OpenID Connect
Overview
Access to the DSF BPE server user interface can be configured via access control roles. By default users are only authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.
The DSF BPE server supports Authorization Code Flow for the user interface. Back-Channel Logout is also supported.
BPE Reverse Proxy
The DSF BPE reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter SSL_VERIFY_CLIENT needs to be set to optional
.
Authorization Code Flow
To enable authentication via OpenID Connect authorization code flow, set the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW to true
and specify the following parameters:
- DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL
- DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID
- DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET
Optionally, back channel logout can be enabled by setting DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT to true
. The DSF BPE server accepts logout tokens at DEV_DSF_BPE_SERVER_BASE_URL + /back-channel-logout
. The path can be modified via DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH.
Additional ODIC Configuration Parameter
A number of additional DEV_DSF_SERVER_AUTH_OIDC ...
configuration parameter are specify on the DSF BPE server configuration parameter page.
For example the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specify the JVM default trusted root certificates are used for this connection.
Example
services:
app:
image: ghcr.io/datasharingframework/bpe:1.5.0
# ...
secrets:
- keycloak_root_ca.pem
# ...
environment:
# ...
DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-bpe
DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
# ...
secrets:
keycloak_root_ca.pem:
file: ./secrets/keycloak_root_ca.pem