
MAS OpenID Connect

Goal

This document describes how to configure the MAS OpenID Connect IdP, and how to configure the Middleware and the Client to use it.

Configuration

insight.properties, Middleware:

  • oidc.server=https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite
  • oidc.server.pkce=false
  • oidc.userinfo.username=sub
  • oidc.client.client_id=insight-app
    • must match client configuration, see below
  • oidc.client.client_secret=your_client_secret
    • must match client configuration, see below

config.json, Client:

"oidc": {
  "backend": true
}

MAS Setup

Goal

Enable the MAS OIDC provider for the Insight application by registering a new client to be used by the Insight application.

Requirements

From the OpenShift cluster running MAS, obtain the oauth-admin-username and oauth-admin-password values stored in the OAuth admin credentials secret.

  • Log into OpenShift
  • Select the "mas-...-core" project
    • Select the secrets tab
    • Search for oauth
    • Select the ...-credentials-oauth-admin secret
      • You need the oauth-admin-username and oauth-admin-password values

Register Insight OIDC client

To register a new client for the first time use the POST method.

curl -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PASSWORD \
  -H 'Accept: application/json' \
  -H 'Content-type: application/json' \
  -X POST https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite/registration/ \
  -d @insight_client.json

Update Insight OIDC client

To update an existing client, use the PUT method and append the client_id to the registration URL.

curl -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PASSWORD \
  -H 'Accept: application/json' \
  -H 'Content-type: application/json' \
  -X PUT https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite/registration/insight-app \
  -d @insight_client.json
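The two curl calls above are the same registration document sent with POST (create) or PUT (replace). The following script is an added example, not Insight or MAS code: it reads the client document, asks the registration endpoint whether the client_id already exists (GET on registration/<client_id>), and then picks POST or PUT accordingly, using the same oauth-admin Basic credentials as the curl calls. The file name insight_client.json and the two environment variable names are assumptions taken from the page's shell examples; unlike the curl -k calls, it leaves TLS certificate verification at the Python default.

```python
"""Create-or-update the Insight OIDC client registration (added example)."""
import base64
import json
import os
import urllib.error
import urllib.request

# Value from insight.properties on this page
OIDC_SERVER = "https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite"


def registration_request(oidc_server: str, client_id: str, exists: bool):
    """Return (method, url) mirroring the page's two curl commands:
    POST to registration/ for a new client, PUT to registration/<client_id>
    to replace an existing one."""
    base = oidc_server.rstrip("/") + "/registration/"
    if exists:
        return "PUT", base + client_id
    return "POST", base


def basic_auth_header(username: str, password: str) -> str:
    """Same credential encoding curl --user produces."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def client_exists(oidc_server: str, client_id: str, auth_header: str, opener) -> bool:
    """GET registration/<client_id>: 200 means the client is registered,
    404 means it is not; anything else is raised to the caller."""
    req = urllib.request.Request(
        oidc_server.rstrip("/") + "/registration/" + client_id,
        headers={"Accept": "application/json", "Authorization": auth_header},
        method="GET",
    )
    try:
        with opener.open(req) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def upsert_client(oidc_server: str, client_doc: dict, username: str, password: str, opener=None):
    """Send client_doc with POST or PUT as appropriate; returns
    (method used, HTTP status, parsed response body)."""
    opener = opener or urllib.request.build_opener()
    auth = basic_auth_header(username, password)
    exists = client_exists(oidc_server, client_doc["client_id"], auth, opener)
    method, url = registration_request(oidc_server, client_doc["client_id"], exists)
    req = urllib.request.Request(
        url,
        data=json.dumps(client_doc).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": auth,
        },
        method=method,
    )
    with opener.open(req) as resp:
        body = resp.read()
        return method, resp.status, json.loads(body) if body else {}


if __name__ == "__main__":
    # Assumed file and variable names, matching the page's curl examples
    with open("insight_client.json") as fh:
        doc = json.load(fh)
    method, status, body = upsert_client(
        OIDC_SERVER, doc, os.environ["OAUTH_ADMIN_USERNAME"], os.environ["OAUTH_ADMIN_PASSWORD"]
    )
    print(method, status, body.get("client_id"))
```

Running it twice is safe: the second run takes the PUT branch instead of creating a duplicate registration.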

Example client configuration

Replace your_client_secret and all URLs with your own values. You can also change the client_id, but it must then match oidc.client.client_id in insight.properties.

{
  "client_id": "insight-app",
  "client_secret": "your_client_secret",
  "publicClient": false,
  "proofKeyForCodeExchange": false,
  "scope": "openid profile email general",
  "grant_types": [
    "authorization_code",
    "client_credentials",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "response_types": ["code", "token", "id_token token"],
  "application_type": "web",
  "subject_type": "public",
  "post_logout_redirect_uris": [
    "https://insight.local.ibfs.de/insight/auth/logout"
  ],
  "preauthorized_scope": "openid profile email general",
  "introspect_tokens": true,
  "trusted_uri_prefixes": [
    "https://insight.local.ibfs.de"
  ],
  "redirect_uris": [
    "https://insight.local.ibfs.de/insight/auth/callback",
    "https://insight.local.ibfs.de/insight/cockpit/api/auth/callback"
  ]
}
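Because the Middleware properties and the registered client must agree (client_id, client_secret, the PKCE flag, and the URLs the Middleware will use), a check that reads both files catches mismatches before a login is attempted. The script below is an added example, not Insight or MAS code; the embedded insight.properties and client document are constructed copies of the values shown on this page, and the rules it applies (matching identifiers and secret, equal PKCE settings, https-only redirect and logout URIs that sit under trusted_uri_prefixes, openid present in scope, a placeholder secret still in place) are the editor's checks, not a list from the product.

```python
"""Cross-check insight.properties against the client registration (added example)."""
import json
from urllib.parse import urlsplit

# Constructed sample inputs copied from the values on this page
PROPERTIES = """\
oidc.server=https://auth.mas8.maximo.tld/oidc/endpoint/MaximoAppSuite
oidc.server.pkce=false
oidc.userinfo.username=sub
oidc.client.client_id=insight-app
oidc.client.client_secret=your_client_secret
"""

CLIENT_JSON = """{
  "client_id": "insight-app",
  "client_secret": "your_client_secret",
  "publicClient": false,
  "proofKeyForCodeExchange": false,
  "scope": "openid profile email general",
  "post_logout_redirect_uris": ["https://insight.local.ibfs.de/insight/auth/logout"],
  "trusted_uri_prefixes": ["https://insight.local.ibfs.de"],
  "redirect_uris": [
    "https://insight.local.ibfs.de/insight/auth/callback",
    "https://insight.local.ibfs.de/insight/cockpit/api/auth/callback"
  ]
}"""

PLACEHOLDER_MSG = "client_secret is still the placeholder value"


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_consistency(props: dict, client: dict) -> list:
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    if props.get("oidc.client.client_id") != client.get("client_id"):
        problems.append("oidc.client.client_id does not match client_id")
    if props.get("oidc.client.client_secret") != client.get("client_secret"):
        problems.append("oidc.client.client_secret does not match client_secret")
    if client.get("client_secret") == "your_client_secret":
        problems.append(PLACEHOLDER_MSG)
    pkce_prop = props.get("oidc.server.pkce", "false").lower() == "true"
    if pkce_prop != bool(client.get("proofKeyForCodeExchange", False)):
        problems.append("oidc.server.pkce differs from proofKeyForCodeExchange")
    if urlsplit(props.get("oidc.server", "")).scheme != "https":
        problems.append("oidc.server is not an https URL")
    prefixes = tuple(client.get("trusted_uri_prefixes", []))
    uris = client.get("redirect_uris", []) + client.get("post_logout_redirect_uris", [])
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            problems.append(f"{uri} is not https")
        if prefixes and not uri.startswith(prefixes):
            problems.append(f"{uri} is outside trusted_uri_prefixes")
    if "openid" not in client.get("scope", "").split():
        problems.append("scope does not include openid")
    return problems


def load_sample():
    """The constructed inputs above, parsed."""
    return parse_properties(PROPERTIES), json.loads(CLIENT_JSON)


def run_check() -> list:
    props, client = load_sample()
    return check_consistency(props, client)


if __name__ == "__main__":
    for problem in run_check() or ["consistent"]:
        print(problem)
```

On the page's own values the only finding is the unchanged placeholder secret; changing client_id on one side only, or enabling PKCE on the server but not in the registration, each adds a further finding.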