- New Feature
- Resolution: Fixed
- Neutral
- AdminX 15, AdminX 16
- 5
Context:
- In SSO 3.0 we support multiple client configurations, including the direct client, which lets users access content/pages using an access token. We provide two "fixed" authenticators to validate/grant access for a given access token:
- clients.spa (mapped to the ClientType.SPA enum): CustomUserInfoOidcAuthenticator relies on UserInfoOidcAuthenticator from Pac4j and actually returns Pac4j's JWTClaimsSet (later put into the UserProfile), with the same data as the Userinfo endpoint (http://localhost:8180/auth/realms/mgnl/protocol/openid-connect/userinfo)
- clients.e2e (mapped to the ClientType.E2E enum): validates the token using the Token Introspection endpoint, reads the response and creates an OidcProfile from the response info.
- The SSO configuration depends on the ClientType enum (the map key above) to distinguish them and create different Pac4j clients accordingly.
- Check out these classes:
- Pac4jConfigProvider#loadPac4jConfig
- SsoConfig#ClientType
ACs:
- Make the authenticator configurable for various providers, because they all differ (some of them don't have a Token Introspection endpoint)
- Create the Pac4j clients in a more dynamic way (get rid of the ClientType enum)
Notes:
- Adapt the SSO config for SaaS if needed
- Reference: inspiring doc for improving the multi-client config: https://www.pac4j.org/docs/config-module.html
Discovery
- Get inspired by the PropertiesConfigFactory from Pac4j (https://www.pac4j.org/docs/config-module.html) to refactor the clients configuration
- Move the authorizationGenerators to the same level as "clients", then reference them from the client configuration
- Make the Authenticator configurable for DirectClient only: define constant values like "userInfoAuthenticator" and "tokenIntrospectionAuthenticator" and create the authenticator programmatically when creating the directClient
- Attached example MpConfig for reference (not the final version)
- Update documentation
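The Discovery items above sketch a name-keyed client configuration that picks the authenticator by a string constant instead of the ClientType enum. The following is an added illustration of that idea, not code from the SSO module; it assumes pac4j 5.x (DirectBearerAuthClient, UserInfoOidcAuthenticator) and a hypothetical TokenIntrospectionAuthenticator class standing in for the module's own introspection-based authenticator. Note that an unknown authenticator name is rejected rather than silently falling back to a default, so a configuration typo cannot open an unvalidated path.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

import org.pac4j.core.client.Client;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.http.client.direct.DirectBearerAuthClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator;

/**
 * Builds pac4j direct clients from a name-keyed configuration instead of the
 * ClientType enum. Each client entry names its authenticator by a string
 * constant; unknown names fail fast rather than falling back to a default.
 */
public final class DirectClientFactory {

    // Authenticator names as they would appear in the client configuration.
    public static final String USER_INFO_AUTHENTICATOR = "userInfoAuthenticator";
    public static final String TOKEN_INTROSPECTION_AUTHENTICATOR = "tokenIntrospectionAuthenticator";

    private final Map<String, Function<OidcConfiguration, Authenticator>> registry;

    public DirectClientFactory() {
        this.registry = Map.of(
            USER_INFO_AUTHENTICATOR, UserInfoOidcAuthenticator::new,
            // Hypothetical class: pac4j ships no token-introspection authenticator,
            // so this stands in for the module's own implementation.
            TOKEN_INTROSPECTION_AUTHENTICATOR, TokenIntrospectionAuthenticator::new);
    }

    /** clientConfigs maps a client name (e.g. "spa", "e2e") to its settings. */
    public List<Client> createClients(Map<String, Map<String, String>> clientConfigs, OidcConfiguration oidc) {
        List<Client> clients = new ArrayList<>();
        clientConfigs.forEach((name, settings) -> {
            String authName = settings.get("authenticator");
            Function<OidcConfiguration, Authenticator> ctor = registry.get(authName);
            if (ctor == null) {
                // Fail closed: a misspelled or missing name must not grant access via a default.
                throw new IllegalArgumentException(
                    "Client '" + name + "': unknown authenticator '" + authName + "'");
            }
            DirectBearerAuthClient client = new DirectBearerAuthClient(ctor.apply(oidc));
            client.setName(name);
            clients.add(client);
        });
        return clients;
    }
}
```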
Acceptance criteria
Relates to:
- MGNLSSO-96 Non-interactive SSO access to REST endpoints (Closed)
- MGNLSSO-78 Rebase SSO cloud feature branch on top of SSO 2.0 (Closed)
| # | Step | Status | Assignee |
|---|------|--------|----------|
| 1 | Implementation | Completed | Nguyen Phung Chi |
| 2 | Review | Closed | Unassigned |
| 3 | PiQA | Closed | Nguyen Phung Chi |
| 4 | Final QA | Closed | Evzen Fochr |