
OIDC-Integration

Overview

Insight can integrate with OpenID Connect (OIDC for short). OIDC is an open standard, but the integration is only tested with Keycloak.

Please complete the Keycloak installation first.

In order to use OIDC with Insight Mobile and Insight Explorer, two different clients must be created on the OIDC server.

  1. clientId for the insight-middleware, configured in insight.properties

    • This client must be confidential
      • accessType must be confidential so that token requests require a client_secret (Keycloak)
    • Direct Access Grants must be enabled (Keycloak), i.e. the OAuth2 'Resource Owner Password Credentials' grant
    • Standard Flow must be disabled (Keycloak), i.e. the OAuth2 'Authorization Code' flow is not offered to this client
    • Service Accounts must be enabled (Keycloak), i.e. the OAuth2 'Client Credentials' grant
    • A technical user with a password must be configured; the middleware authenticates as this user, so grant it only the roles Insight needs
  2. clientId for the clients, configured in config.js / config.json

    • This client must be public and support the Authorization Code flow with PKCE
      • accessType must be public so that clients do not require a secret (Keycloak)
    • Direct Access Grants must be disabled (Keycloak), i.e. the OAuth2 'Resource Owner Password Credentials' grant is not offered to this client
    • Standard Flow must be enabled (Keycloak), i.e. the OAuth2 'Authorization Code' flow

Configure Insight-Properties

In order to integrate Insight with your OIDC server, set the following properties in insight.properties.

  • oidc.server must point to your realm's root (e.g. https://auth.local.ibfs.de/auth/realms/insight)
  • oidc.techuser.username and eam.username the technical user's username (both properties carry the same value)
  • oidc.techuser.password the technical user's password
  • oidc.techuser.client_id the Keycloak client's name (e.g. insight-api)
  • oidc.techuser.client_secret the secret Keycloak generated for the confidential client; this file now holds credentials, so restrict its file permissions accordingly
  • oidc.techuser.authflow if this property is set, the technical user logs in via OIDC; otherwise the classic login is used
    • for the OIDC login the only valid value is Resource Owner Password Credentials
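The following is an added example, not code from Insight or Keycloak. It parses an insight.properties fragment, checks the oidc.* settings listed above against the requirements of the confidential middleware client (https, matching usernames, the single valid authflow value), and builds the two token requests that client is allowed to make: the Resource Owner Password Credentials grant and the Client Credentials grant. All hostnames, client names, user names and secrets are constructed placeholders, and the token endpoint path is Keycloak's; in production take it from the discovery document.

```python
# Added example (not code from Insight or Keycloak): parse an insight.properties
# fragment, check the oidc.* settings, and build the token requests the
# middleware's *confidential* client makes. Placeholders throughout.
from urllib.parse import urlencode

# Constructed sample of the relevant insight.properties lines.
SAMPLE_PROPERTIES = """
# constructed example, not a real deployment
oidc.server=https://auth.example.test/auth/realms/insight
oidc.techuser.username=insight-tech
eam.username=insight-tech
oidc.techuser.password=s3cret-placeholder
oidc.techuser.client_id=insight-api
oidc.techuser.client_secret=0123456789abcdef-placeholder
oidc.techuser.authflow=Resource Owner Password Credentials
"""

REQUIRED = (
    "oidc.server", "oidc.techuser.username", "oidc.techuser.password",
    "oidc.techuser.client_id", "oidc.techuser.client_secret",
)
VALID_AUTHFLOW = "Resource Owner Password Credentials"


def parse_properties(text):
    """Minimal Java-style .properties reader: key=value lines, # or ! comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = [f"missing {key}" for key in REQUIRED if not props.get(key)]
    if not props.get("oidc.server", "").startswith("https://"):
        problems.append("oidc.server must use https: the tech user's password travels in the token request")
    flow = props.get("oidc.techuser.authflow")
    if flow is not None and flow != VALID_AUTHFLOW:
        problems.append(f"oidc.techuser.authflow: the only valid value is '{VALID_AUTHFLOW}'")
    if props.get("eam.username") != props.get("oidc.techuser.username"):
        problems.append("eam.username must equal oidc.techuser.username")
    return problems


def discovery_url(server):
    """Insight appends the well-known path to the realm root."""
    return server.rstrip("/") + "/.well-known/openid-configuration"


def keycloak_token_endpoint(server):
    """Keycloak's token endpoint path; in production read it from the discovery document."""
    return server.rstrip("/") + "/protocol/openid-connect/token"


def _form_post(url, body):
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def ropc_token_request(props):
    """Password grant: needs Direct Access Grants enabled on the client.
    The client_secret is what a confidential client must present."""
    body = {
        "grant_type": "password",
        "client_id": props["oidc.techuser.client_id"],
        "client_secret": props["oidc.techuser.client_secret"],
        "username": props["oidc.techuser.username"],
        "password": props["oidc.techuser.password"],
        "scope": "openid",
    }
    return _form_post(keycloak_token_endpoint(props["oidc.server"]), body)


def client_credentials_request(props):
    """Client credentials grant: needs Service Accounts enabled; no user involved."""
    body = {
        "grant_type": "client_credentials",
        "client_id": props["oidc.techuser.client_id"],
        "client_secret": props["oidc.techuser.client_secret"],
    }
    return _form_post(keycloak_token_endpoint(props["oidc.server"]), body)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("problems:", validate(props))
    print("discovery:", discovery_url(props["oidc.server"]))
    print("ROPC body:", ropc_token_request(props)["body"])
```

Run it against your real insight.properties by reading the file instead of SAMPLE_PROPERTIES; a non-empty problem list means the middleware will not be able to obtain tokens.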

Configure Insight Clients

In addition, the following redirect URIs must be registered on the public client.

  • insightmobile://authcallback for Android and iOS
  • http://localhost:9990/authcallback for Insight Mobile Electron
  • https://your-insight-endpoint/* for the browser; replace the URL with your Insight endpoint, e.g. https://your-insight-endpoint/insight/mobile/index.html. Register the exact callback page rather than a wildcard wherever you can: a broad wildcard lets an authorization code be delivered to any page under that origin.

To enable OIDC authentication in Insight Mobile and Insight Explorer, the clients must be configured in config.json / config.js (see Client Configuration).

Example config.json:

{
    "name": "Insight Mobile Prod",
    "server": "/",
    "oidc": {
        "clientId": "insight-app",
        "server": "https://your-oidc-auth-server/path-before-well-known",
        "scope": "openid"
    }
}
  • clientId the clientId created for Insight Mobile (the public client)
  • server Insight appends /.well-known/openid-configuration to this value, so it must yield a valid discovery URL: https://your-oidc-auth-server/path-before-well-known/.well-known/openid-configuration
  • scope must include openid but can be extended, e.g. openid profile email
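The following is an added example, not code from Insight or Keycloak. It shows the client-side half of the Authorization Code + PKCE flow that the public client from config.json uses: the discovery URL derived from the server property as described above, the config checks (https server, openid in scope), the authorization request with an S256 code challenge, an exact-match check of the redirect URI against the registered list, and the code exchange, which for a public client carries no client_secret. The hostnames and the registered redirect list are constructed placeholders.

```python
# Added example (not code from Insight or Keycloak): Authorization Code + PKCE
# from the *public* client's point of view. Hostnames are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed config.json content, same shape as the example above.
CONFIG = {
    "name": "Insight Mobile Prod",
    "server": "/",
    "oidc": {
        "clientId": "insight-app",
        "server": "https://auth.example.test/auth/realms/insight",
        "scope": "openid profile email",
    },
}

# Redirect URIs registered on the public client (the three listed above, with
# the browser entry as the exact page instead of a wildcard).
REGISTERED_REDIRECTS = (
    "insightmobile://authcallback",
    "http://localhost:9990/authcallback",
    "https://insight.example.test/insight/mobile/index.html",
)


def discovery_url(oidc_server):
    """Insight appends /.well-known/openid-configuration to the server property."""
    return oidc_server.rstrip("/") + "/.well-known/openid-configuration"


def validate_config(cfg):
    """Return a list of problems with the oidc section; empty means OK."""
    oidc = cfg.get("oidc", {})
    problems = []
    if not oidc.get("clientId"):
        problems.append("oidc.clientId is missing")
    if not oidc.get("server", "").startswith("https://"):
        problems.append("oidc.server must be an https URL")
    if "openid" not in oidc.get("scope", "").split():
        problems.append("oidc.scope must include openid")
    return problems


def pkce_pair(verifier=None):
    """RFC 7636: a random 43..128 character verifier and its S256 challenge."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def redirect_allowed(redirect_uri, registered=REGISTERED_REDIRECTS):
    """Exact string match, which is what the authorization server should enforce."""
    return redirect_uri in registered


def build_authorization_url(authorization_endpoint, cfg, redirect_uri, state, verifier=None):
    """Step 1: the URL the app opens in the system browser. Returns the URL and
    the verifier, which the app must keep private until step 2."""
    if not redirect_allowed(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    verifier, challenge = pkce_pair(verifier)
    params = {
        "response_type": "code",
        "client_id": cfg["oidc"]["clientId"],
        "redirect_uri": redirect_uri,
        "scope": cfg["oidc"]["scope"],
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(params), verifier


def code_exchange_body(cfg, code, redirect_uri, verifier):
    """Step 2: exchange the code at the token endpoint. A public client sends no
    client_secret; the code_verifier proves it started this authorization."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": cfg["oidc"]["clientId"],
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })


if __name__ == "__main__":
    auth_ep = CONFIG["oidc"]["server"] + "/protocol/openid-connect/auth"  # Keycloak's path
    url, verifier = build_authorization_url(auth_ep, CONFIG, "insightmobile://authcallback",
                                            secrets.token_urlsafe(16))
    print(url)
    print(code_exchange_body(CONFIG, "<code from callback>", "insightmobile://authcallback", verifier))
```

The state value must be compared on the callback and the verifier must never leave the device; together with the exact-match redirect check this is what keeps a public client without a secret safe from code interception.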

Apache Http

  • Keycloak needs a dedicated hostname or DNS alias, e.g. auth.local.ibfs.de
  • TLS certificate and key for that Keycloak hostname
  • Keycloak must be configured to trust the X-Forwarded-* headers set by this proxy (the option depends on your Keycloak version); otherwise it builds issuer and redirect URLs with the wrong scheme
  • configure the vhost in http_ahssl.conf (<kcport> is the port Keycloak listens on locally):
    <VirtualHost auth.kcserver:443>
    SSLEngine on
    ServerName auth.kcserver:443
    SSLCertificateFile "${SRVROOT}/conf/ssl/kcserver.pem"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/kcserver.key"

    # keep the original Host header and do not act as a forward proxy
    ProxyPreserveHost On
    ProxyRequests Off
    # tell Keycloak that the client connection arrived over TLS on port 443
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Keycloak only listens on localhost; TLS terminates here
    ProxyPass / http://localhost:<kcport>/
    ProxyPassReverse / http://localhost:<kcport>/
    </VirtualHost>