devel:documentation:security:dev:security [2023/12/01 11:19]
chalupat [OIDC authentication]
devel:documentation:security:dev:security [2023/12/01 16:19]
chalupat [The authentication flow from external application (hub, ...)]
  
===== OIDC authentication =====

@since 13.1.0

This feature is disabled by default. To enable it, see the [[this>devel/documentation/application_configuration/dev/backend#oidc_authentication|application configuration properties]].

CAS service definition for the IDM OIDC client ("client", "secret", "redirectUrl" and "logoutUrl" are placeholders to be replaced with the deployment's real values):

idm-oidc-201.json
<code json>
{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client",
  "clientSecret": "secret",
  "serviceId": "redirectUrl",
  "name": "CzechIdM OIDC",
  "id": 201,
  "evaluationOrder": 1,
  "scopes": ["java.util.HashSet", ["openid"]],
  "supportedResponseTypes": ["java.util.HashSet", ["code"]],
  "logoutType": "BACK_CHANNEL",
  "logoutUrl": "logoutUrl",
  "redirectUrl": "redirectUrl"
}
</code>

Notes on the definition: CAS matches "serviceId" as a regular expression against the redirect URI sent by the client, so anchor it to the exact IDM callback URL rather than a loose prefix; "clientSecret" should be a long random value known only to CAS and IDM; restricting "supportedResponseTypes" to "code" keeps tokens out of the browser redirect (authorization code flow only); "logoutType" BACK_CHANNEL makes CAS call "logoutUrl" server to server when the user's CAS session ends, which is what the single logout flow below relies on.


==== The authentication flow from the frontend ====

{{  .:oidc_1.png?nolink&1061x612  }}

1) The user is not authenticated, so the frontend redirects the browser to the IDM API endpoint for OIDC login.

2) IDM redirects the user to the OIDC provider's login page (the authorization endpoint address is taken from the provider's .well-known discovery document, or can be overridden in the configuration).

3) The user logs in on the OIDC provider's page.

4) The provider redirects the user back to IDM with an authorization "code".

5) IDM exchanges the "code" at the provider's token endpoint for an ID token and an access token (the endpoint address is again taken from the .well-known document, or can be overridden in the configuration).

6) After validating the ID token, IDM creates a CIDMST token whose externalId is set to the "sid" (the provider's session identifier from the ID token); this is the link used later by single logout.

7) IDM redirects back to the frontend with the CIDMST token.


==== The authentication flow from an external application (hub, ...) ====

{{  .:oidc2_1.png?nolink&889x698  }}

1) Authentication happens in the external application, which obtains an access token from the OIDC provider.

2) When accessing an IDM resource, the external application presents that access token in the "Authorization" header, with a value starting with "Bearer ".

3) IDM validates the token against the OIDC provider (the validation endpoint address is taken from the provider's .well-known document, or can be overridden in the configuration).

4) If the user has access to the resource, IDM returns it.


==== Single logout flow from IDM ====

{{  .:oidc3_1.png?nolink&881x369  }}

1) The user clicks the logout button, so the frontend redirects the browser to the IDM API endpoint for OIDC logout.

2) IDM redirects the user to the logout (end session) endpoint of the OIDC provider (the address is taken from the provider's .well-known document, or can be overridden in the configuration).

3) The OIDC provider calls IDM on the back channel, and IDM invalidates all its tokens whose externalId matches the "sid" carried in the provider's logout token (a JWT).
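
The three flows above share one relying-party concern: what IDM has to check before it trusts what the provider or the external application hands it. The following Python example is added here and is not CzechIdM code; it models those checks for all three flows against constructed tokens. It assumes an HS256 shared secret in place of the provider's RS256 JWKS keys, a constructed issuer URL, RFC 7662 token introspection as the way a bearer token is "validated on the provider", and the OIDC Back-Channel Logout logout-token format for step 3 of the logout flow; the function and class names are the example's own.

```python
"""Relying-party side of the three flows above (added example, not CzechIdM code):
ID token validation after the code exchange, bearer token checks from an introspection
answer, and back-channel logout keyed by sid. HS256 with a shared secret keeps it
offline; real providers sign with RS256 keys from their JWKS endpoint (assumption)."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.test"  # constructed; normally from .well-known/openid-configuration
CLIENT_ID = "client"                 # clientId from the CAS service definition above
SECRET = b"secret"                   # clientSecret from the definition; demo value only
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Constructed provider: mints an HS256 JWT standing in for the IdP's tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, now: int, key: bytes = SECRET) -> dict:
    """Verify alg, signature, iss, aud and (when present) exp; ValueError on any failure."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("expired")
    return claims

class IdmSessions:
    """Stand-in for the IDM token store: CIDMST tokens whose externalId is the provider sid."""
    def __init__(self) -> None:
        self.tokens: dict = {}  # cidmst -> {"sub": ..., "sid": ...}

    def login_from_id_token(self, id_token: str, expected_nonce: str, now: int) -> str:
        """Flow 1, steps 5-6: validate the ID token and mint a CIDMST tied to its sid."""
        claims = verify_jwt(id_token, now)
        if "exp" not in claims or claims.get("nonce") != expected_nonce:
            raise ValueError("ID token needs exp and the nonce of this login attempt")
        if "sid" not in claims:  # without sid, flow 3 cannot find this session later
            raise ValueError("sid required for single logout")
        cidmst = "CIDMST-" + b64url(hashlib.sha256(id_token.encode()).digest()[:12])
        self.tokens[cidmst] = {"sub": claims["sub"], "sid": claims["sid"]}
        return cidmst

    @staticmethod
    def authorize_bearer(authorization: str, introspection: dict, now: int) -> str:
        """Flow 2: check the Authorization header and the provider's introspection answer
        (RFC 7662 shape; assumed to be how IDM 'validates the token on the provider')."""
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or not token:
            raise ValueError("not a bearer token")
        if not introspection.get("active"):
            raise ValueError("token inactive")  # revoked, expired or unknown at the IdP
        aud = introspection.get("aud")
        if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token issued for another audience")
        if introspection.get("exp", 0) <= now:
            raise ValueError("token expired")
        return introspection["sub"]

    def backchannel_logout(self, logout_token: str, now: int) -> int:
        """Flow 3, step 3: validate the logout token and drop every CIDMST with its sid."""
        claims = verify_jwt(logout_token, now)
        if LOGOUT_EVENT not in claims.get("events", {}) or not all(k in claims for k in ("jti", "sid")):
            raise ValueError("not a logout token carrying jti and sid")
        if "nonce" in claims:  # the spec forbids nonce here, so a replayed ID token is refused
            raise ValueError("logout token must not carry nonce")
        doomed = [t for t, s in self.tokens.items() if s["sid"] == claims["sid"]]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

def demo() -> dict:
    """Run the three flows on constructed tokens and report the observable results."""
    now = 1_700_000_000
    sessions = IdmSessions()
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "sid": "sess-42", "iat": now}
    first = sessions.login_from_id_token(sign_jwt({**base, "nonce": "n-1", "exp": now + 300}), "n-1", now)
    second = sessions.login_from_id_token(  # same IdP session, e.g. a second browser tab
        sign_jwt({**base, "nonce": "n-2", "exp": now + 300}), "n-2", now)
    intro = {"active": True, "sub": "hub", "aud": CLIENT_ID, "exp": now + 60}  # constructed RFC 7662 answer
    hub_sub = IdmSessions.authorize_bearer("Bearer opaque-hub-token", intro, now)
    logout = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sid": "sess-42", "jti": "j-1",
                       "iat": now + 10, "events": {LOGOUT_EVENT: {}}})
    invalidated = sessions.backchannel_logout(logout, now + 10)
    return {"first": first, "second": second, "hub_sub": hub_sub,
            "invalidated": invalidated, "remaining": len(sessions.tokens)}
```

demo() walks through all three flows: two CIDMST tokens issued in the same provider session, a hub access token accepted on the strength of its introspection answer, and one logout token that invalidates both CIDMST tokens by sid. The nonce check in login_from_id_token and the no-nonce rule in backchannel_logout are what stop an ID token from being replayed as a logout token, and the alg check in verify_jwt is what stops an "alg": "none" token from being accepted.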
  
  
  • by chalupat