FIspaceSPT
Seyhun Futaci
Technology behind FIspace Authentication and Authorization
The IDM service of FIspace provides an SSO solution for web apps, mobile apps and RESTful web services. It is an authentication server where users centrally log in, log out, register, and manage their user accounts.
The security components provide a federated IDM solution using separate domains (Keycloak realms). Each realm secures and manages the security metadata for its own set of users, applications, and registered OAuth clients.
Access tokens are used to secure web invocations. An access token contains security metadata specifying the identity of the user as well as the role mappings for that user; a service that receives one must check its signature against the realm's key before trusting those roles.
Features provided by FIspace
• SSO and Single Log Out for browser applications
• Social login using Google
• User registration
• Forgot-password support: the user can have a reset email sent to them
• User session management: an admin can view user sessions and which applications/clients hold an access token. Sessions can be invalidated per realm or per user.
• Integrated browser-app-to-REST-service token propagation
• OAuth bearer token authentication for REST services
• OAuth 2.0 grant requests
• SAML support
• Completely centrally managed user and role mapping metadata; minimal configuration on the application side
What happens?
The diagram on this slide is the abstract OAuth 2.0 protocol flow (RFC 6749, section 1.2) between four parties: the Client, the Resource Owner (the user), the Authorization Server (the FIspace IDM service, labelled "Authentication Server" on the slide) and the Resource Server (the protected REST service):
• Client → Resource Owner: authorization request
• Resource Owner → Client: authorization grant
• Client → Authorization Server: authorization grant
• Authorization Server → Client: access token
• Client → Resource Server: access token
• Resource Server → Client: protected resource
What do you need to configure your app?
• Basic understanding of OAuth
• A registered user with the "app developer" role
• An application registered on Keycloak
• A proper keycloak.json file, unique to your application
Sample keycloak.json
{
  "realm": "fispace",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "https://37.131.251.129:8443/auth",
  "ssl-required": "none",
  "resource": "fispace-frontend",
  "credentials": { "secret": "028d7825-2bb8-480d-ac0c-6c41e1aab6de" }
}
Two settings in this file deserve attention. "ssl-required": "none" tells the adapter that HTTPS is not required for any request, so a production deployment should use "external" (HTTPS for non-private addresses) or "all". The credentials.secret is the confidential client credential: a keycloak.json that contains one belongs on a server, never in files served to browsers; a pure HTML/JavaScript widget should be registered as a public client, whose keycloak.json carries no secret.
Step by Step
• Create a new user
• Request an "app developer" role using the email address [email protected]
• Register your application using the Developer Zone on the FIspace frontend
• Retrieve the keycloak.json file unique to your application
Step by Step
Click “Login” and start with the authentication steps.
How to log in to the FIspace platform using the EE (Experimentation Environment)?
On the IDM server, either log in with an already registered user or create a new one.
Accessing Developers Zone
Once your request for access to the Developers Zone has been granted by the FIspace administration, you will see the "Developers Zone" link on the Frontend.
Register your Application
Simply enter the requested information and register your application.
Get keycloak.json file
Get the keycloak.json file for your registered application
Adapters
Keycloak can secure a wide variety of Java applications. However, you need to use Keycloak adapters to secure your applications.
• Adapters can be downloaded from the official Keycloak website.
• Adapters are specific to the web server as well as to the version of Keycloak.
  – The Experimentation Environment currently uses Keycloak 1.0.4.
  – In the Preliminary Integration Environment the FIspace team is testing 1.1.0.
• The Keycloak adapter needs to be declared as a dependency of your application.
• For any other programming language, a generic OAuth 2.0 client library is sufficient to add authentication to your application, since the server exposes standard OAuth 2.0 endpoints.
How to Integrate Widgets? Pre-requisites…
The Keycloak server comes with a JavaScript adapter, a library you can use to secure pure HTML/JavaScript applications: http://<keycloak server>/auth/js/keycloak.js
What do you need?
• Basic understanding of JavaScript and HTML
• keycloak.json file created using the FIspace frontend
• config.xml file created using FIspace Studio
• jQuery JS library
How to Integrate Widgets?
After generating config.xml using FIspace Studio, create an HTML file (shown on the slide) that loads keycloak.js and checks whether the user is authenticated.
Properties
Object
• authenticated - true if the user is authenticated
• token - the base64-encoded token that can be sent in the Authorization header in requests to services
• tokenParsed - the parsed token
• subject - the user id
Parsed Token
• name
• nickname
• preferred_username
• Profile
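How a widget actually uses those properties, as an added example (written for this page, not FIspace's widget code or keycloak.js itself). The helper functions take the adapter object's authenticated, token, tokenParsed and subject fields and produce the Authorization header for a REST call, a role check on the token's realm_access/resource_access role mappings, and a decision on whether to refresh before calling a service; they run anywhere, and the sampleKeycloak object is a constructed stand-in, not a real FIspace token. The browser wiring at the end only executes inside a page that has loaded keycloak.js and jQuery; its calls (Keycloak(config), init with onLoad, .success/.error, updateToken, login) follow the Keycloak 1.x JavaScript adapter documentation, and the /rest/profile endpoint, the "user" element and the 30 s refresh margin are assumptions.

```javascript
// Pure helpers: usable in the widget and testable outside a browser

// Header for "Integrated Browser App to REST Service token propagation": refuse to build one
// for an unauthenticated adapter instead of sending an empty bearer value to the service.
function authorizationHeader(kc) {
  if (!kc.authenticated || !kc.token) {
    throw new Error('not authenticated; call keycloak.login() before calling a service');
  }
  return { Authorization: 'Bearer ' + kc.token };
}

// Realm-level role mapping as carried in tokenParsed.realm_access.roles
function hasRealmRole(tokenParsed, role) {
  var roles = tokenParsed && tokenParsed.realm_access && tokenParsed.realm_access.roles;
  return Array.isArray(roles) && roles.indexOf(role) !== -1;
}

// Client-level role mapping as carried in tokenParsed.resource_access[clientId].roles
function hasClientRole(tokenParsed, clientId, role) {
  var access = tokenParsed && tokenParsed.resource_access && tokenParsed.resource_access[clientId];
  return !!access && Array.isArray(access.roles) && access.roles.indexOf(role) !== -1;
}

// Refresh when fewer than marginSeconds of validity remain; a token without exp is treated as stale
function needsRefresh(tokenParsed, nowSeconds, marginSeconds) {
  if (!tokenParsed || typeof tokenParsed.exp !== 'number') return true;
  return tokenParsed.exp - nowSeconds < marginSeconds;
}

// View model for the widget, built only from the adapter properties listed above
function widgetState(kc, nowSeconds) {
  if (!kc.authenticated) return { loggedIn: false };
  var t = kc.tokenParsed || {};
  return {
    loggedIn: true,
    userId: kc.subject,
    displayName: t.name || t.preferred_username || kc.subject,
    isAppDeveloper: hasRealmRole(t, 'app developer'),
    needsRefresh: needsRefresh(t, nowSeconds, 30),
  };
}

// Constructed stand-in for the keycloak object after a successful init (not a real FIspace token)
var sampleKeycloak = {
  authenticated: true,
  token: 'header.payload.signature', // placeholder; only its presence matters for these helpers
  subject: 'user-123',
  tokenParsed: {
    sub: 'user-123', name: 'Alice Example', preferred_username: 'alice', exp: 1700000300,
    realm_access: { roles: ['app developer'] },
  },
};

function demoState() { return widgetState(sampleKeycloak, 1700000000); }

// Browser wiring: runs only in a page that loaded keycloak.js and jQuery
if (typeof window !== 'undefined' && typeof Keycloak === 'function') {
  var keycloak = Keycloak('keycloak.json'); // the file obtained from the FIspace frontend
  keycloak.init({ onLoad: 'login-required' }).success(function () {
    var state = widgetState(keycloak, Math.floor(Date.now() / 1000));
    document.getElementById('user').textContent = state.displayName; // assumed element
    // refresh if the token expires within 30 s, then propagate it to the REST service
    keycloak.updateToken(30).success(function () {
      $.ajax({ url: '/rest/profile', headers: authorizationHeader(keycloak) }) // assumed endpoint
        .done(function (profile) { console.log('profile', profile); });
    }).error(function () { keycloak.login(); });
  });
}
```

The role checks here are for deciding what the widget shows; the REST service must repeat them on the verified token, since anything the browser decides can be bypassed.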
More information can be found at https://bitbucket.org/fispace/core/wiki/Home
Thank you
Contributors: Serdar Arslan
Engin Dagdeviren