...

  • The Identity Provider is a system external to JS7 that provides authentication services for user accounts.
  • The Client is the JOC Cockpit GUI that performs login/logout with the Identity Provider and that receives tokens from the Identity Provider in case of successful login.
  • The Application is the JS7 - REST Web Service API that is handed over a token by the Client and which verifies the token with the Identity Provider.

...

  • Service Type: OIDC
    • Management of user accounts with passwords is performed by the OIDC Identity Provider
    • The assignment of roles to user accounts is performed by the JOC Cockpit Client.
    • The JOC Cockpit stores user accounts and role assignments in the JS7 - Database.
    • The JOC Cockpit does not know passwords of user accounts or the access tokens of successful authentication.

...

Having added an OIDC Identity Service, it is necessary to add settings for the OIDC integration from the Identity Service's Manage Settings action menu item:

...

  • OIDC Name
    • Value: The name of the OIDC Identity Service.
    • Description: This is the name of the Identity Service. It is used by JOC Cockpit to show the caption of the assigned login button.
    • Example: Google, Keycloak
  • OIDC Authentication URL
    • Value: The URL used by the Client to login to the OIDC Identity Provider.
    • Description: This URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It is similarly used when reading settings of the OIDC Identity Provider with the /.well-known/openid-configuration URL and is used as the issuer during token verification.
    • Example: https://keycloak:8283/auth/realms/JOC
  • OIDC Client ID
    • Value: The Client ID is configured in the OIDC Identity Provider.
    • Description: The Client ID is used for a number of calls to the OIDC Identity Provider.
    • Example: joc-cockpit, 63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com
  • OIDC Client Secret
    • Value: The Client Secret is configured in the OIDC Identity Provider.
    • Description: The Client Secret is used for a number of calls to the OIDC Identity Provider.
    • Example: iAMNDlDLorpa7pdbGORDe6vylztVhTiq, 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
  • OIDC Image
    • Value: An image can be uploaded that is displayed with the login page.
    • Description: Optionally an image can be uploaded.
  • OIDC Truststore Path
    • Value: The path to a truststore.
    • Description: Should the OIDC Identity Provider be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
      • The truststore can include a self-signed certificate or a CA-signed certificate. Typically the Root CA certificate is used, as otherwise the complete certificate chain involved in signing the Server Authentication certificate has to be available in the truststore.
      • If the OIDC Identity Provider is operated for HTTPS connections and this setting is not specified then the JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of the settings for the truststore password and truststore type.
      • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified, and a path cannot be specified that lies above the JETTY_BASE directory in the file system hierarchy.
    • Example: oidc-truststore.p12
  • OIDC Truststore Password
    • Value: Truststore password
    • Description: If the OIDC Identity Provider is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.
    • Example: secret
  • OIDC Truststore Type
    • Value: Truststore type
    • Description: If the OIDC Identity Provider is configured for HTTPS connections then the type of the truststore has to be specified, being either PKCS12 or JKS (deprecated).
    • Example: PKCS12

OIDC Login

Once OIDC Identity Services have been configured they are displayed in JOC Cockpit's login screen like this:

...

OIDC Flows

Register Client

It is necessary for a Client to be registered with the Identity Provider. The Client specifies the given Client ID and Client Secret during authentication. To achieve this, the token endpoint is called with:

  • client-id: The Client ID which is configured in the JOC Cockpit Identity Service.
  • client-secret: The Client Secret which is configured in the JOC Cockpit Identity Service.
  • redirect-urls: The list of allowed URLs for redirection after authentication by the Client. Note that for clustered JOC Cockpit instances the URL of each JOC Cockpit instance has to be specified. For JOC Cockpit, the protocol (HTTP, HTTPS), host and port are specified as the URL, for example https://joc-2-0-primary:4446.

Registration of the Client is performed once in the lifetime of an OIDC Identity Service.

...

When authentication is performed with an Identity Provider then:

  • no additional required Identity Services will be considered by JOC Cockpit. Authentication is performed with the given OIDC Identity Service only.
  • OIDC Identity Services cannot be set to be required.

If the Client has previously authenticated with the Identity Provider and an active session exists then the Client immediately receives tokens from the Identity Provider. Without previous authentication the Client specifies credentials for authentication with the Identity Provider and creates a session in the Identity Provider. This mechanism allows Single Sign-On for Clients.

The Identity Provider returns the following to the Client after successful authentication:

  • Access Token: The Client stores this token in a locker for later token renewal.
  • Refresh Token: The Client stores this token in a locker for later token renewal.
  • ID Token: This token is used by the Application to verify the Client's authentication.

...

  • Checking if the response contains the field "active". The value of the field is expected to be "true".
  • Checking if the ID Token has not expired.
  • Checking if the Client ID (aud) stored in the ID Token is the same as in the configuration of the Identity Service.
  • Checking if the issuer (iss) stored in the ID Token is the same as the OIDC Authentication URL in the configuration of the Identity Service.
  • Checking if the account (e-mail) stored in the ID Token is the same as the field "email" in the answer of the userinfo endpoint.
  • Checking if the signature is valid for the given public key. The certs endpoint is the value of jwks_uri in the response to the /.well-known/openid-configuration call. The response of the certs endpoint includes a number of keys. The public key is calculated from the key entry using the values n and e of the array element whose kid value matches the kid in the token header.
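The following is an added example, not JS7 code, showing the ID Token checks listed above implemented end to end: the kid lookup in the certs (jwks_uri) response, the RSA public key rebuilt from the JWK's n and e, an RS256 signature check over the token, and then the expiry, aud, iss and e-mail comparisons. It assumes an RS256-signed token in standard JWS/JWK format; the key pair, the JWKS document, the claims and the userinfo e-mail are constructed for the demonstration, and the key generation and signing helpers exist only to produce that test material.

```python
import base64
import hashlib
import json
import random
import time

# RFC 8017 DigestInfo prefix for SHA-256 (used by EMSA-PKCS1-v1_5)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 verification with public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(message, k)


def verify_id_token(token, jwks, client_id, issuer, userinfo_email, now=None):
    """Apply the checks listed above to an ID Token; returns (ok, reason)."""
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":
        return False, "unexpected alg"
    # certs endpoint: take the array element whose kid matches the token header
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "no key with matching kid"
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    # verify the signature before trusting any claim in the payload
    if not rsa_verify(n, e, f"{h_b64}.{p_b64}".encode("ascii"), b64url_decode(s_b64)):
        return False, "bad signature"
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "aud does not match Client ID"
    if payload.get("iss") != issuer:
        return False, "iss does not match OIDC Authentication URL"
    if payload.get("email") != userinfo_email:
        return False, "email differs from userinfo response"
    return True, "ok"


# --- constructed test material: throwaway RSA key, JWKS document, signed token ---

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; only used to build the demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def make_test_keypair(bits: int = 1024):
    """Return (n, e, d); 1024 bits keeps the demo fast and is not a production size."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # modular inverse needs Python 3.8+


def jwks_for(n: int, e: int, kid: str) -> dict:
    """Constructed certs-endpoint response holding one RSA JWK."""
    def enc(i):
        return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}]}


def sign_id_token(claims: dict, n: int, d: int, kid: str) -> str:
    """Produce an RS256 JWS the way an Identity Provider would (demo only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(f"{header}.{payload}".encode("ascii"), k), "big")
    return f"{header}.{payload}.{b64url_encode(pow(em, d, n).to_bytes(k, 'big'))}"


if __name__ == "__main__":
    n, e, d = make_test_keypair()
    now = 1_700_000_000
    claims = {"iss": "https://keycloak:8283/auth/realms/JOC", "aud": "joc-cockpit",
              "email": "alice@example.com", "exp": now + 300}  # constructed claims
    tok = sign_id_token(claims, n, d, "kid-1")
    print(verify_id_token(tok, jwks_for(n, e, "kid-1"), "joc-cockpit", claims["iss"],
                          "alice@example.com", now=now))
```

The signature is checked before the payload is parsed, so a tampered aud, iss or email claim is rejected as "bad signature" rather than being compared at all; the remaining checks then run in the order the list above gives them. The issuer passed in is the configured OIDC Authentication URL, matching the table entry that says this URL is used as the issuer during token verification.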

...

Access Tokens and ID Tokens include an expiration date. The tokens will be renewed by the Client 20s before expiration.

If the tokens cannot be renewed, for example if the underlying session in the Identity Provider is terminated, then the JOC Cockpit session will be terminated and the user is forced to log in again. This occurs in case that:

  • the session has been terminated in the Identity Provider
  • no valid Access Token is returned from the Identity Provider.

...

  • Users who previously have been authenticated with the same Identity Provider as used by the OIDC Identity Service can access JOC Cockpit from their browser without specifying credentials.
  • Users who initially authenticate with an Identity Provider by use of JOC Cockpit can open additional tabs in their browser without specifying credentials.
    • If a session is created for a user in the Identity Provider by authentication with JOC Cockpit then this session will last as long as the JOC Cockpit session.
    • If the user's Access Token is revoked in the Identity Provider then the underlying session in the Identity Provider will be continued until the JOC Cockpit session has been terminated either by a logout operation or by reaching the Idle Session Timeout.
    • If the user performs a logout operation from the JOC Cockpit session that was used to authenticate with the Identity Provider then the underlying session in the Identity Provider will be terminated.

Logging

  • Log Files
  • Standard Log Files
    • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
    • Successful and failed authentication attempts including user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
  • Debug Log Files
    • For problem analysis during setup of an Identity Service, increase the log level as explained in the JS7 - Log Levels and Debug Options article.
    • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
    • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
    • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.

...