Differences

devel:documentation:security:dev:security [2023/12/01 11:19]
chalupat
devel:documentation:security:dev:security [2023/12/01 16:18]
chalupat [Single logout flow from IDM]
Line 215: Line 215:
 When all configuration is done. You will be able to log into IdM **ONLY**  via CAS. **The authentication flow is**: Access IdM URL → if you are not logged in → redirect to CAS → log in → redirect back to IdM → You are authenticated in IdM Access IdM URL → If you are logged in (jwt token is valid) → You are authenticated in IdM **Logout:**  Click on logout button in IdM → Log out of IdM → CAS logout URL is called → logout from CAS → redirect to IdM → Redirect back to CAS because you are not authenticated **Expired jwt token:**  Logged out of IdM → redirect to /login → CAS is conntacted → authentication flow is applied now When all configuration is done. You will be able to log into IdM **ONLY**  via CAS. **The authentication flow is**: Access IdM URL → if you are not logged in → redirect to CAS → log in → redirect back to IdM → You are authenticated in IdM Access IdM URL → If you are logged in (jwt token is valid) → You are authenticated in IdM **Logout:**  Click on logout button in IdM → Log out of IdM → CAS logout URL is called → logout from CAS → redirect to IdM → Redirect back to CAS because you are not authenticated **Expired jwt token:**  Logged out of IdM → redirect to /login → CAS is conntacted → authentication flow is applied now
  
-===== OICD authentication  =====+===== OIDC authentication ===== 
 + 
 +@since 13.1.0 
 + 
 +This feature is disabled by default. If you want to enable it, see configuration properties [[this>devel/documentation/application_configuration/dev/backend#oidc_authentication|application]] 
 + 
 +CAS Service for OIDC configuration: 
 + 
 +idm-oidc-201.json 
 +<code> 
 + 
 +
 +  "@class" : "org.apereo.cas.services.OidcRegisteredService", 
 +  "clientId" : "client", 
 +  "clientSecret": "secret", 
 +  "serviceId" : "redirectUrl", 
 +  "name" : "CzechIdM OIDC", 
 +  "id" : 201, 
 +  "evaluationOrder" : 1, 
 +  "scopes": ["java.util.HashSet", ["openid"]], 
 +  "supportedResponseTypes": ["java.util.HashSet", ["code"]], 
 +  "logoutType": "BACK_CHANNEL", 
 +  "logoutUrl": "logoutUrl", 
 +  "redirectUrl": "redirectUrl" 
 +
 + 
 +</code> 
 + 
 + 
 +==== The authentication flow from front ==== 
 + 
 +{{  .:oidc_1.png?nolink&1061x612  }} 
 + 
 +1) User isn't authenticated so frotend redirects user to api endpoint for OIDC login. 
 + 
 +2) IDM redirects user to OIDC providers login page (adress from .well-known endpoint on OIDC providers or can be overwritten in config) 
 + 
 +3) User login on OIDC providers page 
 + 
 +4) User gets redirected back to IDM with "code" 
 + 
 +5) IDM uses "code" to get from OIDC provider, ID token and Access token (adress from .well-known endpoint on OIDC providers or can be overwritten in config) 
 + 
 +6) After validation IDM creates CIDMST token (with externalID set to SID) 
 + 
 +7) IDM redirects to front with CIDMST 
 + 
 + 
 +==== The authentication flow from external application (hub, ...) ==== 
 + 
 +{{  .:oidc2_1.png?nolink&889x698  }} 
 + 
 +1) Authentication happens on external application 
 + 
 +2) When accessing a resource, external application presents access token (in header "Authorization" and value starts with "Bearer"
 + 
 +3) IDM validates token on OIDC provider 
 + 
 +4) If user has access to resource returns it 
 + 
 + 
 +==== Single logout flow from IDM ==== 
 + 
 +{{  .:oidc3_1.png?nolink&881x369  }} 
 + 
 +1) User clicks on logout button so front redirects him to api endpoint for OIDC logout. 
 + 
 +2) IDM redirect him to logout endpoint on OIDC provider (adress from .well-known endpoint on OIDC providers or can be overwritten in config) 
 + 
 +3) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token)
  
  
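Review bot: the OIDC service definition inside the `<code>` block is missing its opening `{` and closing `}` (the lines directly after `<code>` and directly before `</code>` are empty), so the snippet is not valid JSON and cannot be dropped into the CAS service registry as-is; please restore the braces. The values `"clientId" : "client"`, `"clientSecret": "secret"`, `"serviceId" : "redirectUrl"`, `"logoutUrl": "logoutUrl"` and `"redirectUrl": "redirectUrl"` should also be marked explicitly as placeholders that must be replaced with the deployment's own values, since a reader may otherwise copy the example secret verbatim. In the flow descriptions, step 5 of the front-end flow says "After validation" without saying what is validated; naming the checks performed on the ID token and access token (signature against the provider's published keys, issuer, audience matching the client id, expiry) would document the trust boundary, and step 3 of the external-application flow should say whether "validates token on OIDC provider" means introspection at the provider or local validation of a signed token. Step 3 of the single-logout flow should state that the back-channel logout call from the provider is itself verified before all tokens sharing the SID are invalidated; as written it is not clear that an unverified request to that endpoint would be rejected. Minor wording: "frotend" should be "frontend", "adress" should be "address" (three occurrences), "IMD" should be "IDM", and the sentence in step 2 of the external-application flow is missing its closing parenthesis.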
  • by chalupat