OIDC Integration¶

Overview¶

Insight can be integrated with various OpenID-Connect (OIDC) providers. OIDC is an open standard, integration is tested with Keycloak.

You can find configuration examples here.

In order to use OIDC with Insight, two clients must be created on the OIDC provider.

clientId should be insight-app
- This client must be public and support the Authorization Code with PKCE flow
  - accessType must be public so clients do not require a secret (keycloak)
- DirectGrantAccess (keycloak) must be off resp. 'resource owner password credentials grant' (OAuth2)
- Standardflow must be enabled (keycloak) resp. 'Authorization Code flow' (OAuth2)

Those URLs must be valid callback URLs:

In order to enable OIDC the following property must be set:

oidc.server
- must point to your realm's root (e.g. https://auth.local.ibfs.de/realms/insight)

oidc.server.pkce=false (default: true)
- disable usage of PKCE
oidc.userinfo.username
- configure which property of the token contains the username
oidc.accesstoken.transform=mas8
- Transform access token between requests when using Maximo Application Suite 8
oidc.accesstoken.validation=local
- How to validate token in insight-middleware of incoming request? local is default. remote uses for validation a remote call to userinfo-endpoint
oidc.accesstoken.validation.remote.return=access_token
- which value should used to retrieve user/roles data if oidc.accesstoken.validation=remote is configured. "userinfo", "access_token" is possible. access_token is default
oidc.token.name=access_token
- Which token should be used for OIDC? Default is access_token. Hxgn uses 'id_token'
oidc.client.scope (default: openid)
- used with login procedure via backend
oidc.cache.duration (default: 900000 - 15 min)
- expiry time of pkce verifier in cache

oidc.techuser.username and eam.username the technical user's username
oidc.techuser.password the technical user's password
oidc.techuser.client_id the keycloak client's name (e.g. insight-api)
oidc.techuser.client_secret the client's secret that was copied to the clipboard in the previous paragraph
oidc.techuser.authflow tech-user uses OIDC-Login if property is set otherwise classic login
- for OIDC-Login possible values are Resource Owner Password Credentials or Client Credentials

Client Configuration is done via config.json

insight.properties

config.json

"oidc": {
    "backend": true
}

config.json:

"oidc": {
    "clientId": "insight-app",
    "server": "https://auth.local.ibfs.de/realms/insight",
}

scope
- default: openid, but can be extended: openid profile email
clearCache
- true: The auth window starts with a new session. (default on android)
- false: The auth window starts with an existing session. If the user was already logged in to the IDP, the login is performed immediately. (default on ios)