Introduction
- The JS7 - Identity Services offer local management of user accounts for authentication and authorization.
- The OIDC Identity Service integration is available from JOC Cockpit:
- Any OIDC compliant Identity Provider can be used for authentication.
- This requires an OIDC Identity Provider to be installed and operated. JS7 does not ship with an OIDC Identity Provider.
- JS7 implements a REST client for use with OIDC Identity Providers.
Identity Service Type
The following integration level is available from the OIDC Identity Service:
| Identity Service | Identity Service Configuration Items | ||||
|---|---|---|---|---|---|
| Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with |
| OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit |
Explanation:
- Service Type:
OIDC- Management of user accounts with passwords is performed by the OIDC Identity Provider
- The assignment of roles to user accounts is performed by the JOC Cockpit.
- The JOC Cockpit stores user accounts and role assignments:
- in the JS7 - Database and
Identity Service Configuration
The 
icon in the JOC Cockpit main menu is used to select the Manage Identity Services page:
Identity Service Settings
The settings for the OIDC Identity Service are managed in the "Manage Settings View".
| Name | Value | Description | Example |
| OIDC Name | The name of the OIDC Identity Service | This is the name of the Identity Service. It will be used by JOC Cockpit to show the caption of the assigned login button. | Google, Keycloak |
| OIDC Authentication URL | The URL used by the Client to connect to the OIDC Identity Provider | This URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It is similarly used when reading settings of the OIDC Identity Provider with the /.well-known/openid-configuration URL and is used as the issuer during token verification. | https://keycloak:8283/auth/realms/JOC |
| OIDC Client ID | The Client ID configured in the OIDC Identity Provider | The client id is used for several calls to to the OIDC Identity Provider | joc-cockpit 63853035078-6cm5tv51pp34svj2a6cd9421fjhl1813.apps.googleusercontent.com |
OIDC Client Secret | The client secret configured in the OIDC Identity Provider | The client secret is used for several calls to to the OIDC Identity Provider | iAMNDlDLorpa7pdbGORDe6vylztVhTiq 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 |
| OIDC Session Renewal URL | This URL is used for the renewal of the access token. | If empty the "token-endpoint" value from the "/.well-known/openid-configuration" call is used. The renewal url will be call with
The new access token is expected in the field "access_token" | https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token |
| OIDC Token Verification URL | This URL is used to verify the Access Token. | If empty the "introspection_endpoint" value from the "/.well-known/openid-configuration" call is used. The token verification url will be called with
The response must contain the field "active" The value for this field is expected to be "true" | https://keycloak:8283/auth/realms/JOC/protocol/openid-connect/token/introspect |
Token Verification
The login call returns the following tokens to the Client:
- Access Token: A token returned after successful authentication by the Client.
- ID Token: A JWT Token with Header.Payload.Signature is expected.
- Refresh Token: A token used to renew the Access Token.
Checking Token
The token verification URL will be called with
- Client ID
- Client Secret
- Access Token
- The response must contain the field "active" The value for this field is expected to be "true".
- The access token is not expired.
- Check whether the Client ID (aud) stored in the id-token is the same as in the configuration of the Identity-Service
- Check whether the issuer (iss) stored in the id-token is the same as the OIDC Authentication Url in the configuration of the Identity-Service
- Check whether the account (email) stored in the id-token is the same as in the field "email" in the answer of the userinfo-endpoint.
- Checking whether the signature is valid with the given public key. The public key will be read from certs-endpoint. The response of the certs endpoint contains different keys. The public key is found in the field "n" in the element where "kid" is equals to the value of the field "kid" in the header of the id-token. (Not implemented now).
Adding a Client to the OIDC Identity Provider
It is required to configure a Client in the OIDC Identity Provider that is specified for login. The Client specifies a Client ID and a Client Secret.
Keycloak Identity Provider
Settings
- Open Clients View
- Create a new client with the button Create
- The following values are approved
- Enabled: on
- Standard Flow Enable: On
- Valid Redirect Url: JOC Cockpit URL, for example http://localhost:4426/joc
- Web Origin: http://localhost:4426
Credentials
Client Authenticator: Client ID and Client Secret
Secret: Generated secret value
After setting the Client users can be added in the Users view.
.......
Exceptions from other Identity Services
If the login will be done with an Identity Service with
- the type OIDC the list of required Identity Services will not be considered.
- the login will only be tried with this Identity Service. Other Identity Services will not be considered as no username/password is available.
- OIDC Identity Services can not set to "required".
Token Renewal
TBD
Logging
- Log Files
- Standard Log Files
- Identity Services log output to the
JETTY_BASE/logs/joc.logfile. This includes reporting success or failure of authentication. - Successful and failed authentication attempts including user accounts involved are logged to the
JETTY_BASE/logs/audit.logfile.
- Identity Services log output to the
- Debug Log Files
- For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
- The
JETTY_BASE/logs/joc-debug.logfile includes general debug output of JOC Cockpit. - The
JETTY_BASE/logs/authentication-debug.logfile includes debug output related to authentication and authorization. - The
JETTY_BASE/logs/jetty.logfile includes debug output of attempts to establish SSL connections.
Overview
Content Tools