MAS OpenID Connect
Goal
The goal of this document is to provide a guide on how to configure the MAS OpenID Connect IdP, and how to configure the Middleware and the Client to use it.
Configuration
insight.properties, Middleware
oidc.server=https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite
oidc.server.pkce=false
oidc.userinfo.username=sub
oidc.client.client_id=insight-app
oidc.client.client_secret=your_client_secret
oidc.client.client_id and oidc.client.client_secret must match the client configuration registered in MAS, see below.
config.json, Client
"oidc": {
"backend": true
}
MAS Setup
Goal
Enable the MAS OIDC provider for the Insight application by registering a new client to be used by the Insight application.
Requirements
From the OpenShift cluster running MAS, obtain the "oauth-admin-username" and "oauth-admin-password" values:
- Log into OpenShift
- Select the "mas-...-core" project
- Select the "secrets" tab
- Search for "oauth"
- Select the "...-credentials-oauth-admin" secret
- Take the "oauth-admin-username" and "oauth-admin-password" values from that secret
Register Insight OIDC client
To register a new client for the first time, use the POST method.
curl -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PASSWORD \
-H 'Accept: application/json' \
-H 'Content-type: application/json' \
-X POST https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite/registration/ \
-d @insight_client.json ;
Update Insight OIDC client
To update an existing client, use the PUT method and append the client_id to the URL.
curl -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PASSWORD \
-H 'Accept: application/json' \
-H 'Content-type: application/json' \
-X PUT https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite/registration/insight-app \
-d @insight_client.json ;
Example client configuration
Replace your_client_secret and all URLs with your own values. You can also change the client_id, but it must then match oidc.client.client_id in insight.properties.
{
"client_id": "insight-app",
"client_secret": "your_client_secret",
"publicClient": false,
"proofKeyForCodeExchange": false,
"scope": "openid profile email general",
"grant_types": [
"authorization_code",
"client_credentials",
"implicit",
"refresh_token",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
],
"response_types": ["code", "token", "id_token token"],
"application_type": "web",
"subject_type": "public",
"post_logout_redirect_uris": [
"https://insight.local.ibfs.de/insight/auth/logout"
],
"preauthorized_scope": "openid profile email general",
"introspect_tokens": true,
"trusted_uri_prefixes": [
"https://insight.local.ibfs.de"
],
"redirect_uris": [
"https://insight.local.ibfs.de/insight/auth/callback",
"https://insight.local.ibfs.de/insight/cockpit/api/auth/callback"
]
}
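As an added example (not part of the MAS or Insight documentation), a Python check that reads insight.properties and the client JSON above and reports where they disagree: client_id, client_secret, the PKCE flag, and whether every redirect and logout URI is https and lies under a trusted_uri_prefixes entry. The sample inputs are constructed from the values on this page, and the function names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed samples taken from this page; not a real deployment.
INSIGHT_PROPERTIES = """\
oidc.server=https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite
oidc.server.pkce=false
oidc.client.client_id=insight-app
oidc.client.client_secret=your_client_secret
"""
INSIGHT_CLIENT_JSON = """{
  "client_id": "insight-app", "client_secret": "your_client_secret",
  "proofKeyForCodeExchange": false,
  "trusted_uri_prefixes": ["https://insight.local.ibfs.de"],
  "redirect_uris": ["https://insight.local.ibfs.de/insight/auth/callback"],
  "post_logout_redirect_uris": ["https://insight.local.ibfs.de/insight/auth/logout"]
}"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' lines ignored."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def covered(uri, prefixes):
    # Match on a path boundary so a prefix for one host cannot cover a look-alike host.
    return any(uri == p or uri.startswith(p.rstrip("/") + "/") for p in prefixes)

def check_consistency(properties_text, client_json_text):
    """Return a list of findings; an empty list means the two files agree."""
    props = parse_properties(properties_text)
    client = json.loads(client_json_text)
    findings = []
    if props.get("oidc.client.client_id") != client.get("client_id"):
        findings.append("client_id differs between insight.properties and client JSON")
    if props.get("oidc.client.client_secret") != client.get("client_secret"):
        findings.append("client_secret differs between insight.properties and client JSON")
    if client.get("client_secret") == "your_client_secret":
        findings.append("client_secret still holds the placeholder value")
    pkce_prop = props.get("oidc.server.pkce", "false").lower() == "true"
    if pkce_prop != bool(client.get("proofKeyForCodeExchange", False)):
        findings.append("PKCE setting differs: oidc.server.pkce vs proofKeyForCodeExchange")
    prefixes = client.get("trusted_uri_prefixes", [])
    for uri in client.get("redirect_uris", []) + client.get("post_logout_redirect_uris", []):
        if urlsplit(uri).scheme != "https":
            findings.append(f"non-https URI: {uri}")
        if not covered(uri, prefixes):
            findings.append(f"URI not under any trusted_uri_prefixes entry: {uri}")
    return findings
```

Run it against the real insight.properties and insight_client.json before the curl registration call; on the page's sample values the only finding is the placeholder client_secret.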