computate
commented
1 week ago @Anish701 Is it a requirement for all the universities that NERC allows to log into your autopilot app? Or would you like to implement log in through a different identity provider like GitHub instead? This is a simpler use case that I recommend that is much simpler to grant your team access to what they need with RBAC.
Create a GitHub OAuth app
- Visit https://github.com/settings/developers
- Click "New OAuth App"
Application name: autopilot
Homepage URL: Route to app in OpenShift
Authorization callback URL: https://autopilot-keycloak-host/realms/AUTOPILOT/broker/github/endpointHere is an example Realm import that you can use to configure the identityProviders with GitHub based on the GITHUB_AUTH_CLIENT and GITHUB_AUTH_SECRET that you create. You would need to replace everything in {{ ... }} with something else.
id: {{ AUTH_REALM }}
realm: {{ AUTH_REALM }}
enabled: true
displayName: {{ AUTH_REALM }}
registrationAllowed: false
resetPasswordAllowed: true
editUsernameAllowed: false
rememberMe: true
verifyEmail: false
loginWithEmailAllowed: false
identityProviders:
- displayName: GitHub
enabled: true
alias: github
providerId: github
updateProfileFirstLoginMode: "on"
trustEmail: true
storeToken: false
addReadTokenRoleOnCreate: false
authenticateByDefault: false
linkOnly: false
firstBrokerLoginFlowAlias: "first broker login"
config:
"syncMode": "IMPORT"
"useJwksUrl": "true"
"clientId": "{{ GITHUB_AUTH_CLIENT }}"
"clientSecret": "{{ GITHUB_AUTH_SECRET }}"
groups: []
users: []
roles:
realm: []
clientScopes:
- id: {{ AUTH_CLIENT }}
name: {{ AUTH_CLIENT }}
description: A client scope for the {{ AUTH_CLIENT }} client
protocol: openid-connect
protocolMappers:
- config:
access.token.claim: 'true'
id.token.claim: 'false'
included.client.audience: '{{ AUTH_CLIENT }}'
consentRequired: false
id: {{ AUTH_CLIENT }}
name: {{ AUTH_CLIENT }}
protocol: openid-connect
protocolMapper: oidc-audience-mapper
- id: {{ AUTH_CLIENT }}-profile
name: profile
description: "OpenID Connect built-in scope: profile"
protocol: openid-connect
protocolMappers:
- config:
access.token.claim: 'true'
claim.name: email_verified
id.token.claim: 'true'
jsonType.label: boolean
user.attribute: emailVerified
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-email-verified
name: email verified
protocol: openid-connect
protocolMapper: oidc-usermodel-property-mapper
- config:
access.token.claim: 'true'
claim.name: preferred_username
id.token.claim: 'true'
jsonType.label: String
user.attribute: username
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-username
name: username
protocol: openid-connect
protocolMapper: oidc-usermodel-property-mapper
- config:
access.token.claim: 'true'
claim.name: groups
id.token.claim: 'true'
jsonType.label: String
multivalued: 'true'
user.attribute: foo
consentRequired: false
id: {{ AUTH_CLIENT }}-groups
name: groups
protocol: openid-connect
protocolMapper: oidc-usermodel-realm-role-mapper
- config:
access.token.claim: 'true'
claim.name: family_name
id.token.claim: 'true'
jsonType.label: String
user.attribute: lastName
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-family-name
name: family name
protocol: openid-connect
protocolMapper: oidc-usermodel-property-mapper
- config:
access.token.claim: 'true'
claim.name: given_name
id.token.claim: 'true'
jsonType.label: String
user.attribute: firstName
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-given-name
name: given name
protocol: openid-connect
protocolMapper: oidc-usermodel-property-mapper
- config:
access.token.claim: 'true'
claim.name: email
id.token.claim: 'true'
jsonType.label: String
user.attribute: email
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-email
name: email
protocol: openid-connect
protocolMapper: oidc-usermodel-property-mapper
- config:
access.token.claim: 'true'
claim.name: middle_name
id.token.claim: 'true'
jsonType.label: String
user.attribute: middleName
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-middle-name
name: middle name
protocol: openid-connect
protocolMapper: oidc-usermodel-attribute-mapper
- config:
access.token.claim: 'true'
claim.name: locale
id.token.claim: 'true'
jsonType.label: String
user.attribute: locale
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-locale
name: locale
protocol: openid-connect
protocolMapper: oidc-usermodel-attribute-mapper
- config:
access.token.claim: 'true'
claim.name: nickname
id.token.claim: 'true'
jsonType.label: String
user.attribute: nickname
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-nickname
name: nickname
protocol: openid-connect
protocolMapper: oidc-usermodel-attribute-mapper
- config:
access.token.claim: 'true'
claim.name: updated_at
id.token.claim: 'true'
jsonType.label: long
user.attribute: updatedAt
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-updated-at
name: updated at
protocol: openid-connect
protocolMapper: oidc-usermodel-attribute-mapper
- config:
access.token.claim: 'true'
id.token.claim: 'true'
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-full-name
name: full name
protocol: openid-connect
protocolMapper: oidc-full-name-mapper
- config:
access.token.claim: 'true'
claim.name: profile
id.token.claim: 'true'
jsonType.label: String
user.attribute: profile
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-profile
name: profile
protocol: openid-connect
protocolMapper: oidc-usermodel-attribute-mapper
- config:
access.token.claim: 'true'
claim.name: resource_access.${client_id}.roles
jsonType.label: String
multivalued: 'true'
user.attribute: foo
consentRequired: false
id: {{ AUTH_CLIENT }}-client-roles
name: client roles
protocol: openid-connect
protocolMapper: oidc-usermodel-client-role-mapper
- config:
access.token.claim: 'true'
claim.name: zoneinfo
id.token.claim: 'true'
jsonType.label: String
user.attribute: zoneinfo
userinfo.token.claim: 'true'
consentRequired: false
id: {{ AUTH_CLIENT }}-zoneinfo
name: zoneinfo
protocol: openid-connect
protocolMapper: oidc-usermodel-attribute-mapper
- config:
access.token.claim: 'true'
claim.name: realm_access.roles
jsonType.label: String
multivalued: 'true'
user.attribute: foo
consentRequired: false
id: {{ AUTH_CLIENT }}-realm-roles
name: realm roles
protocol: openid-connect
protocolMapper: oidc-usermodel-realm-role-mapper
defaultDefaultClientScopes:
- {{ AUTH_CLIENT }}
clients:
- id: {{ AUTH_CLIENT }}
clientId: {{ AUTH_CLIENT }}
standardFlowEnabled: true
serviceAccountsEnabled: true
authorizationServicesEnabled: true
frontchannelLogout: true
protocol: openid-connect
redirectUris:
- "{{ SITE_BASE_URL }}/callback"
- "{{ SITE_BASE_URL }}/logout"
defaultClientScopes:
- profile
authorizationSettings:
decisionStrategy: AFFIRMATIVE
Anish701
Hi @naved001 and @computate, our team is currently working on setting up our login system for the Autopilot dashboard application. We are currently testing our login implementation using a locally hosted keycloak server. Would we be able to access/use NERC's OpenShift ID login system for our web application's login? If so, would there be a specific way you would recommend us to implement it?