Generic OIDC provider support #10152
base: master
Conversation
@offtherailz as discussed, I would like to add an entry point section in the documentation to provide an overall picture of the available capabilities of the current OpenID support in MS across the different OpenID clients / configuration methodologies we have (using the old clients and the new one), such as:
- Available clients and what they can do
- Which limits they have
- How they can be combined to provide multiple auths
- Future steps, also in terms of deprecation of the old clients
I would like to provide only a brief preliminary indication of the above to allow readers to learn the details in the relevant sections of the documentation.
!!! note | ||
If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on login in the login menu will not show any intermediate window and you will be redirected directly to the OpenID provider configured. If more than one entry is present in `authenticationProviders` list, the user will have to choose one of them to be authenticated. | ||
!!! info | ||
If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on the login entry in the login menu will redirect directly to the OpenID provider login page configured, without showing the login window. If more than one entry is present in `authenticationProviders` list, the user will see the login window before to choose one of the services configured to be authenticated. |
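Review bot: the admonition should say explicitly what the `geostore` entry is for, because the direct-redirect behaviour it describes has a security consequence: an operator who lists a single OpenID provider and omits the `geostore` entry (which this note implies is the local-credentials provider) can no longer reach local accounts such as the built-in admin from the login menu, since the click goes straight to the external provider. Suggest appending one sentence, e.g. "Keep a `geostore` entry in `authenticationProviders` if local accounts must still be able to log in through the login window."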
If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on the login entry in the login menu will redirect directly to the OpenID provider login page configured, without showing the login window. If more than one entry is present in `authenticationProviders` list, the user will see the login window before to choose one of the services configured to be authenticated. | |
If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on the login entry in the login menu will redirect directly to the OpenID provider login page configured, without showing the login window. If more than one entry is present in the `authenticationProviders` list, the the login window will be provided in the MapStore UI to be able choose the desired one for the authentication. |
## Supported OpenID services | ||
MapStore allows to integrate with the following OpenID providers. | ||
MapStore provides a generic OpenID connect provider (`oidc`) that can be used to configure any OpenID Connect service (Google, Microsoft, Keycloak, Facebook, Github ...). In addition, MapStore provides specific configurations for some services. This means that you can configure MapStore to use the following services out of the box: |
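Review bot: the new paragraph lists GitHub among the services the generic `oidc` provider can be configured against, but GitHub's user login is plain OAuth 2.0 (no ID token, no OpenID Connect discovery document), so an OpenID Connect client cannot complete a login against it. Suggest dropping GitHub from the parenthetical, or restricting the examples to providers that expose an OIDC discovery endpoint (Google, Microsoft, Keycloak) so readers do not try the `oidc` provider against a service it cannot work with.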
MapStore provides a generic OpenID connect provider (`oidc`) that can be used to configure any OpenID Connect service (Google, Microsoft, Keycloak, Facebook, Github ...). In addition, MapStore provides specific configurations for some services. This means that you can configure MapStore to use the following services out of the box: | |
MapStore provides a generic OpenID connect provider (`oidc`) that can be used to configure any OpenID Connect service (Google, Microsoft, Keycloak, Facebook, Github, etc.). In addition, MapStore provides specific configurations for some services. This means that you can configure MapStore to use the following services out of the box: |
- Keycloak | ||
- OpenID connect | ||
- Google (specific) | ||
- Keycloak (specific) | ||
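Review bot: the bullet list after "you can configure MapStore to use the following services out of the box" names only Google (specific) and Keycloak (specific), while the generic `oidc` provider introduced in the paragraph above is missing and the old `OpenID connect` bullet has been removed; a reader skimming the bullets will not see that a generic option exists. Suggest keeping a first bullet such as `- OpenID Connect (generic, \`oidc\`)` ahead of the two specific ones.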
For each service you want to add you have to: |
For each service you want to add you have to: | |
For each service you want to include, you have to: |
For each service you want to add you have to: | ||
- properly configure the backend | ||
- configure the service (e.g., create a new application on Google Console, create a new client on Keycloak, etc.) | ||
- properly configure the backend (in `mapstore-ovr.properties`) | ||
- modify `localConfig.json` adding a proper entry to the `authenticationProviders`. |
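Review bot: the "properly configure the backend (in `mapstore-ovr.properties`)" step should warn about the secret it implies: that file is where the provider's `clientSecret` ends up (see the Google section later in this PR), so the doc should tell the operator to keep it out of the web root and out of version control, readable only by the servlet container user. Suggest appending to the bullet: "(this file will contain the client secret; protect it accordingly)".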
- modify `localConfig.json` adding a proper entry to the `authenticationProviders`. | |
- modify the `localConfig.json` file by adding a proper entry to the `authenticationProviders` |
- modify `localConfig.json` adding a proper entry to the `authenticationProviders`. | ||
Morover the keycloak provider allows to configure advanced features like Single Sign On (SSO) with other applications and direct user database integration as well as for ldap. |
Morover the keycloak provider allows to configure advanced features like Single Sign On (SSO) with other applications and direct user database integration as well as for ldap. | |
Moreover the keycloak provider allows to configure advanced features like the **Single Sign On (SSO)** with other applications and **direct user database integration** as for [LDAP](ldap.md#ldap-integration-with-mapstore). |
@offtherailz please check if the hyperlink is correct.
`mapstore-ovr.properties`: | ||
```properties | ||
# enables the keycloak OpenID Connect filter |
keycloak? That's a typo, I think
#### Create Oauth 2.0 credentials on Google Console | ||
In order to setup the openID connection you have to setup a project in Google API Console to obtain Oauth 2.0 credentials and configure them. | ||
In order to setup the openID connection you have to setup a project in Google API Console to obtain Oauth 2.0 credentials and configure them. Here a quick summary of the steps to configure Google as an OpenID provider. For more details, please refer to the [Google documentation](https://developers.google.com/identity/openid-connect/openid-connect). | ||
- Open Google developer console and, from credentials section, create a new credential of type **Oauth client ID** |
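Review bot: style in this hunk: "Oauth 2.0" / "Oauth client ID" should be "OAuth 2.0" / "OAuth client ID" (heading, both paragraphs and the bullet), and "setup" used as a verb ("you have to setup a project") should be "set up"; "openID connection" should be "OpenID Connect integration" to match the rest of the page. The two paragraphs also open with the same sentence, so the old one can simply be replaced by the new one rather than kept alongside it.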
- Open Google developer console and, from credentials section, create a new credential of type **Oauth client ID** | |
- Open the Google developer console and, from credentials section, create a new credential of type **Oauth client ID** |
@@ -51,7 +200,9 @@ Please follow the [Google documentation](https://developers.google.com/identity/ | |||
After the setup, you will have to: | |||
- create/edit `mapstore-ovr.properties` file (in data-dir or class path) to configure the google provider this way: | |||
- create/edit `mapstore-ovr.properties` file (in data-dir or class path) to configure the google OpenID integration by inserting in particular the `clientId` and `clientSecret` obtained from Google Console. You have also set the `autoCreateUser` to `true` to create the user if not present in the MapStore database: |
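Review bot: the instruction to set `autoCreateUser` to `true` needs a sentence on its consequence: with a public provider like Google, any account holder who completes the login gets a MapStore user created, so the doc should state which role and groups that user receives and whether it is enabled immediately, and point out that the flag can stay `false` when only users already present in the MapStore database should be accepted. Suggest rewording the bullet tail to: "Set `autoCreateUser` to `true` only if any user of the provider should be able to log in; a MapStore user is then created on first login, otherwise only users already present in the database are accepted."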
- create/edit `mapstore-ovr.properties` file (in data-dir or class path) to configure the google OpenID integration by inserting in particular the `clientId` and `clientSecret` obtained from Google Console. You have also set the `autoCreateUser` to `true` to create the user if not present in the MapStore database: | |
- create/edit the `mapstore-ovr.properties` file (in data-dir or class path) to configure the Google OpenID integration by inserting in particular the `clientId` and the `clientSecret` obtained from Google Console. You have also to set the `autoCreateUser` to `true` to create the user if not present in the MapStore database: |
A generic OpenID Connect (OIDC) authentication support has been introduced in MapStore. This feature allows to authenticate users using an OIDC provider, like Keycloak, Okta, Google, Azure, etc. | ||
In order to have this feature working, you need to update in your project the `geostore-spring-security.xml` file in your project, if it has been customized and you are not using the default one. |
In order to have this feature working, you need to update in your project the `geostore-spring-security.xml` file in your project, if it has been customized and you are not using the default one. | |
To provide this functionality, it is necessary to update the project's `geostore-spring-security.xml` file, if the default one is not used. |
+ <bean id="oidcSecurityConfiguration" class="it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectSecurityConfiguration"/> <!-- add this bean to configure the integration --> | ||
<bean id="googleSecurityConfiguration" class="it.geosolutions.geostore.services.rest.security.oauth2.google.OAuthGoogleSecurityConfiguration"/> | ||
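Review bot: the snippet shows the new `oidcSecurityConfiguration` bean placed beside the existing `googleSecurityConfiguration` bean, but the text only says the file must be updated "if it has been customized"; the doc should state that the bean is added in addition to (not instead of) the provider-specific beans, and that a project overriding `geostore-spring-security.xml` without it will not have the `oidc` provider working even with `localConfig.json` and `mapstore-ovr.properties` configured. Suggest adding that sentence right after the "In order to have this feature working" paragraph, and closing the fenced block (see the comment below).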
The diff section needs to be properly closed here
In draft, waiting for fixes on the geostore side, and to update the doc in this PR too:
Description
This PR configures the integration of a generic OIDC provider (provided by geosolutions-it/geostore#330) in MapStore, documenting it.
Issue
#10151
What is the new behavior?
#10151 integrated (logout still to be implemented on GeoStore, so not closing it).