Generic OIDC provider support #10152
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 tasks
offtherailz
added
the
BackportNeeded
offtherailz
commented
May 15, 2024
offtherailz
commented
May 15, 2024
tdipisa
added
C206-DEUTSCHE_BAHN-2024-SUPPORT
and removed
C206-DEUTSCHE_BAHN-2023-SUPPORT
labels
tdipisa
requested changes
May 16, 2024
There was a problem hiding this comment.
@offtherailz as discussed, I would like to add an entry point section in the documentation to provide an overall picture of available capabilities of the current OpenID support in MS across different OpenID clients / configuration methodologies we have (using old clients and the new one) such as:
- Available clients and what they can do
- Which limits they have
- How them can be combined to provide multiple auths
- Future steps also in term of deprecation of the old clients
I would like to provide only a brief preliminary indication of the above to allow readers to learn the details in the relevant sections of the documentation.
offtherailz
commented
May 16, 2024
tdipisa
requested changes
May 17, 2024
| !!! note | ||
| If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on login in the login menu will not show any intermediate window and you will be redirected directly to the OpenID provider configured. If more than one entry is present in `authenticationProviders` list, the user will have to choose one of them to be authenticated. | ||
| !!! info | ||
| If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on the login entry in the login menu will redirect directly to the OpenID provider login page configured, without showing the login window. If more than one entry is present in `authenticationProviders` list, the user will see the login window before to choose one of the services configured to be authenticated. |
There was a problem hiding this comment.
Suggested change
| If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on the login entry in the login menu will redirect directly to the OpenID provider login page configured, without showing the login window. If more than one entry is present in `authenticationProviders` list, the user will see the login window before to choose one of the services configured to be authenticated. | |
| If only one OpenID entry is present in `authenticationProviders` (and no `geostore` entry available), clicking on the login entry in the login menu will redirect directly to the OpenID provider login page configured, without showing the login window. If more than one entry is present in the `authenticationProviders` list, the the login window will be provided in the MapStore UI to be able choose the desired one for the authentication. |
|
|
||
| ## Supported OpenID services | ||
|
|
||
| MapStore allows to integrate with the following OpenID providers. | ||
| MapStore provides a generic OpenID connect provider (`oidc`) that can be used to configure any OpenID Connect service (Google, Microsoft, Keycloak, Facebook, Github ...). In addition, MapStore provides specific configurations for some services. This means that you can configure MapStore to use the following services out of the box: |
There was a problem hiding this comment.
Suggested change
| MapStore provides a generic OpenID connect provider (`oidc`) that can be used to configure any OpenID Connect service (Google, Microsoft, Keycloak, Facebook, Github ...). In addition, MapStore provides specific configurations for some services. This means that you can configure MapStore to use the following services out of the box: | |
| MapStore provides a generic OpenID connect provider (`oidc`) that can be used to configure any OpenID Connect service (Google, Microsoft, Keycloak, Facebook, Github, etc.). In addition, MapStore provides specific configurations for some services. This means that you can configure MapStore to use the following services out of the box: |
| - Keycloak | ||
| - OpenID connect | ||
| - Google (specific) | ||
| - Keycloak (specific) | ||
|
|
||
| For each service you want to add you have to: |
There was a problem hiding this comment.
Suggested change
| For each service you want to add you have to: | |
| For each service you want to include, you have to: |
|
|
||
| For each service you want to add you have to: | ||
|
|
||
| - properly configure the backend | ||
| - configure the service (e.g., create a new application on Google Console, create a new client on Keycloak, etc.) | ||
| - properly configure the backend (in `mapstore-ovr.properties`) | ||
| - modify `localConfig.json` adding a proper entry to the `authenticationProviders`. |
There was a problem hiding this comment.
Suggested change
| - modify `localConfig.json` adding a proper entry to the `authenticationProviders`. | |
| - modify the `localConfig.json` file by adding a proper entry to the `authenticationProviders` |
| - modify `localConfig.json` adding a proper entry to the `authenticationProviders`. | ||
|
|
||
| Morover the keycloak provider allows to configure advanced features like Single Sign On (SSO) with other applications and direct user database integration as well as for ldap. |
There was a problem hiding this comment.
Suggested change
| Morover the keycloak provider allows to configure advanced features like Single Sign On (SSO) with other applications and direct user database integration as well as for ldap. | |
| Moreover the keycloak provider allows to configure advanced features like the **Single Sign On (SSO)** with other applications and **direct user database integration** as for [LDAP](ldap.md#ldap-integration-with-mapstore). |
There was a problem hiding this comment.
@offtherailz please check if the hyperlink is correct.
| `mapstore-ovr.properties`: | ||
|
|
||
| ```properties | ||
| # enables the keycloak OpenID Connect filter |
There was a problem hiding this comment.
keycloak? That's a typo, I think
| #### Create Oauth 2.0 credentials on Google Console | ||
|
|
||
| In order to setup the openID connection you have to setup a project in Google API Console to obtain Oauth 2.0 credentials and configure them. | ||
| In order to setup the openID connection you have to setup a project in Google API Console to obtain Oauth 2.0 credentials and configure them. Here a quick summary of the steps to configure Google as an OpenID provider. For more details, please refer to the [Google documentation](https://developers.google.com/identity/openid-connect/openid-connect). | ||
|
|
||
| - Open Google developer console and, from credentials section, create a new credential of type **Oauth client ID** |
There was a problem hiding this comment.
Suggested change
| - Open Google developer console and, from credentials section, create a new credential of type **Oauth client ID** | |
| - Open the Google developer console and, from credentials section, create a new credential of type **Oauth client ID** |
| @@ -51,7 +200,9 @@ Please follow the [Google documentation](https://developers.google.com/identity/ | |||
|
|
|||
| After the setup, you will have to: | |||
|
|
|||
| - create/edit `mapstore-ovr.properties` file (in data-dir or class path) to configure the google provider this way: | |||
| - create/edit `mapstore-ovr.properties` file (in data-dir or class path) to configure the google OpenID integration by inserting in particular the `clientId` and `clientSecret` obtained from Google Console. You have also set the `autoCreateUser` to `true` to create the user if not present in the MapStore database: | |||
There was a problem hiding this comment.
Suggested change
| - create/edit `mapstore-ovr.properties` file (in data-dir or class path) to configure the google OpenID integration by inserting in particular the `clientId` and `clientSecret` obtained from Google Console. You have also set the `autoCreateUser` to `true` to create the user if not present in the MapStore database: | |
| - create/edit the `mapstore-ovr.properties` file (in data-dir or class path) to configure the Google OpenID integration by inserting in particular the `clientId` and the `clientSecret` obtained from Google Console. You have also to set the `autoCreateUser` to `true` to create the user if not present in the MapStore database: |
|
|
||
| A generic OpenID Connect (OIDC) authentication support has been introduced in MapStore. This feature allows to authenticate users using an OIDC provider, like Keycloak, Okta, Google, Azure, etc. | ||
|
|
||
| In order to have this feature working, you need to update in your project the `geostore-spring-security.xml` file in your project, if it has been customized and you are not using the default one. |
There was a problem hiding this comment.
Suggested change
| In order to have this feature working, you need to update in your project the `geostore-spring-security.xml` file in your project, if it has been customized and you are not using the default one. | |
| To provide this functionality, it is necessary to update the project's `geostore-spring-security.xml` file, if the default one is not used. |
| + <bean id="oidcSecurityConfiguration" class="it.geosolutions.geostore.services.rest.security.oauth2.openid_connect.OpenIdConnectSecurityConfiguration"/> <!-- add this bean to configure the integration --> | ||
|
|
||
| <bean id="googleSecurityConfiguration" class="it.geosolutions.geostore.services.rest.security.oauth2.google.OAuthGoogleSecurityConfiguration"/> | ||
|
|
There was a problem hiding this comment.
The diff section need to be properly closed here
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In draft waiting for fixes on geostore side, and to update doc in this PR too:
Description
This PR configures the integration of a generic OIDC provider (provided by geosolutions-it/geostore#330 ) in MapStore, documenting it.
Please check if the PR fulfills these requirements
What kind of change does this PR introduce? (check one with "x", remove the others)
Issue
#10151
What is the new behavior?
#10151 integrated (logout still to be impelmented on GeoStore, so not closing it).
Breaking change
Does this PR introduce a breaking change? (check one with "x", remove the other)
Other useful information