Differences

This shows you the differences between two versions of the page.

--- devel:documentation:security:dev:security [2023/12/01 11:19]
chalupat
+++ devel:documentation:security:dev:security [2023/12/01 16:19] (current)
chalupat [The authentication flow from external application (hub, ...)]
@@ Line 215: / Line 215: @@
 When all configuration is done. You will be able to log into IdM **ONLY**  via CAS. **The authentication flow is**: Access IdM URL → if you are not logged in → redirect to CAS → log in → redirect back to IdM → You are authenticated in IdM Access IdM URL → If you are logged in (jwt token is valid) → You are authenticated in IdM **Logout:**  Click on logout button in IdM → Log out of IdM → CAS logout URL is called → logout from CAS → redirect to IdM → Redirect back to CAS because you are not authenticated **Expired jwt token:**  Logged out of IdM → redirect to /login → CAS is conntacted → authentication flow is applied now
-===== OICD authentication  =====
+===== OIDC authentication =====
+@since 13.1.0
+This feature is disabled by default. If you want to enable it, see configuration properties [[this>devel/documentation/application_configuration/dev/backend#oidc_authentication|application]]
+CAS Service for OIDC configuration:
+idm-oidc-201.json
+<code>
+{
+  "@class" : "org.apereo.cas.services.OidcRegisteredService",
+  "clientId" : "client",
+  "clientSecret": "secret",
+  "serviceId" : "redirectUrl",
+  "name" : "CzechIdM OIDC",
+  "id" : 201,
+  "evaluationOrder" : 1,
+  "scopes": ["java.util.HashSet", ["openid"]],
+  "supportedResponseTypes": ["java.util.HashSet", ["code"]],
+  "logoutType": "BACK_CHANNEL",
+  "logoutUrl": "logoutUrl",
+  "redirectUrl": "redirectUrl"
+}
+</code>
+==== The authentication flow from front ====
+{{  .:oidc_1.png?nolink&1061x612  }}
+) User isn't authenticated so frotend redirects user to api endpoint for OIDC login.
+) IDM redirects user to OIDC providers login page (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
+) User login on OIDC providers page
+) User gets redirected back to IDM with "code"
+) IDM uses "code" to get from OIDC provider, ID token and Access token (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
+) After validation IDM creates CIDMST token (with externalID set to SID)
+) IDM redirects to front with CIDMST
+==== The authentication flow from external application (hub, ...) ====
+{{  .:oidc2_1.png?nolink&889x698  }}
+) Authentication happens on external application
+) When accessing a resource, external application presents access token (in header "Authorization" and value starts with "Bearer") (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
+) IDM validates token on OIDC provider
+) If user has access to resource returns it
+==== Single logout flow from IDM ====
+{{  .:oidc3_1.png?nolink&881x369  }}
+) User clicks on logout button so front redirects him to api endpoint for OIDC logout.
+) IDM redirect him to logout endpoint on OIDC provider (adress from .well-known endpoint on OIDC providers or can be overwritten in config)
+) OIDC provider calls IMD and IDM invalidates all tokens with SID (from JWT token)