Configuring OIDC Provider for solutions

Keycloak can be replaced by any OIDC compliant Identity Provider

Introduction

For authentication within solutions any arbitrary OIDC compliant Identity Provider can be configured and used. Please note that this only affects authentication within solutions, e.g. the verification of the sent JWT, and does not affect the design or hub environment at all. If keycloak is used as an Identity Provider all configuration can be setup automatically by enabling the autoconfiguration flag of the k5-project resource.

Gathering data and prerequisites of the Identity Provider

The following conditions must be met by your Identity Provider:

  • Supported Authentication Flows / Grant Types

    • Authorization Code (login to dashboard)
    • Implicit (login via swagger-ui)
    • Client Credentials (service execution by agents triggered by an event)
    • Password (testing solutions in the pipeline)
  • The Identity Provider must be conformant to the OIDC protocol.
  • The Identity Provider must provide its OIDC configuration via metadata at a URL, that is constructed by <ISSUER>.well-known/openid-configuration, whereby <ISSUER> is referring to the issuer, that is used in the resulting token.
  • The issuer of the token must be the same regardless of the flow that was used to authenticate.
    Note: To achieve this in an azure app registration, you have to update the manifest and set the property accessTokenAcceptedVersion to 2.
  • All Authentication Flows except Authorization Code must issue an id_token.

Minimum required data

  • client_id: the id of an oauth-client
  • client_secret: a secret value, which is bound to the referenced oauth-client
  • issuer: The issuer which has issued the JWT
  • jwk uri: The url of the Json Web Key Set
  • user authorization uri: The url of the OAuth authorization endpoint
  • token uri: The url of the OAuth token endpoint

Optional data - highly dependent on the Identity Provider

  • audience: the audience that needs to be included within calls of the Client Credentials Flow
  • scope: the scope that needs to be included within calls of the Client Credentials Flow
  • name of the username attribute within the token - default preferred_username
  • name of the name attribute within the token - default name

Known Restrictions

  • A proper logout in the dashboard can only be performed, if the OIDC configuration metadata document provides a property named end_session_endpoint.
  • Authentication calls are only sending scope=openid for the Implicit and Password Flow. In case of Authorization Code Flow all supported scopes will be sent.
  • Currently there is support only for one Identity Provider per k5-project, that is managed by the k5-project-operator.

Configuration Settings

Note: Please do not forget to update the truststore to contain the complete certificate chain for a proper communication with the Identity Provider

Create secrets manually

This step has to be repeated for every k5-project. Please ensure that your k5-project resource does not have the autoconfiguration flag for iam enabled. If you do not want to configure the secrets manually, there is also the option to administer those secrets within the Configuration Management. Please note that those secrets are built out only during the creation of a k5-project from the default configuration values.

Create the following secrets within the namespace of the k5-project and provide the necessary information for each:

Secret Name Usage Supported Authentication Flows
dashboard-oauth-client-secret used to provide the login information for the dashboard; also used in the swagger-ui. Authorization Code, Implicit
debugserver-oauth-client-secret used for debugging within the CLI Password
event-manager-oauth-client-secret used for service execution of agents, that were triggered by events Client Credentials
solution-test-oauth-client-secret used for executing tests within the pipeline Password

The secret should always contain the following properties

Key Description Example
issuer The issuer of the token https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/v2.0
client.id The client id to use 8325d28e-840e-4420-928c-33382d4b92a9
client.secret The client secret aaf83822-6beb-4ea7-ab78-6af08e81ca8d
token.endpoint The token url of the identity provider that is used to get tokens https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/oauth2/v2.0/token
baseurl The base url of the identity provider (only needed for legacy reasons; should be similar to the issuer) https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/
realm The realm that is used for authentication (only needed for legacy reasons) mySecurityRealm

Example call for create a secret

This sample call will create a secret named dashboard-oauth-client-secret and specifies all required values.

oc create secret generic dashboard-oauth-client-secret \
--from-literal=issuer='https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/v2.0'  \
--from-literal=client.id='8325d28e-840e-4420-928c-33382d4b92a9'  \
--from-literal=client.secret='aaf83822-6beb-4ea7-ab78-6af08e81ca8d'  \
--from-literal=token.endpoint='https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/oauth2/v2.0/token' \
--from-literal=baseurl='https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/'  \
--from-literal=realm='mySecurityRealm'

Configuration Settings for the Identity Provider

List of redirect-URIs

The application (dashboard and swagger-ui) will send the following redirect URIs. Please ensure that your Identity Provider does explicitly accept these.

  • <HOSTNAME>/login/oauth2/code/dashboard
  • <HOSTNAME>/swagger-ui/oauth2-redirect.html

Special configuration possibilities

For the Client Credentials Flow working properly, different Identity Providers, need different properties to set. In order to give full flexibility, there are some configuration properties that can be set additionally. They can be specified via a solution configuration within the Configuration Management (see Solution default configuration).

In order to specify the needed values, you can put the values inside the configmap property

configmap
  extraConfiguration: |
    # Optional additional configuration
    de.knowis.cp.ds.action.helper.overwriteParameter.scope: "api://8325d28e-840e-4420-928c-33382d4b92a9/.default"
    de.knowis.cp.ds.action.helper.overwriteParameter.audience:

You can specify any arbitrary key value pairs, that are sent to the Identity Provider by just using the pattern de.knowis.cp.ds.action.helper.overwriteParameter.KEY: VALUE. Declaring a key with no value, will actually result in an empty form parameter with this specific key.

Attribute names for name and username

Since the tokens may look very different, there is the possiblity to configure the attribute names under which the token sends the desired information. Despite the default attributes like sub, issuer, exp, there needs to be information present about name and username of the user. The names of these attributes can be configured, if the default (name, preferred_username) is not sufficient.

The settings can be applied via configuration of the k5-project resource in the section of dashboard.

spec:
  configuration:
    dashboard:
      configmap:
        extra:
          de.knowis.cp.dashboard.security.claim.username: nickname
          de.knowis.cp.dashboard.security.claim.name: fullname

Reference calls

This section aim to outline the actual calls that are sent to the Identity Provider.

Password

curl -i -X POST \
   -H "Content-Type:application/x-www-form-urlencoded" \
   -d "grant_type=password" \
   -d "client_id=8325d28e-840e-4420-928c-33382d4b92a9" \
   -d "scope=openid" \
   -d "username=User@mydomain.com" \
   -d "password=passw0rd" \
   -d "client_secret=aaf83822-6beb-4ea7-ab78-6af08e81ca8d" \
 'https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/oauth2/v2.0/token'

Client Credentials

curl -i -X POST \
   -H "Content-Type:application/x-www-form-urlencoded" \
   -d "grant_type=client_credentials" \
   -d "client_id=8325d28e-840e-4420-928c-33382d4b92a9" \
   -d "client_secret=aaf83822-6beb-4ea7-ab78-6af08e81ca8d" \
 'https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/oauth2/v2.0/token'

Please note that the overrideParameter as described above will be appended to this call as specified with -d key=value

Calls for Authorization Code or Implicit cannot be done on the command line, since they are only working with enabled redirects in the browser.