Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Page Properties
hiddentrue
idrLANGDONE

Product Version
Report Note
Assignee

Resources & Remarks

Always keep at the same state! enaio - official help: https://help.optimal-systems.com/enaio/v910/admin/administrator/en/dienste/idprovider.htm
... with first 3 sections of this page.

yuuvis Impulse: https://wiki.optimal-systems.de/pages/viewpage.action?spaceKey=MAN&title=Keycloak

yuuvis Momentum & enaio: https://wiki.optimal-systems.de/display/EnaioServices/Keycloak

  • Antje: page started as collection of existing information, has to be split later on in yuuvis and enaio part and translated.
  • Antje: installation guide copied from official enaio documentation (English version) and modified for yuuvis.
  • Antje: information for yuuvis added (from Oktopus wiki)

Modification History

NameDateProduct VersionAction
Antje08 FEB 20212.4New page properties macro.
Antje27 SEP 20212021 WinterImpersonation Section added.
Agnieszka04 OCT 20212021 WinterrLANG
Antje10 NOV 20212021 Winterremove roles from access tokens
Agnieszka10 NOV 20212021 WinterrLANG

Suppressing Duplicate Information on Roles

Per default, the access token generated by Keycloak contains the roles of the currently logged-in user. The AUTHENTICATION service creates an internal JSON Web Token (JWT) that includes the unchanged Keycloak access token. However, in order to allow a separate role management, the AUTHENTICATION service requests the roles of the corresponding in a separate request and adds them to the internal JWT in addition to the Keycloak access token. The roles stored in the original Keycloak access token are a duplicate of the information and are always ignored. In order to reduce the size of the JWT, their inclusion in the Keycloak access token can be suppressed by applying the configuration adjustment described below. Thus, for any request to the yuuvis® Momentum API, the request header size is reduced.

  • Call the Keycloak Admin Console: http://localhost:8080/auth/admin/ with administrator login.
  • Select the realm for which the configuration is to be changed.
  • Open the Client Scopes.
  • Open the roles scope.
  • In the Mappers tab, delete the entries realm roles and client.
These configuration steps have to be applied to each realm in each Keycloak instance in which to suppress the inclusion of role information in the Keycloak access token.



Excerpt

Guideline for manual installation and configuration of keycloak as an identity provider for yuuvis® Momentum.

...

  • Request a token for the administrative user with the impersonation authorization:

    Code Block
    languagebash
    curl -k ^
      -d "client_id=admin-cli" ^
      -d "username=root" ^
      -d "password=changeme" ^
      -d "grant_type=password" ^
      "http://localhost:8080/auth/realms/tenant1/protocol/openid-connect/token"


  • Request a token for the account of the target user where the login is needed. The previously retrieved token of the administrative user is referenced as subject_token whereas the ID of the target user is specified as requested_subject.

    Code Block
    languagebash
    curl -k ^
      -H "Content-Type: application/x-www-form-urlencoded" ^
      -d "client_id=admin-cli" ^
      -d "requested_subject=cc14e5d4-e8da-4108-92ad-c87066aed4c3" ^
      -d "subject_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJueEZ..." ^
      --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" ^
      "http://localhost:8080/auth/realms/tenant1/protocol/openid-connect/token"

    The retrieved token can be used by the administrative user root for authentication in yuuvis® Momentum with the account of the target user.

  • The following command retrieves user-specific information on the user who will be logged in with the token specified in the authorization header. Check whether the token retrieved before identifies the desired target user. Thus, in this example, the command should retrieve a data set for the user with ID cc14e5d4-e8da-4108-92ad-c87066aed4c3.

    Code Block
    languagebash
    curl -k ^
      --request GET ^
      --url "http://localhost:8080/auth/realms/tenant1/protocol/openid-connect/userinfo" ^
      --header "accept: application/json" ^
      --header "authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi1dXVSZ3daQldhTTJZaXNlZElFXzg..."


Suppressing Duplicate Information on Roles

Per default, the access token generated by Keycloak contains the roles of the currently logged-in user. The AUTHENTICATION service creates an internal JSON Web Token (JWT) that includes the unchanged Keycloak access token. However, in order to allow a separate role management, the AUTHENTICATION service requests the roles of the corresponding in a separate request and adds them to the internal JWT in addition to the Keycloak access token. The roles stored in the original Keycloak access token are a duplicate of the information and are always ignored. In order to reduce the size of the JWT, their inclusion in the Keycloak access token can be suppressed by applying the configuration adjustment described below. Thus, for any request to the yuuvis® Momentum API, the request header size is reduced.

  • Call the Keycloak Admin Console: http://localhost:8080/auth/admin/ with administrator login.
  • Select the realm for which the configuration is to be changed.
  • Open the Client Scopes.
  • Open the roles scope.
  • In the Mappers tab, delete the entries realm roles and client.

These configuration steps have to be applied to each realm in each Keycloak instance in which to suppress the inclusion of role information in the Keycloak access token.

Summary

This article explained how to install and configure Keycloak as an identity provider and access management system for yuuvis® Momentum in a manual procedure.

...