OIDC Integration¶
Overview¶
Insight can be integrated with various OpenID-Connect (OIDC) providers.
OIDC is an open standard, integration is tested with Keycloak.
Please follow Keycloak installation first.
You can find configuration examples here.
OIDC provider configuration¶
In order to use OIDC with Insight, two clients must be created on the OIDC provider.
Client for technical user via middleware¶
- clientId for the insight-middleware configured in
insight.properties- client must not be public
- accessType must be
confidential, client_secret is required
- accessType must be
- DirectGrantAccess (keycloak) must be enabled resp. 'resource owner password credentials grant' (OAuth2)
- Standardflow must be off (keycloak)
- ServiceAccounts must be enabled (keycloak) resp. 'client credentials grant' (OAuth2)
- A user and password must be configured
- client must not be public
Client for access via browser & app¶
Private client, login procedure via backend¶
- clientId should be
insight-app- client must not be public and can support the
Authorization Code with PKCEflow- accessType must be
confidential, client_secret is required - if
PKCEis not usedoidc.pkce=falsemust be set
- accessType must be
- DirectGrantAccess (keycloak) must be off
- Standardflow must be enabled (keycloak) resp. 'Authorization Code flow' (OAuth2)
- client must not be public and can support the
Public client, login procedure via client itself¶
- clientId should be
insight-app- This client must be public and support the
Authorization Code with PKCEflow- accessType must be
publicso clients do not require a secret (keycloak)
- accessType must be
- DirectGrantAccess (keycloak) must be off resp. 'resource owner password credentials grant' (OAuth2)
- Standardflow must be enabled (keycloak) resp. 'Authorization Code flow' (OAuth2)
- This client must be public and support the
Callback URLs¶
Those URLs must be valid callback URLs:
insightmobile://authcallback(Android and iOS)http://localhost:9990/authcallback(Insight Electron)https://your-insight-endpoint/insight/*(Insight via browser)
OIDC configuration Insight¶
In order to enable OIDC the following property must be set:
Enable OIDC¶
oidc.server- must point to your realm's root (e.g.
https://auth.local.ibfs.de/realms/insight)
- must point to your realm's root (e.g.
Additional properties¶
oidc.pkce=false(default: true)- disable usage of
PKCE
- disable usage of
oidc.userinfo.username- configure which property of the token contains the username
oidc.accesstoken.transform=mas8- Transform access token between requests when using
Maximo Application Suite 8
- Transform access token between requests when using
oidc.client.scope(default:openid)- used with login procedure via backend
Configure access for technical user via middleware¶
oidc.techuser.usernameandeam.usernamethe technical user's usernameoidc.techuser.passwordthe technical user's passwordoidc.techuser.client_idthe keycloak client's name (e.g.insight-api)oidc.techuser.client_secretthe client's secret that was copied to the clipboard in the previous paragraphoidc.techuser.authflowtech-user uses OIDC-Login if property is set otherwise classic login- for OIDC-Login possible values are
Resource Owner Password CredentialsorClient Credentials
- for OIDC-Login possible values are
Configure Insight Clients¶
Client Configuration is done via config.json / config.js
Private client, login procedure via backend¶
insight.properties
oidc.client.client_id=insight-appoidc.client.client_secret=your_client_secret
config.json/config.js
"oidc": {
"backend": true
}
Public client, login procedure via client itself¶
config.json / config.js:
"oidc": {
"clientId": "insight-app",
"server": "https://auth.local.ibfs.de/realms/insight",
}
additional properties¶
scope- default:
openid, but can be extended:openid profile email
- default: