In v2.6.0+ we will add OIDC authn to WS. The Web Service:
- Extracts the code from the Authorization header (see below)
- Calls the token endpoint with a POST, using user/pass basic authn, to exchange the code for an access token
- Calls the userinfo endpoint with the access token to get the user attributes (no separate authn)
- Resolves the subject from the configured userinfo claim
External system in grouper.properties
############################################
## OIDC external system
############################################

# url to decode the oidc code into an access token: https://idp.institution.edu/idp/profile/oidc/token (required)
# grouper.oidcExternalSystem.myOidcConfigId.tokenEndpointUri =

# url to get the user info from the access token https://idp.pennkey.upenn.edu/idp/profile/oidc/userinfo (required)
# grouper.oidcExternalSystem.myOidcConfigId.userInfoUri =

# client id to authorize url (required)
# grouper.oidcExternalSystem.myOidcConfigId.clientId =

# secret to ws (required)
# grouper.oidcExternalSystem.myOidcConfigId.clientSecret =

# if this oidc connector is enabled
# grouper.oidcExternalSystem.myOidcConfigId.enabled =
Grouper would also have an OIDC configuration in grouper.properties that references the external system above:

# config id of the external system (required)
grouper.oidc.configId.oidcExternalSystemConfigId =

# needed for retrieving an access token, e.g. https://my.app/someUrlBackFromIdp
grouper.oidc.configId.redirectUri =

# scope to retrieve from oidc, e.g. openid email profile (required)
grouper.oidc.configId.scope =

# optional, could be in claim as "subjectSourceId", e.g. myPeople
grouper.oidc.configId.subjectSourceId =

# subjectId, subjectIdentifier, or subjectIdOrIdentifier (required)
grouper.oidc.configId.subjectIdType =

# some claim name that has the subjectId / subjectIdentifier / subjectIdOrIdentifier in it, e.g. employeeId (required)
grouper.oidc.configId.subjectIdClaimName =
Make a web service call
Authorization: Bearer oidc_configId_abc123def456

-or-

Authorization: Bearer oidcWithRedirectUri_configId_lmn432rew987_abc123def456

(lmn432rew987 is the base64-encoded redirect uri; configId is the config id from grouper.properties)

Grouper will decode the OIDC code using that config id, and the Grouper Web Service will authenticate as the user identified by the token.
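As an added example (not Grouper's own code), the Python below walks through the flow above: parsing both bearer forms, building the basic-authn token request, and resolving the subject from the userinfo claims. It assumes standard base64 for the redirect uri, the usual authorization_code form body for the token endpoint, and that a subjectSourceId claim overrides the configured one; the config values are constructed placeholders.

```python
import base64
import re
from typing import NamedTuple, Optional

# Constructed placeholders mirroring the grouper.properties keys on this page (not real values).
EXTERNAL = {"tokenEndpointUri": "https://idp.example.edu/idp/profile/oidc/token",
            "clientId": "grouper-ws", "clientSecret": "PLACEHOLDER_SECRET"}
CONFIG = {"oidcExternalSystemConfigId": "myOidcConfigId",
          "redirectUri": "https://my.app/someUrlBackFromIdp", "scope": "openid email profile",
          "subjectSourceId": "myPeople", "subjectIdType": "subjectId", "subjectIdClaimName": "employeeId"}

class BearerParts(NamedTuple):
    config_id: str
    code: str
    redirect_uri: Optional[str]  # only present for the oidcWithRedirectUri form

HEADER_RE = re.compile(r"^Bearer\s+(oidc|oidcWithRedirectUri)_([^_]+)_(\S+)$")

def encode_redirect(uri: str) -> str:
    """Standard base64 (assumed); it never contains '_', so the separator before the code stays unambiguous."""
    return base64.b64encode(uri.encode()).decode()

def parse_bearer(header: str) -> BearerParts:
    """Split the Grouper bearer value into config id, code and optional redirect uri."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("not a Grouper OIDC bearer token")
    kind, config_id, rest = m.groups()
    if kind == "oidc":
        return BearerParts(config_id, rest, None)
    b64_redirect, _, code = rest.partition("_")  # <base64 redirect>_<code>
    if not code:
        raise ValueError("oidcWithRedirectUri token is missing the code")
    return BearerParts(config_id, code, base64.b64decode(b64_redirect, validate=True).decode())

def token_request(parts: BearerParts, config=CONFIG, external=EXTERNAL) -> dict:
    """POST to the token endpoint: client id/secret as HTTP basic authn, code in the form body."""
    creds = base64.b64encode(f"{external['clientId']}:{external['clientSecret']}".encode()).decode()
    return {"url": external["tokenEndpointUri"],
            "headers": {"Authorization": "Basic " + creds,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": {"grant_type": "authorization_code", "code": parts.code,
                     "redirect_uri": parts.redirect_uri or config["redirectUri"]}}

def resolve_subject(claims: dict, config=CONFIG) -> dict:
    """Map userinfo claims to a Grouper subject lookup; a subjectSourceId claim wins over config (assumed)."""
    name = config["subjectIdClaimName"]
    if name not in claims:
        raise ValueError(f"userinfo response has no '{name}' claim; cannot resolve subject")
    return {"sourceId": claims.get("subjectSourceId", config.get("subjectSourceId")),
            "idType": config["subjectIdType"], "id": str(claims[name])}
```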
Developers only
The test users file from git:
grouper/misc/oidc_container_users.json
Run command for the local OIDC docker provider:
docker run --rm -d -p 9000:9000 --mount type=bind,src=/Users/vsachdeva/Downloads/oidc_users/users.json,dst=/tmp/users.json -e "REDIRECTS=http://localhost:8080/grouper/grouperUi/app/UiV2Main.oidc" -e "USERS_FILE=/tmp/users.json" qlik/simple-oidc-provider
1 Comment

Chad Redman

What is "abc123def456"?