Configuring OIDC provider for solutions

For authentication within solutions any arbitrary OIDC compliant Identity Provider can be configured and used. Please note that this only affects authentication within solutions, e.g. the verification of the sent JWT, and does not affect the Solution Designer or Solution Hub environment at all. If Keycloak is used as an identity provider all configuration can be setup automatically by enabling the autoconfiguration flag of the k5-project resource.

The following conditions must be met by your Identity Provider:

• Supported authentication flows / grant types:

  • Authorization Code (login to dashboard)

  • Implicit (login via swagger-ui)

  • Client Credentials (service execution by agents triggered by an event)

  • Password (testing solutions in the pipeline)

• The Identity Provider must be conformant to the OIDC protocol

• The Identity Provider must provide its OIDC configuration via metadata at a URL, that is constructed by <ISSUER>.well-known/openid-configuration, whereby <ISSUER> is referring to the issuer, that is used in the resulting token

• The issuer of the token must be the same regardless of the flow that was used to authenticate

  Note: To achieve this in an Azure app registration, you have to update the manifest and set the property accessTokenAcceptedVersion to 2.

• All authentication flows except Authorization Code must issue an id_token

Minimum required data:

• client_id: the ID of an oauth-client

• client_secret: a secret value, which is bound to the referenced oauth-client

• issuer: The issuer which has issued the JWT

• jwk uri: The URL of the Json Web Key Set

• user authorization uri: The URL of the OAuth authorization endpoint

• token uri: The URL of the OAuth token endpoint

Optional data - highly dependent on the Identity Provider:

• audience: the audience that needs to be included within calls of the Client Credentials Flow

• scope: the scope that needs to be included within calls of the Client Credentials Flow

• name of the username attribute within the token - default preferred_username

• name of the name attribute within the token - default name

Known restrictions:

• A proper logout in the dashboard can only be performed, if the OIDC configuration metadata document provides a property named end_session_endpoint

• Authentication calls are only sending scope=openid for the Implicit and Password flow. In case of Authorization Code flow all supported scopes will be sent

• Currently, there is support only for one Identity Provider per k5-project, that is managed by the k5-project-operator.

Create secrets manually:

This step has to be repeated for every k5-project. Please ensure that your k5-project resource does not have the autoconfiguration flag for IAM enabled. If you do not want to configure the secrets manually, there is also the option to administer those secrets within the Configuration Management. Please note that those secrets are built out only during the creation of a k5-project from the default configuration values.

Create the following secrets within the namespace of the k5-project and provide the necessary information for each:

The secret should always contain the following properties:

Example call for create a secret:

This sample call will create a secret named dashboard-oauth-client-secret and specifies all required values.

oc create secret generic dashboard-oauth-client-secret \
--from-literal=issuer='https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/v2.0'  \
--from-literal=client.id='8325d28e-840e-4420-928c-33382d4b92a9'  \
--from-literal=client.secret='aaf83822-6beb-4ea7-ab78-6af08e81ca8d'  \
--from-literal=token.endpoint='https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/oauth2/v2.0/token' \
--from-literal=baseurl='https://login.microsoftonline.com/426abd8d-4518-4fd8-b768-107155ec5d15/'  \
--from-literal=realm='mySecurityRealm'

List of redirect-URIs

The application (dashboard and swagger-ui) will send the following redirect URIs. Please ensure that your Identity Provider does explicitly accept these.

• <HOSTNAME>/login/oauth2/code/dashboard

• <HOSTNAME>/swagger-ui/oauth2-redirect.html

For the Client Credentials Flow working properly, different Identity Providers need different properties to set. In order to give full flexibility, there are some configuration properties that can be set additionally. They can be specified via a solution configuration within the Configuration Management (see Solution default configuration).

In order to specify the needed values, you can put the values inside the configmap property:

configmap
extraConfiguration: |
  # Optional additional configuration
  de.knowis.cp.ds.action.helper.overwriteParameter.scope: "api://8325d28e-840e-4420-928c-33382d4b92a9/.default"
  de.knowis.cp.ds.action.helper.overwriteParameter.audience:

You can specify any arbitrary key value pairs, that are sent to the Identity Provider by just using the pattern de.knowis.cp.ds.action.helper.overwriteParameter.KEY: VALUE. Declaring a key with no value, will actually result in an empty form parameter with this specific key.