
OpenID Connect

DSF-Team

Overview

Access to the DSF BPE server user interface is controlled via access control roles. By default, users are authenticated only with X.509 client certificates, but authentication of local users via OAuth 2.0 OpenID Connect can be enabled in addition.

The DSF BPE server supports the Authorization Code Flow for the user interface. Back-Channel Logout is also supported.

BPE Reverse Proxy

The DSF BPE reverse proxy requires client certificates by default. To use OpenID Connect authentication, the reverse proxy configuration parameter SSL_VERIFY_CLIENT must be set to optional, so that a browser session without a client certificate is still accepted and can be redirected to the OpenID Connect login.

Authorization Code Flow

To enable authentication via OpenID Connect authorization code flow, set the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW to true and specify the following parameters:

Optionally, back channel logout can be enabled by setting DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT to true. The DSF BPE server accepts logout tokens at DEV_DSF_BPE_SERVER_BASE_URL + /back-channel-logout. The path can be modified via DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH.

Additional OIDC Configuration Parameters

A number of additional DEV_DSF_SERVER_AUTH_OIDC_... configuration parameters are described on the DSF BPE server configuration parameter page.

For example, the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS can be used to specify a PEM encoded file with trusted root certificates that is used when connecting to the OpenID Connect provider. If it is not specified, the JVM default trusted root certificates are used for this connection.

Example

services:
  app:
    image: ghcr.io/datasharingframework/bpe:1.5.1
    # ...
    secrets:
      - keycloak_root_ca.pem
      # ...
    environment:
      # ...
      DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
      DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
      DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-bpe
      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
    # ...
secrets:
  keycloak_root_ca.pem:
    file: ./secrets/keycloak_root_ca.pem
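The sections above describe several settings that only work in combination: the reverse proxy's SSL_VERIFY_CLIENT, the authorization code flow switch with its provider URL, client id and client secret, and the back-channel logout endpoint derived from DEV_DSF_BPE_SERVER_BASE_URL. The following Python script is an added example, not code from the DSF project or this page, that checks a BPE environment plus the reverse proxy setting for that consistency and computes the logout endpoint the provider must be pointed at. The environment dictionaries are constructed sample values (hostnames and the client secret are placeholders); the https check and the SSL_VERIFY_CLIENT check go slightly beyond the page by flagging a plain-http provider URL as a finding.

```python
from urllib.parse import urlparse

PREFIX = "DEV_DSF_SERVER_AUTH_OIDC_"
# Parameters that the page lists as required once the authorization code flow is enabled.
REQUIRED_FOR_CODE_FLOW = ("PROVIDER_REALM_BASE_URL", "CLIENT_ID", "CLIENT_SECRET")

# Constructed sample environment of the BPE container (placeholder values, not a real deployment).
SAMPLE_BPE_ENV = {
    "DEV_DSF_BPE_SERVER_BASE_URL": "https://bpe.test.org/bpe",
    PREFIX + "AUTHORIZATION_CODE_FLOW": "true",
    PREFIX + "BACK_CHANNEL_LOGOUT": "true",
    PREFIX + "PROVIDER_REALM_BASE_URL": "https://keycloak.test.org/realms/dsf",
    PREFIX + "PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS": "/run/secrets/keycloak_root_ca.pem",
    PREFIX + "CLIENT_ID": "dsf-bpe",
    PREFIX + "CLIENT_SECRET": "placeholder-client-secret",
}
# Constructed sample environment of the BPE reverse proxy container.
SAMPLE_PROXY_ENV = {"SSL_VERIFY_CLIENT": "optional"}


def is_true(env, key):
    """Compose environment values are strings; treat only 'true' (any case) as enabled."""
    return env.get(key, "").strip().lower() == "true"


def back_channel_logout_url(env):
    """Endpoint the OpenID Connect provider must POST logout tokens to:
    DEV_DSF_BPE_SERVER_BASE_URL + DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH,
    where the path defaults to /back-channel-logout as stated on the page."""
    base = env["DEV_DSF_BPE_SERVER_BASE_URL"].rstrip("/")
    path = env.get(PREFIX + "BACK_CHANNEL_LOGOUT_PATH", "/back-channel-logout")
    if not path.startswith("/"):
        path = "/" + path
    return base + path


def check_oidc_config(bpe_env, proxy_env):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if not is_true(bpe_env, PREFIX + "AUTHORIZATION_CODE_FLOW"):
        return findings  # OIDC login disabled: the remaining parameters are not in use

    # Without 'optional', the proxy rejects browsers that present no client certificate
    # before they ever reach the OIDC login redirect.
    if proxy_env.get("SSL_VERIFY_CLIENT") != "optional":
        findings.append("reverse proxy: SSL_VERIFY_CLIENT must be 'optional' for OIDC logins")

    for suffix in REQUIRED_FOR_CODE_FLOW:
        if not bpe_env.get(PREFIX + suffix):
            findings.append("missing " + PREFIX + suffix)

    # Added check beyond the page: the client secret and tokens are exchanged with the
    # provider, so the realm URL should be https.
    realm = bpe_env.get(PREFIX + "PROVIDER_REALM_BASE_URL", "")
    if realm and urlparse(realm).scheme != "https":
        findings.append("provider realm URL does not use https")

    if is_true(bpe_env, PREFIX + "BACK_CHANNEL_LOGOUT") and not bpe_env.get("DEV_DSF_BPE_SERVER_BASE_URL"):
        findings.append("back-channel logout enabled but DEV_DSF_BPE_SERVER_BASE_URL is unset")

    return findings


if __name__ == "__main__":
    for finding in check_oidc_config(SAMPLE_BPE_ENV, SAMPLE_PROXY_ENV) or ["configuration consistent"]:
        print(finding)
    print("logout endpoint:", back_channel_logout_url(SAMPLE_BPE_ENV))
```

Run it against the environment section of your own compose file after substituting the dictionaries; the logout endpoint it prints is the URL to register as the client's back-channel logout URL on the provider side.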