JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 19

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 20

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

NameValueDescriptionExample
OIDC NameThe name of the OIDC Identity Service.This is the name of the Identity Service. It is used by JOC Cockpit to show the caption of the assigned login button.Google, Keycloak
OIDC Authentication URLThe URL used by the Client to login to the OIDC Identity Provider.This URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It is similarly used when reading settings of the OIDC Identity Provider with the /.well-known/openid-configuration URL and is used as the issuer during token verification.https://keycloak:8283/auth/realms/JOC
OIDC Client IDThe Client ID is configured in the OIDC Identity Provider.The Client ID is used for a number of calls to to the OIDC Identity Provider.

joc-cockpit

63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com

OIDC Client Secret

The Client Secret is configured in the OIDC Identity Provider.The Client Secret is used for a number of calls to the OIDC Identity Provider.

iAMNDlDLorpa7pdbGORDe6vylztVhTiq

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

OIDC ImageAn image can be uploaded that is displayed with the login page.

Optionally an image can be uploaded. .


OIDC Truststore PathThe Path to a truststore.

Should the OIDC Identity Provider be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.

    • The truststore can include a self-signed certificate or a CA signed certificate. Typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
    • If the OIDC Identity Provider is operated for HTTPS connections and this setting is not specified then the JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
    • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.
oidc-truststore.p12
OIDC Truststore PasswordTruststore passwordIf the OIDC Identity Provider is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.secret
OIDC Truststore TypeTruststore type

If the OIDC Identity Provider is configured for HTTPS connections then the type of the truststore has to be specified being either PKCS12 or JKS (deprecated).

PKCS12

OIDC Login

With OIDC Identity Services being configured they are displayed in JOC Cockpit's login screen like this: 

Image Added


Explanation:

  • OIDC Identity Services are displayed in alphabetical order.
  • If a users clicks the Identity Service in the login screen then the Identity Provider will show a popup window that asks for credentials or the user will be immediately authenticated in case of single sign-on.

OIDC Flows

Register Client

It is required to register a Client with the Identity Provider. The Client specifies the given Client ID and Client Secret during authentication. To achieve this, the token endpoint is called with

...