Posted to user@syncope.apache.org by Lionel SCHWARZ <li...@in2p3.fr> on 2022/03/25 17:06:24 UTC

Using Syncope REST endpoints with an OIDC authorizationCode

Dear all,

Considering I have enabled the OIDC extension and properly configured my OIDC provider (Keycloak), and considering I am able to retrieve an AuthorizationCode from this provider, how is it possible for me to use the REST endpoints with this authorization code?

Regards
Lionel

Re: Using Syncope REST endpoints with an OIDC authorizationCode

Posted by Lionel SCHWARZ <li...@in2p3.fr>.
Thanks, Francesco, for this very detailed answer. This is indeed what I suspected, but I was not 100% sure.
Best regards,
Lionel

----- On 26 Mar 22, at 6:55, Francesco Chicchiriccò ilgrosso@apache.org wrote:

> On 25/03/22 18:06, Lionel SCHWARZ wrote:
>> Dear all,
>>
>> Considering I have enabled the OIDC extension and properly configured my OIDC
>> provider (Keycloak), and considering I am able to retrieve an AuthorizationCode
>> from this provider, how is it possible for me to use the REST endpoints with
>> this authorization code?
> 
> Hi Lionel,
> the OpenID Connect client extension [1] is designed to work for UI (Console,
> Enduser), not for REST endpoints.
> 
> In fact, the extension adds some components that from one side implement the
> OIDC protocol communications in the UI itself, while using existing Syncope
> constructs and components on the other side.
> The overall OIDC client authentication process initiated by Syncope Console or
> Enduser ends up getting an ordinary Syncope JWT to authenticate REST calls
> to Core.
> 
> FYI, the SAML 2.0 extension [2] works in the same way.
> 
> It is indeed possible to authenticate REST calls by passing JWT values different
> from the ones generated by Syncope itself after authentication, by providing
> JWTSSOProvider [3] implementations.
> 
> Essentially, an implementation will need to provide at least two things:
> 
> 1. the JWT issuer value to match, for which the class will be invoked by Syncope
> 
> 2. a means to resolve the JWT claims into an existing Syncope user
> 
> It can also do other things, like using a different signature verification.
> 
> Syncope itself uses such an implementation for the default JWT format [4].
> You can also look at an example in the test code [5].
> 
> Hope this helps.
> Regards.
> 
> [1]
> https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
> [2]
> https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
> [3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
> [4]
> https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
> [5]
> https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
> 
> --
> Francesco Chicchiriccò
> 
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
> 
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/

Re: Using Syncope REST endpoints with an OIDC authorizationCode

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 25/03/22 18:06, Lionel SCHWARZ wrote:
> Dear all,
>
> Considering I have enabled the OIDC extension and properly configured my OIDC provider (Keycloak), and considering I am able to retrieve an AuthorizationCode from this provider, how is it possible for me to use the REST endpoints with this authorization code?

Hi Lionel,
the OpenID Connect client extension [1] is designed to work for UI (Console, Enduser), not for REST endpoints.

In fact, the extension adds some components that from one side implement the OIDC protocol communications in the UI itself, while using existing Syncope constructs and components on the other side.
The overall OIDC client authentication process initiated by Syncope Console or Enduser ends up getting an ordinary Syncope JWT to authenticate REST calls to Core.

FYI, the SAML 2.0 extension [2] works in the same way.

It is indeed possible to authenticate REST calls by passing JWT values different from the ones generated by Syncope itself after authentication, by providing JWTSSOProvider [3] implementations.

Essentially, an implementation will need to provide at least two things:

1. the JWT issuer value to match, for which the class will be invoked by Syncope

2. a means to resolve the JWT claims into an existing Syncope user

It can also do other things, like using a different signature verification.

Syncope itself uses such an implementation for the default JWT format [4].
You can also look at an example in the test code [5].

Hope this helps.
Regards.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
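The two things Francesco lists (issuer to match, claims-to-user resolution), with the checks a practitioner would want around them, as an added example that is not part of this thread nor of the Syncope project: a JWTSSOProvider for Keycloak-issued RS256 access tokens presented directly to Core's REST endpoints in the Authorization: Bearer header. It assumes the 2.1 interface shape visible in [4] and [5] (getIssuer(), resolve(JwtClaims), plus the CXF JwsSignatureVerifier methods getAlgorithm() and verify()); the package, class name, issuer URL, audience value and the UserDAO/AuthDataAccessor wiring are hypothetical and should be checked against [3]. The realm key is parsed from the base64 DER string Keycloak shows for the realm's RSA key. Note that the authorization code itself is never sent to Syncope: the client exchanges it at Keycloak's token endpoint and presents the resulting access token, which is what this provider validates.

```java
// Added example, not Syncope project code. Package, class and field names are hypothetical;
// the JWTSSOProvider / JwsSignatureVerifier method set is assumed from Syncope 2.1 ([4], [5]).
package net.example.syncope;

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.Set;

import org.apache.commons.lang3.tuple.Pair;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.JWTSSOProvider;
import org.apache.syncope.core.spring.security.SyncopeGrantedAuthority;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;

public class KeycloakJWTSSOProvider implements JWTSSOProvider {

    // 1. Issuer to match: Syncope hands a token to this provider only when its "iss" claim
    //    equals this string, so it must be exactly what the realm emits (hypothetical URL).
    private static final String ISSUER = "https://keycloak.example.org/auth/realms/syncope";

    // Client the token must be minted for (hypothetical); a valid realm token issued
    // for some other client is refused rather than silently accepted.
    private static final String EXPECTED_AUDIENCE = "syncope-rest";

    private final JwsSignatureVerifier delegate;

    @Autowired
    private UserDAO userDAO;

    @Autowired
    private AuthDataAccessor authDataAccessor;

    /**
     * @param realmPublicKeyBase64 the realm's RSA public key as Keycloak displays it
     *                             (base64-encoded DER, without PEM armor)
     */
    public KeycloakJWTSSOProvider(final String realmPublicKeyBase64) throws GeneralSecurityException {
        PublicKey realmKey = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(realmPublicKeyBase64)));
        // Asymmetric verification: Syncope holds only the public half, so a leak of Syncope's
        // configuration cannot be used to mint tokens (unlike the shared HMAC secret in [5]).
        this.delegate = new PublicKeyJwsSignatureVerifier(realmKey, SignatureAlgorithm.RS256);
    }

    @Override
    public String getIssuer() {
        return ISSUER;
    }

    @Override
    public SignatureAlgorithm getAlgorithm() {
        return delegate.getAlgorithm();
    }

    @Override
    public boolean verify(final JwsHeaders headers, final String unsignedText, final byte[] signature) {
        // Pin the algorithm to the one configured: a header claiming "none" or an HMAC
        // algorithm must not be allowed to steer how the signature is checked.
        if (headers.getSignatureAlgorithm() != SignatureAlgorithm.RS256) {
            return false;
        }
        return delegate.verify(headers, unsignedText, signature);
    }

    // 2. Claims -> Syncope user. Returning null is treated here as "no user"; how Core
    //    reacts to a null result should be confirmed against [4] and [5].
    @Transactional(readOnly = true)
    @Override
    public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims claims) {
        Long exp = claims.getExpiryTime();                       // "exp", seconds since epoch
        if (exp == null || exp * 1000L <= System.currentTimeMillis()) {
            return null;                                         // expired or open-ended token
        }
        List<String> audiences = claims.getAudiences();
        if (audiences == null || !audiences.contains(EXPECTED_AUDIENCE)) {
            return null;                                         // token meant for another client
        }
        // "preferred_username" is the OIDC claim Keycloak commonly fills with the login name;
        // "sub" would be more stable, but only if the realm's subject IDs are stored in Syncope.
        String username = claims.getStringProperty("preferred_username");
        if (username == null || username.isEmpty()) {
            return null;
        }
        User user = userDAO.findByUsername(username);
        if (user == null || Boolean.TRUE.equals(user.isSuspended())) {
            return null;                                         // unknown or suspended user
        }
        // Authorities come from Syncope's own roles and entitlements, not from the token:
        // Keycloak authenticates, Syncope authorizes.
        return Pair.of(user, authDataAccessor.getAuthorities(user.getUsername()));
    }
}
```

Register the class as a Spring bean in Core (with the base64 key as constructor argument), the way the test provider in [5] is wired; [3] describes how Core discovers JWTSSOProvider beans. Once in place, a caller that has exchanged its authorization code for a Keycloak access token can hit, for example, Core's users/self endpoint with that token as the Bearer value, and the issuer lookup will route verification and user resolution through this class. The expiry and audience checks are deliberately kept in resolve() even if Core also validates them: rechecking is cheap, and a token for the wrong client with a valid realm signature is the classic mistake such providers make.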