Single Sign On / MGNLSSO-132

Enhance multiple clients configuration and support configurable authenticator for direct client


Details

    • New Feature
    • Resolution: Fixed
    • Neutral
    • 3.0.0
    • AdminX 15, AdminX 16
    • 5

    Description

      Context:

      1. In SSO 3.0, we support a multiple-clients configuration that includes the direct client, which allows users to access content/pages using an Access Token. We provided 2 "fixed" authenticators to validate/grant access for a given access token:
        • clients.spa (mapped to the ClientType.SPA enum): CustomUserInfoOidcAuthenticator relies on UserInfoOidcAuthenticator from Pac4j; it returns Pac4j's JWTClaimsSet (put into the UserProfile later) with the same data as the Userinfo endpoint (http://localhost:8180/auth/realms/mgnl/protocol/openid-connect/userinfo)
        • clients.e2e (mapped to the ClientType.E2E enum): validates the token using the Token Introspection endpoint, gets the response and creates an OidcProfile from the response info.
      2. The SSO configuration depends on the ClientType enum (or the Map key above) to distinguish them and create different Pac4j Clients from that.
        • Check out these classes:
          • Pac4jConfigProvider#loadPac4jConfig
          • SsoConfig#ClientType

      ACs:

      • Make the authenticator configurable for the various providers, because they are all different (some of them don't have a Token Introspection endpoint)
      • Create the Pac4j Clients in a more dynamic way (get rid of the ClientType enum)

      Notes:

      Discovery

      • Get inspired by the PropertiesConfigFactory from Pac4j (https://www.pac4j.org/docs/config-module.html) to refactor the clients configuration
      • Move the authorizationGenerators to the same level as "clients", then reference them from the client configuration
      • Make the Authenticator configurable for the DirectClient only: define constant values like "userInfoAuthenticator" and "tokenIntrospectionAuthenticator" and create the authenticator programmatically when creating the directClient
      • Attached example MpConfig for reference (not the final version)
      • Update documentation
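      As an added model of the configuration shape the Discovery notes propose (not the Magnolia SSO module's own code): authorizationGenerators sit beside clients and are referenced by name, and a direct client names its authenticator by constant instead of being selected through a ClientType enum. The key names, the authenticator registry and the sample config are assumptions; unknown authenticator names and dangling generator references are rejected rather than silently ignored.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constant names the issue proposes for selecting the direct client's authenticator.
USER_INFO_AUTHENTICATOR = "userInfoAuthenticator"
TOKEN_INTROSPECTION_AUTHENTICATOR = "tokenIntrospectionAuthenticator"

# Registry keyed by that name replaces the ClientType enum. Values are stand-ins
# (assumed shape) for the Pac4j authenticators: userinfo endpoint vs. token introspection.
AUTHENTICATORS = {
    USER_INFO_AUTHENTICATOR: lambda spec: {"kind": USER_INFO_AUTHENTICATOR, "url": spec["userinfoUrl"]},
    TOKEN_INTROSPECTION_AUTHENTICATOR: lambda spec: {"kind": TOKEN_INTROSPECTION_AUTHENTICATOR, "url": spec["introspectionUrl"]},
}

@dataclass
class Client:
    name: str
    direct: bool                # direct client: bearer access token, no redirect flow
    authenticator: dict | None  # only direct clients carry one
    authorization_generators: list[str] = field(default_factory=list)

def build_clients(config: dict) -> dict[str, Client]:
    """Create clients from the flat config; authorizationGenerators are referenced by name."""
    generators = config.get("authorizationGenerators", {})
    clients: dict[str, Client] = {}
    for name, spec in config["clients"].items():
        refs = list(spec.get("authorizationGenerators", []))
        missing = [r for r in refs if r not in generators]
        if missing:  # dangling reference is a config error, not a silently empty authorization
            raise ValueError(f"client {name!r}: unknown authorizationGenerators {missing}")
        authenticator = None
        if spec.get("direct"):
            kind = spec.get("authenticator")
            if kind not in AUTHENTICATORS:  # unknown or missing name: fail closed
                raise ValueError(f"client {name!r}: unsupported authenticator {kind!r}")
            authenticator = AUTHENTICATORS[kind](spec)
        clients[name] = Client(name, bool(spec.get("direct")), authenticator, refs)
    return clients

# Constructed sample config in the proposed shape (not the attached MpConfig).
SAMPLE_CONFIG = {
    "authorizationGenerators": {"mgnlRoles": {"defaultRoles": ["anonymous"]}},
    "clients": {
        "web": {"direct": False, "authorizationGenerators": ["mgnlRoles"]},
        "api": {"direct": True, "authenticator": TOKEN_INTROSPECTION_AUTHENTICATOR,
                "introspectionUrl": "https://idp.example/introspect",
                "authorizationGenerators": ["mgnlRoles"]},
    },
}
```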


              People

                nguyen.phung Nguyen Phung Chi
                AdminX

                Time Tracking

                  Estimated: Not Specified
                  Remaining: Not Specified
                  Logged: 12d 0.5h