...

If login is performed with an OIDC Identity Service then

  • any additional Identity Services that are configured as "required" are not considered by JOC Cockpit. Login is attempted with the given OIDC Identity Service only; other Identity Services are not considered.
  • OIDC Identity Services cannot be set to be "required".

Token Verification

The login call returns the following tokens to the Client:

  • Access Token: A token returned by the Identity Provider after successful authentication of the Client.
  • ID Token: A JWT with the structure Header.Payload.Signature that is used by the Application to verify the Client's authentication.
  • Refresh Token: A token used by the Client to renew the Access Token.

After successful login of the Client the OIDC Token Verification URL is called by the Application with the following settings:

  • Client ID
  • Client Secret
  • ID Token

Processing of the response and verification of the token is performed in the following steps:

  • Check that the response contains the field "active" with the value "true".
  • Check that the ID Token has not expired (exp claim).
  • Check that the Client ID stored in the ID Token (aud claim) is the same as in the configuration of the Identity Service.
  • Check that the issuer stored in the ID Token (iss claim) is the same as the OIDC Authentication URL in the configuration of the Identity Service.
  • Check that the account (e-mail) stored in the ID Token is the same as the "email" field in the response of the userinfo endpoint.
  • Check that the signature is valid for the given public key. The certs endpoint is the value of jwks_uri in the response to the /.well-known/openid-configuration call. The response of the certs endpoint includes a number of keys. The public key is constructed from the values n (modulus) and e (exponent) of the key entry whose kid matches the kid in the token header.
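The verification steps above as an added example in Python (standard library only); this is not JOC Cockpit code. The introspection ("active"), userinfo and jwks_uri responses, the issuer URL, the Client ID, the e-mail address and the RSA key are constructed fixtures so the script runs offline, and the RS256 check is written out as pow(signature, e, n) against the PKCS#1 v1.5 encoding of SHA-256(header.payload) to show what "public key from n and e of the matching kid" amounts to.

```python
import base64
import hashlib
import json
import random
import time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256 (RFC 8017); DER DigestInfo prefix for SHA-256.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(msg, k)

def verify_id_token(id_token, client_id, issuer, introspection, userinfo, jwks, now=None):
    """The checks listed above; introspection, userinfo and jwks are the parsed JSON responses
    of the token verification, userinfo and jwks_uri endpoints. Returns (True, "ok") or (False, reason)."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False, "token not active"
    try:
        hdr_b64, payload_b64, sig_b64 = id_token.split(".")
        header, payload = json.loads(b64url_decode(hdr_b64)), json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    if header.get("alg") != "RS256":  # pin the algorithm; the token header must not pick "none" or HS256
        return False, "unexpected alg"
    jwk = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "no JWK for kid"
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(f"{hdr_b64}.{payload_b64}".encode(), sig, n, e):  # before trusting any claim
        return False, "bad signature"
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return False, "token expired"
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "audience mismatch"
    if payload.get("iss") != issuer:
        return False, "issuer mismatch"
    if not payload.get("email") or payload["email"] != userinfo.get("email"):
        return False, "email mismatch"
    return True, "ok"

# ---- constructed fixtures (assumed values): throw-away RSA key, signed ID Token, IdP responses ----
def _probable_prime(n, rng, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin: witness found unless x hits 1 or n-1 while squaring
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def _prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(c % p for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)) and _probable_prime(c, rng):
            return c

def make_rsa_key(bits=1024, seed=7):
    rng = random.Random(seed)  # fixed seed: test fixture only, never for real keys
    while True:
        p, q = _prime(bits // 2, rng), _prime(bits // 2, rng)
        if p != q and (p - 1) * (q - 1) % 65537:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

ISSUER, CLIENT_ID, EMAIL, NOW = "https://idp.example/realms/js7", "joc-cockpit", "user@example.com", 1_700_000_000

def make_fixture():
    n, e, d = make_rsa_key()
    header = {"alg": "RS256", "typ": "JWT", "kid": "key-1"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "42", "email": EMAIL, "iat": NOW, "exp": NOW + 300}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    token = signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))
    jwks = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "RS256", "e": b64url_encode(e.to_bytes(3, "big")),
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}]}
    return token, jwks, {"active": True, "client_id": CLIENT_ID}, {"sub": "42", "email": EMAIL}

if __name__ == "__main__":
    token, jwks, introspection, userinfo = make_fixture()
    print(verify_id_token(token, CLIENT_ID, ISSUER, introspection, userinfo, jwks, now=NOW))
```

Two points differ from the order of the list above on purpose: the signature is verified before any claim is read, because exp, aud, iss and email of an unverified token are whatever the sender wrote, and the alg is pinned to RS256 rather than taken from the token header. The hand-written RSA is there only to keep the example free of third-party packages; a real implementation should use a maintained JOSE library for the signature check and keep the claim checks as shown.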

...

The token contains its expiration date. The token is renewed by the Client 20 seconds before it expires.

If the token cannot be renewed then the JOC Cockpit session is terminated and the user is forced to log in again.

The token cannot be renewed if

  • the session has been terminated in the Identity Provider,
  • no valid Session Token is returned by the Identity Provider.

Examples for Use with Identity Providers

...

Register a Client

...

with the OIDC Identity Provider

A Client has to be registered with the OIDC Identity Provider. The Client specifies the given Client ID and Client Secret during login. To achieve this, the token endpoint is called with

...

If the session in the Identity Provider is no longer valid then the JOC Cockpit session is terminated at the next token renewal.

Keycloak Identity Provider

...