EC528 Course: Login Access for Autopilot Dashboard #805

Closed
Anish701 opened this issue Nov 8, 2024 · 2 comments

Comments


Anish701 commented Nov 8, 2024

Hi @naved001 and @computate, our team is currently working on setting up the login system for the Autopilot dashboard application. We are currently testing our login implementation using a locally hosted Keycloak server. Would we be able to access/use NERC's OpenShift ID login system for our web application's login? If so, is there a specific way you would recommend we implement it?

computate (Member) commented Nov 8, 2024

@Anish701 Is it a requirement that all the universities NERC allows can log into your autopilot app? Or would you like to implement login through a different identity provider like GitHub instead? This is the simpler use case that I recommend, since it is much simpler to grant your team access to what they need with RBAC.

Create a GitHub OAuth app

Application name: autopilot
Homepage URL: Route to app in OpenShift
Authorization callback URL: https://autopilot-keycloak-host/realms/AUTOPILOT/broker/github/endpoint

Here is an example Realm import that you can use to configure the identityProviders with GitHub based on the GITHUB_AUTH_CLIENT and GITHUB_AUTH_SECRET that you create. You would need to replace everything in {{ ... }} with something else.

id: {{ AUTH_REALM }}
realm: {{ AUTH_REALM }}
enabled: true
displayName: {{ AUTH_REALM }}
registrationAllowed: false   # no self-service sign-up; users are created only when they first log in through the GitHub broker
resetPasswordAllowed: true
editUsernameAllowed: false
rememberMe: true
verifyEmail: false           # the realm sends no verification mail; with trustEmail set on the broker below, GitHub's email is accepted as-is
loginWithEmailAllowed: false
identityProviders:
  - displayName: GitHub
    enabled: true
    alias: github
    providerId: github
    updateProfileFirstLoginMode: "on"
    trustEmail: true                 # take the email GitHub returns as verified; no realm-side confirmation step
    storeToken: false                # do not persist the GitHub OAuth token in Keycloak; nothing here needs it
    addReadTokenRoleOnCreate: false
    authenticateByDefault: false
    linkOnly: false
    firstBrokerLoginFlowAlias: "first broker login"
    config:
      "syncMode": "IMPORT"           # profile is imported once at first login and not re-synced on later logins
      "useJwksUrl": "true"
      "clientId": "{{ GITHUB_AUTH_CLIENT }}"
      "clientSecret": "{{ GITHUB_AUTH_SECRET }}"   # inject at import time (e.g. from a Kubernetes Secret); never commit the real value

groups: []
users: []
roles:
  realm: []
clientScopes:
  - id: {{ AUTH_CLIENT }}
    name: {{ AUTH_CLIENT }}
    description: A client scope for the {{ AUTH_CLIENT }} client
    protocol: openid-connect
    protocolMappers:
      - config:
          access.token.claim: 'true'
          id.token.claim: 'false'
          included.client.audience: '{{ AUTH_CLIENT }}'
        consentRequired: false
        id: {{ AUTH_CLIENT }}
        name: {{ AUTH_CLIENT }}
        protocol: openid-connect
        protocolMapper: oidc-audience-mapper
  - id: {{ AUTH_CLIENT }}-profile
    name: profile
    description: "OpenID Connect built-in scope: profile"
    protocol: openid-connect
    protocolMappers:
      - config:
          access.token.claim: 'true'
          claim.name: email_verified
          id.token.claim: 'true'
          jsonType.label: boolean
          user.attribute: emailVerified
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-email-verified
        name: email verified
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
      - config:
          access.token.claim: 'true'
          claim.name: preferred_username
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: username
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-username
        name: username
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
      - config:
          access.token.claim: 'true'
          claim.name: groups   # filled by a realm-role mapper, so this "groups" claim carries realm roles, not Keycloak groups
          id.token.claim: 'true'
          jsonType.label: String
          multivalued: 'true'
          user.attribute: foo   # placeholder Keycloak writes into exported role mappers; it is not used
        consentRequired: false
        id: {{ AUTH_CLIENT }}-groups
        name: groups
        protocol: openid-connect
        protocolMapper: oidc-usermodel-realm-role-mapper
      - config:
          access.token.claim: 'true'
          claim.name: family_name
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: lastName
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-family-name
        name: family name
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
      - config:
          access.token.claim: 'true'
          claim.name: given_name
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: firstName
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-given-name
        name: given name
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
      - config:
          access.token.claim: 'true'
          claim.name: email
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: email
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-email
        name: email
        protocol: openid-connect
        protocolMapper: oidc-usermodel-property-mapper
      - config:
          access.token.claim: 'true'
          claim.name: middle_name
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: middleName
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-middle-name
        name: middle name
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
      - config:
          access.token.claim: 'true'
          claim.name: locale
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: locale
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-locale
        name: locale
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
      - config:
          access.token.claim: 'true'
          claim.name: nickname
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: nickname
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-nickname
        name: nickname
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
      - config:
          access.token.claim: 'true'
          claim.name: updated_at
          id.token.claim: 'true'
          jsonType.label: long
          user.attribute: updatedAt
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-updated-at
        name: updated at
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
      - config:
          access.token.claim: 'true'
          id.token.claim: 'true'
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-full-name
        name: full name
        protocol: openid-connect
        protocolMapper: oidc-full-name-mapper
      - config:
          access.token.claim: 'true'
          claim.name: profile
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: profile
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-profile
        name: profile
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
      - config:
          access.token.claim: 'true'
          claim.name: resource_access.${client_id}.roles
          jsonType.label: String
          multivalued: 'true'
          user.attribute: foo   # placeholder Keycloak writes into exported role mappers; it is not used
        consentRequired: false
        id: {{ AUTH_CLIENT }}-client-roles
        name: client roles
        protocol: openid-connect
        protocolMapper: oidc-usermodel-client-role-mapper
      - config:
          access.token.claim: 'true'
          claim.name: zoneinfo
          id.token.claim: 'true'
          jsonType.label: String
          user.attribute: zoneinfo
          userinfo.token.claim: 'true'
        consentRequired: false
        id: {{ AUTH_CLIENT }}-zoneinfo
        name: zoneinfo
        protocol: openid-connect
        protocolMapper: oidc-usermodel-attribute-mapper
      - config:
          access.token.claim: 'true'
          claim.name: realm_access.roles
          jsonType.label: String
          multivalued: 'true'
          user.attribute: foo   # placeholder Keycloak writes into exported role mappers; it is not used
        consentRequired: false
        id: {{ AUTH_CLIENT }}-realm-roles
        name: realm roles
        protocol: openid-connect
        protocolMapper: oidc-usermodel-realm-role-mapper
defaultDefaultClientScopes:
  - {{ AUTH_CLIENT }}
clients:
  - id: {{ AUTH_CLIENT }}
    clientId: {{ AUTH_CLIENT }}
    standardFlowEnabled: true           # authorization-code flow for the browser login
    serviceAccountsEnabled: true        # also allows the client to log in as itself (client credentials); only needed if the app calls Keycloak on its own behalf
    authorizationServicesEnabled: true  # turns on Keycloak Authorization Services (resources/policies/permissions) for this client
    frontchannelLogout: true
    protocol: openid-connect
    redirectUris:                       # matched exactly (a trailing * is the only wildcard); keep these specific to the app
      - "{{ SITE_BASE_URL }}/callback"
      - "{{ SITE_BASE_URL }}/logout"
    defaultClientScopes:
      - profile
    authorizationSettings:
      decisionStrategy: AFFIRMATIVE
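
A relying-party check for tokens issued by this realm, as an added example that is not part of the thread or of the Autopilot project's code. It assumes the realm name AUTOPILOT from the callback URL above and uses `autopilot` as a stand-in for {{ AUTH_CLIENT }}; the locally generated RSA key and the `MintToken` helper stand in for Keycloak's signing key and token endpoint so the example runs offline (a real deployment fetches the public key from the realm's JWKS endpoint). It shows the checks the dashboard must do before trusting any claim from the token: pinned algorithm, signature, issuer, audience (set by the audience mapper in the import), expiry, and then an RBAC gate on `realm_access.roles` (set by the "realm roles" mapper).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

const Issuer = "https://autopilot-keycloak-host/realms/AUTOPILOT" // assumed: realm name from the callback URL in the thread; iss is the realm base URL
const ClientID = "autopilot"                                       // assumed stand-in for {{ AUTH_CLIENT }}

// Audience accepts both encodings Keycloak uses for "aud": a bare string (one audience) or an array.
type Audience []string
func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// Claims is the subset of the access token the dashboard authorizes on (names as the realm's mappers emit them).
type Claims struct {
	Iss               string   `json:"iss"`
	Aud               Audience `json:"aud"`
	Exp               int64    `json:"exp"`
	PreferredUsername string   `json:"preferred_username"`
	RealmAccess       struct{ Roles []string `json:"roles"` } `json:"realm_access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken stands in for Keycloak's token endpoint so the demo runs offline: an RS256 JWT
// shaped like a realm access token. Real tokens are verified against the realm's JWKS instead.
func MintToken(priv *rsa.PrivateKey, user string, roles []string, aud Audience, exp time.Time) (string, error) {
	var c Claims
	c.Iss, c.Aud, c.Exp, c.PreferredUsername = Issuer, aud, exp.Unix(), user
	c.RealmAccess.Roles = roles
	payload, _ := json.Marshal(c) // marshalling our own struct cannot fail
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken is what the relying party must do before trusting any claim: pin the algorithm (so alg=none
// and HMAC key-confusion tokens are rejected), verify the signature, then check issuer, audience and expiry.
func VerifyToken(token string, pub *rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != Issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case !slices.Contains(c.Aud, ClientID):
		return nil, fmt.Errorf("token was not issued for this client")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// HasRole is the RBAC gate: allow a dashboard action only if the realm role is carried in the verified token.
func HasRole(c *Claims, role string) bool { return slices.Contains(c.RealmAccess.Roles, role) }

func main() { // stand-alone demo: mint a token as the realm would, then verify it as the dashboard would
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := MintToken(key, "octocat", []string{"autopilot-viewer"}, Audience{ClientID}, time.Now().Add(5*time.Minute))
	c, err := VerifyToken(tok, &key.PublicKey, time.Now())
	fmt.Println(err, c != nil && HasRole(c, "autopilot-viewer"), c != nil && HasRole(c, "autopilot-admin"))
}
```

The role names `autopilot-viewer` and `autopilot-admin` are assumptions; they would be the realm roles you assign to team members (the import above starts with `roles.realm: []`). The order of checks matters: nothing in the payload is read until the signature has been verified under a pinned algorithm, and the audience check is what stops a token minted for some other client in the same realm from being accepted by the dashboard.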

Anish701 (Author) commented

Thank you for the suggestion! We will go ahead and implement GitHub as our identity provider.
