Authorizing Users in a Model that Supports OpenID Authentication
The OSLC implementation in Pro Cloud Server supports a type of OpenID authentication called 'Authentication using the Authorization Code Flow'. The process of authorizing the user has these steps:
- The user sends an authorization request to the Authorization Endpoint in the OpenID Server.
- The OpenID Server authenticates the user and sends them an Authorization Code.
- The user POSTs the Authorization Code to OSLC using the /oslc/am/login/ call.
- OSLC validates the Authorization Code by contacting the OpenID Server.
- Successful validation returns XML containing the User Authentication Token (amongst other information) in the XML element 'ss:useridentifier'.
User Authentication Token in a Model that Supports OpenID Authentication
| Step | Action | See also |
|---|---|---|
| 1 | Determine the Authorization Endpoint in the OpenID Server by retrieving the Service Provider Resource (using the /oslc/am/sp/ call). If the model supports OpenID Authentication, and if Pro Cloud Server is able to contact the OpenID Server, the Authorization Endpoint will be available in the oslc:authorizationURI element. | |
| 2 | Send a GET request to the Authorization Endpoint from a web browser to authorize the user. The authorization request has this format: `<AUTHORIZATION ENDPOINT>?response_type=code&client_id=<CLIENT ID>&scope=<SCOPE>&redirect_uri=<REDIRECT URI>` For example: `http://192.168.1.106:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=WebEA&scope=openid&redirect_uri=http://localhost/openid/callback` | |
| 3 | When the user has been authenticated, the OpenID Server sends an Authorization Code back to the user as the `code` URL parameter of the redirect URI. For example: `http://localhost/openid/callback?session_state=18f42600&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4` | |
| 4 | Retrieve the value of the URL parameter `code` and send it to OSLC by POSTing it to the URL `<protocol>://<server>/<model_name>/oslc/am/login/` with the POST body `sso=openid;code=<AUTHORIZATION CODE>;redirecturi=<REDIRECT URI>`. For example, the POST body might be: `sso=openid;code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4;redirecturi=http://localhost/openid/callback;` | |
| 5 | OSLC validates the Authorization Code by contacting the OpenID Server and, if successful, returns a response XML that contains a User Authentication Token. Pass this User Authentication Token with every OSLC Resource/Resource Feature Create, Update, Retrieve and Delete request. | |
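The client side of steps 2 to 5, as an added example that is not part of Pro Cloud Server or its documentation: it builds the Authorization Endpoint request, takes the `code` parameter from the redirect only if the redirect landed on the registered redirect URI, builds the /oslc/am/login/ POST body, and reads the token from `ss:useridentifier`. The sample login response and its `ss` namespace URI are constructed placeholders; the element is matched by local name so the real namespace need not be known.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Constructed sample of the /oslc/am/login/ response; the 'ss' namespace URI
# is a placeholder, not Pro Cloud Server's real one.
SAMPLE_LOGIN_RESPONSE = (
    '<ss:response xmlns:ss="urn:example:placeholder">'
    '<ss:useridentifier>TOKEN-0123456789</ss:useridentifier>'
    '</ss:response>'
)


def build_authorization_url(endpoint, client_id, scope, redirect_uri):
    """Step 2: the GET request sent to the Authorization Endpoint."""
    params = {"response_type": "code", "client_id": client_id,
              "scope": scope, "redirect_uri": redirect_uri}
    return f"{endpoint}?{urlencode(params)}"


def extract_code(callback_url, expected_redirect_uri):
    """Steps 3-4: read 'code' from the redirect the browser landed on, but only
    if it landed on the registered redirect URI (scheme, host and path)."""
    got, want = urlsplit(callback_url), urlsplit(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive on the registered redirect URI")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback carries no single 'code' parameter")
    return codes[0]


def build_login_post_body(code, redirect_uri):
    """Step 4: body for POST <protocol>://<server>/<model_name>/oslc/am/login/"""
    # ';' separates the fields of this body and the page gives no escaping rule,
    # so a value containing it is rejected rather than silently corrupted.
    if ";" in code or ";" in redirect_uri:
        raise ValueError("';' is the field separator and cannot appear in a value")
    return f"sso=openid;code={code};redirecturi={redirect_uri}"


def extract_user_token(login_response_xml):
    """Step 5: the User Authentication Token from the 'ss:useridentifier' element."""
    root = ET.fromstring(login_response_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "useridentifier" and el.text and el.text.strip():
            return el.text.strip()
    raise ValueError("no ss:useridentifier element in login response")
```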
Notes
- This facility is available through the Pro Cloud Server, with a valid license
- An OSLC request will not be processed by the Pro Cloud Server unless the User Authentication Token is passed in with the request on a security-enabled model
- 30 minutes of inactivity will log you out of a model; you will have to log in again by POSTing to the credential validation URL
- In the Authorization Endpoint GET request, values for the URL parameters 'client_id', 'scope' and 'redirect_uri' will be defined/available in the OpenID Server configuration