) stored in the ID Token is the same as the OIDC Authentication URL in the configuration of the Identity Service.
  • Checking if the account (e-mail) stored in the ID Token is the same as in the field "email" in the answer of the userinfo endpoint.
  • Checking if the signature is valid with for the given public key. The certs endpoint is the value of jwks_uri  in the response of to the /.well-known/openid-configuration call. The response of the certs endpoint includes a number of keys. The public key is calculated from thekey entryusing the value for n and e of the correspending corresponding array element where the kid value matches the kid value in the token header. 

Token Renewal

The token contains the value when it will expired. 20s before this happens, the expiration date. The token will be renewed 20s before expiration

When If the token can not cannot be renewed , then the JOC Cockpit Session session will be revokedterminated and the user is forced to login.

The token can not cannot be renewed, whenif

  • the session have has been cancelled in the Identity providerProvider
  • There is no valid session_token Session Token is returned from the Identity Provider.

Examples for Use with Identity Providers

...

It is required to configure a Client in the OIDC Identity Provider. The Client specifies the given Client ID and Client Secret during login. To achieve this, the token endpoint is called with

  • client-id: The client id Client ID that is configured in the JOC Cockpit Identity ServicyService.
  • client-secret: The client secret Client Secret that is configured in the JOC Cockpit Identity ServicyService.
  • grant-type: refresh_token
  • refresh-token: The refresh token that have has been provided in the header of the login call.

The JOC -Cockpit sessions expiration time Cockpit session idle timeout is configured in the JOC Cockpit global settings for Identity Services.

When If the session in the Identity Provider is no longer valid , then the JOC Cockpit session will end terminate at the point of time when of the next session token renewal is executed.

Keycloak Identity Provider

Settings

...