"As an X-Road (Central/Security) Server
I want to be able to integrate with IAM
so that the user could be authenticated to an external IAM service except using Pluggable Authentication Module approach."

The purpose of this modification is to allow a single Identity and Access Management interface in the form of an external IAM provider. For convenience this solution uses Keycloak, but any OIDC-capable technology would work, and the examples given for Keycloak can be adapted to other providers.

This change will directly affect the code of NIIS X-Road 7.x and is implemented there, preferably included upstream as a pull request, but for now provided by forking the released version. All changes are backwards compatible.

...

Example ID token structure:

{
  "exp": 1685022693,
  "iat": 1685022393,
  "auth_time": 1685021720,
  "jti": "df8c31d5-cb32-4e17-9f2e-5340702ce7ab",
  "iss": "http://host.docker.internal:8089/realms/pubsub-realm",
  "aud": "pubsub",
  "sub": "d49fab86-3549-4659-b123-2f74918070d3",
  "typ": "ID",
  "azp": "pubsub",
  "nonce": "f6YNBEB0wUNbzuTa_ydR2KbkSJdSuXRzXPa_5AE2JiY",
  "session_state": "da1c67e1-1bf0-4c39-810d-2b675fb5dae1",
  "at_hash": "NYOsXhGlZrEQ5JHXevId2Q",
  "acr": "0",
  "sid": "da1c67e1-1bf0-4c39-810d-2b675fb5dae1",
  "email_verified": true,
  "roles": [
    "default-roles-pubsub-realm",
    "offline_access",
    "uma_authorization",
    "xroad-system-administrator"
  ],
  "name": "System Administrator",
  "preferred_username": "sa",
  "given_name": "System",
  "family_name": "Administrator",
  "email": "sa@sa.sa"
}

X-Road will read all the roles and, based on them, will determine the fine-grained authority access for authenticated users.
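The following is an added example (not X-Road's own code) of the claim-level checks a relying party performs on a decoded ID token like the one above, followed by the role-to-authority mapping the text describes. It assumes the token signature has already been verified by the OIDC client library, and the `xroad-` prefix filter and `ROLE_` authority naming are assumptions for illustration.

```python
import time

# Constructed claim set, mirroring the example ID token on this page.
EXAMPLE_CLAIMS = {
    "exp": 1685022693,
    "iat": 1685022393,
    "iss": "http://host.docker.internal:8089/realms/pubsub-realm",
    "aud": "pubsub",
    "azp": "pubsub",
    "nonce": "f6YNBEB0wUNbzuTa_ydR2KbkSJdSuXRzXPa_5AE2JiY",
    "preferred_username": "sa",
    "roles": [
        "default-roles-pubsub-realm",
        "offline_access",
        "uma_authorization",
        "xroad-system-administrator",
    ],
}

# Assumption: only IAM roles carrying this prefix are X-Road roles;
# Keycloak's default realm roles (offline_access etc.) are ignored.
ROLE_PREFIX = "xroad-"


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Return the principal name if the claims are acceptable, else raise ValueError.

    Checks issuer, audience (and azp when several audiences are present),
    expiry and the login nonce, i.e. the claims an OIDC client must verify
    before trusting the roles in the token.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if not claims.get("exp") or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    name = claims.get("preferred_username")  # user-name-attribute in the config
    if not name:
        raise ValueError("missing preferred_username")
    return name


def map_roles_to_authorities(claims):
    """Map the IAM 'roles' claim to Spring-style authority names (assumed naming)."""
    roles = claims.get("roles", [])
    return sorted("ROLE_" + r.upper().replace("-", "_")
                  for r in roles if r.startswith(ROLE_PREFIX))
```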

...

Add the following parameters to the server process that is executing the X-Road proxy-ui-api (security server admin) application, or the centralserver-admin-service (central server admin) application.

XROAD_PROXY_UI_API_PARAMS=-Dxroad.ui.authentication-method=OAUTH2 -Dspring.security.oauth2.client.registration.iam-provider.client-id=pubsub -Dspring.security.oauth2.client.registration.iam-provider.client-secret=wAIz8MUUXHCeUH0f26oY3jpZk0IJpVBK -Dspring.security.oauth2.client.registration.iam-provider.authorization-grant-type=authorization_code -Dspring.security.oauth2.client.registration.iam-provider.redirect-uri={baseUrl}/login/oauth2/code/{registrationId} -Dspring.security.oauth2.client.registration.iam-provider.scope=openid -Dspring.security.oauth2.client.registration.iam-provider.provider=iam-provider -Dspring.security.oauth2.client.provider.iam-provider.issuer-uri=http://host.docker.internal:8089/realms/pubsub-realm -Dspring.security.oauth2.client.provider.iam-provider.authorization-uri=http://host.docker.internal:8089/realms/pubsub-realm/protocol/openid-connect/auth -Dspring.security.oauth2.client.provider.iam-provider.token-uri=http://host.docker.internal:8089/realms/pubsub-realm/protocol/openid-connect/token -Dspring.security.oauth2.client.provider.iam-provider.user-info-uri=http://host.docker.internal:8089/realms/pubsub-realm/protocol/openid-connect/userinfo -Dspring.security.oauth2.client.provider.iam-provider.user-name-attribute=preferred_username

XROAD_CS_ADMIN_SERVICE_PARAMS=-Dxroad.ui.authentication-method=OAUTH2 -Dspring.security.oauth2.client.registration.iam-provider.client-id=pubsub -Dspring.security.oauth2.client.registration.iam-provider.client-secret=Cb6THaqLuqCieP7dt5M8i1HBG0sLJoQk -Dspring.security.oauth2.client.registration.iam-provider.authorization-grant-type=authorization_code -Dspring.security.oauth2.client.registration.iam-provider.redirect-uri={baseUrl}/login/oauth2/code/{registrationId} -Dspring.security.oauth2.client.registration.iam-provider.scope=openid -Dspring.security.oauth2.client.registration.iam-provider.provider=iam-provider -Dspring.security.oauth2.client.provider.iam-provider.issuer-uri=https://keycloak.local:8089/realms/pubsub-realm -Dspring.security.oauth2.client.provider.iam-provider.authorization-uri=https://keycloak.local:8089/realms/pubsub-realm/protocol/openid-connect/auth -Dspring.security.oauth2.client.provider.iam-provider.token-uri=https://keycloak.local:8089/realms/pubsub-realm/protocol/openid-connect/token -Dspring.security.oauth2.client.provider.iam-provider.user-info-uri=https://keycloak.local:8089/realms/pubsub-realm/protocol/openid-connect/userinfo -Dspring.security.oauth2.client.provider.iam-provider.user-name-attribute=preferred_username

Configuring Keycloak as an IAM for local testing purposes:

...