Posted to user@syncope.apache.org by Philipp Trenz <ma...@philipptrenz.de> on 2022/12/09 10:40:27 UTC

Bearer authentication for SCIM v2 extension endpoints?

Dear Syncope community,

I’m searching for a solution to provision users from Azure AD into a local Windows AD. Syncope looks very promising for this use case and I’m about to set up a Proof of Concept. For configuring Azure AD against the SCIMv2 extension, a static bearer authentication token is required. The default authentication method for the scim endpoints seems to be JWT, though.

TL;DR: How can I configure a static Bearer token for authentication against the SCIM v2 extension?

Many thanks

—
Philipp Trenz
Luisenplatz 3
14471 Potsdam
GERMANY

Mail: mail@philipptrenz.de
Phone: +49 176 44553932
Web: https://philipptrenz.de


Re: Bearer authentication for SCIM v2 extension endpoints?

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 09/12/22 11:40, Philipp Trenz wrote:
> Dear Syncope community,
>
> I’m searching for a solution to provision users from Azure AD into a local Windows AD. Syncope looks very promising for this use case and I’m about to set up a Proof of Concept. For configuring Azure AD against the SCIMv2 extension, a static bearer authentication token is required. The default authentication method for the scim endpoints seems to be JWT, though.
>
> TL;DR: How can I configure a static Bearer token for authentication against the SCIM v2 extension?

Hi Philipp,
glad of your interest in Apache Syncope.

The authentication configuration for all REST endpoints exposed by Core is defined by [1] so, in case you really want to dig into this topic or override some bean definition(s) into your project, that is definitely the starting point.

I am reading from [2] that Azure AD is using an OAuth 2.0 bearer token, which should still be in JWT format.
If this is the case, my suggestion is to add to your project an implementation of JWTSSOProvider [3].

The purpose of a JWTSSOProvider is to:

1. validate the provided "Authorization: Bearer" value, in the verify() method
2. resolve the extracted claims into an internal Syncope User, in the resolve() method

You can look at a sample implementation [4] or the one that is actually in use by default [5].

The typical use case for additional JWTSSOProvider implementations is to allow using JWT values not generated by Syncope itself to authorize access to Syncope REST endpoints.

HTH
Regards.

[1] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
[2] https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication
[3] https://syncope.apache.org/docs/3.0/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/master/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
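As an added illustration of the two duties Francesco lists (verify() the bearer value, then resolve() the claims to a Syncope user), here is a sketch of a custom JWTSSOProvider. It is example code written for this thread, not code from the Syncope project or from either poster. It assumes the Syncope 3.0 shape of the interface (JWTSSOProvider extends the nimbus-jose-jwt JWSVerifier, and resolve() returns a Pair of User and granted authorities), and the class name, package, issuer string, the "azure-scim-sync" technical username and the UserDAO.findByUsername() / AuthDataAccessor.getAuthorities() calls are all assumptions to be checked against the linked sources [4] and [5]. The idea is that the static value pasted into Azure AD's "Secret Token" field is a long-lived HS256 JWT minted once with a shared secret; the provider pins the algorithm, checks the signature and maps the subject to a single least-privileged technical user.

```java
package com.example.syncope.scim; // hypothetical package, not part of Syncope

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.jca.JCAContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.JWTSSOProvider;
import org.apache.syncope.core.spring.security.SyncopeGrantedAuthority;

// Example JWTSSOProvider for a static Azure AD SCIM provisioning token.
// Interface shape and helper calls are assumptions; compare with [4] and [5].
public class AzureScimJWTSSOProvider implements JWTSSOProvider {

    // "iss" claim the provisioning token must carry (assumed value).
    public static final String ISSUER = "azure-scim-provisioning";

    // Only this Syncope user may be resolved from the token (assumed username).
    private static final String TECHNICAL_USER = "azure-scim-sync";

    private final JWSVerifier delegate;
    private final UserDAO userDAO;
    private final AuthDataAccessor authDataAccessor;

    public AzureScimJWTSSOProvider(
            final String sharedSecret,
            final UserDAO userDAO,
            final AuthDataAccessor authDataAccessor) throws JOSEException {

        // HS256 needs a key of at least 32 bytes; load it from configuration
        // or a secret store rather than hard-coding it.
        this.delegate = new MACVerifier(sharedSecret.getBytes(StandardCharsets.UTF_8));
        this.userDAO = userDAO;
        this.authDataAccessor = authDataAccessor;
    }

    @Override
    public String getIssuer() {
        return ISSUER;
    }

    @Override
    public Set<JWSAlgorithm> supportedJWSAlgorithms() {
        // Advertise a single algorithm so "alg" confusion cannot widen what we accept.
        return Set.of(JWSAlgorithm.HS256);
    }

    @Override
    public JCAContext getJCAContext() {
        return delegate.getJCAContext();
    }

    @Override
    public boolean verify(final JWSHeader header, final byte[] signingInput, final Base64URL signature)
            throws JOSEException {

        // Pin the algorithm explicitly; MACVerifier alone would also accept HS384/HS512.
        if (!JWSAlgorithm.HS256.equals(header.getAlgorithm())) {
            return false;
        }
        return delegate.verify(header, signingInput, signature);
    }

    @Override
    public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JWTClaimsSet jwtClaims) {
        // The token is static and carries no expiry, so bind it to exactly one
        // technical account instead of trusting an arbitrary "sub" value.
        if (!TECHNICAL_USER.equals(jwtClaims.getSubject())) {
            return null;
        }

        User user = userDAO.findByUsername(TECHNICAL_USER);
        if (user == null) {
            return null;
        }

        // Entitlements come from the roles assigned to the technical user in Syncope,
        // so SCIM access can be scoped there rather than in the token.
        Set<SyncopeGrantedAuthority> authorities =
                authDataAccessor.getAuthorities(user.getUsername(), null);
        return Pair.of(user, authorities);
    }
}
```

The class is meant to be declared as a Spring bean in the project, next to the bean overrides Francesco points to in [1]. Because Azure AD keeps using the same bearer value for the lifetime of the provisioning job, rotation happens by changing the shared secret, re-minting the token and pasting the new value into the Azure portal; the technical user's roles should grant no more than the SCIM endpoints need.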