
Devops/tweak openid for different access url #510

Open
wants to merge 5 commits into
base: develop

Conversation

MikeNeilson
Contributor

Was finally able to retrieve an active JWT and see how things worked. CDA can now use the EDIPI provided by the JWT to retrieve CWMS user credentials.

Possible future work involves database changes to allow use of the "sub", which would be appropriate to allow Keycloak Direct Grant OR Login.gov.

The majority of the auth flows are not usable by our users, and some scopes don't work even though they're presented. Removing the oauth flows is easy; I'll investigate later setting an appropriate default scope and client id.

Oh and for anyone that ever needs to try TLS/Mutual auth from a terminal in Windows:

curl -v --ca-native --cert "CurrentUser\MY\<Thumbprint from CAC cert>" "https://url-requiring-mutual-auth.test" -d "grant_type=password" -d "username=" -d "password=" -d "response_type=code" -d "client_id=<client scope>" -d "scope=openid profile email"

Note that with the above, email did not show up within the JWT. @willbreitkreutz the JWT clearly said email not verified so seems reasonable to ; is there a process for a user to update their information on Keycloak? Couldn't quite figure out how to log in to my account correctly, assuming it's even configured to do so.

- Method to tweak base auth to allow usage of non-cac for service lookup and cac for user login through Swagger.
- Implemented Functionality to process JWT and build appropriate DataApiPrincipal.

Closes #392.
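Added example (not CDA's or Keycloak's code): a Python sketch of the JWT-to-principal step described in this PR. It assumes the EDIPI arrives in a claim named `edipi`, uses a constructed HS256 shared secret so it runs offline (a Keycloak deployment would verify the RS256 signature against the realm's JWKS instead), and only passes `email` through when the token marks it verified.

```python
# Added example, not the project's code. Claim name "edipi" and the HS256
# demo secret are assumptions; Keycloak issues RS256 tokens verified via JWKS.
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the example has input to verify."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def principal_from_jwt(token: str, secret: bytes, now=None) -> dict:
    """Verify the token and return the fields a DataApiPrincipal-style object
    would be built from. Raises ValueError on any check failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose it ("none", etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    edipi = claims.get("edipi")  # EDIPI is a 10-digit DoD ID number
    if not (isinstance(edipi, str) and edipi.isdigit() and len(edipi) == 10):
        raise ValueError("missing or malformed EDIPI claim")
    # Email is only usable when the IdP marked it verified; otherwise drop it.
    email = claims.get("email") if claims.get("email_verified") is True else None
    return {"edipi": edipi, "sub": claims.get("sub"), "email": email}
```

The CWMS credential lookup keyed on `edipi` (and the future `sub`-based lookup) would hang off the returned dict.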
compose_files/pki/certs/main.conf

Collaborator

I think several files in pki/certs/* area are re-generated and don't need to be included here?

docker-compose.README.md
Co-authored-by: Karl Tarbet <ktarbet@users.noreply.github.com>
@willbreitkreutz

@MikeNeilson there is a way for users to update their profile, first name, last name and e-mail anyway. We're working on getting that workflow documented. We don't have e-mail verification wired up so they all show not-verified even if there is an e-mail, probably something we need to get incorporated.
