[MGNLSSO-132] Enhance multiple clients configuration and support configurable authenticator for direct client Created: 31/May/22  Updated: 18/Aug/22  Resolved: 17/Aug/22

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.0

Type: New Feature Priority: Neutral
Reporter: Nguyen Phung Chi Assignee: Nguyen Phung Chi
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: 12d 0.5h Time Spent: 12d 0.5h
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: image-2022-07-20-13-28-53-973.png (PNG file), microprofile-config.yaml (file)
Issue Links:
Relates
relates to MGNLSSO-96 Non-interactive SSO access to REST en... Closed
relates to MGNLSSO-78 Rebase SSO cloud feature branch on to... Closed
Sub-Tasks:
Key | Summary | Type | Status | Assignee
MGNLSSO-158 | Implementation | Technical task | Completed | Nguyen Phung Chi
MGNLSSO-159 | Review | Technical task | Closed |
MGNLSSO-160 | PiQA | Technical task | Closed | Nguyen Phung Chi
MGNLSSO-161 | Final QA | Technical task | Closed | Evzen Fochr
Template:
Acceptance criteria:
Empty
Epic Link: SSO support for custom IdPs
Sprint: AdminX 15, AdminX 16
Story Points: 5
Team: AdminX

Description:

Context:

  1. In SSO 3.0, we support a multiple-clients configuration that includes the direct client, which allows users to access content/pages using an Access Token. We provide two "fixed" authenticators to validate the given access token and grant access:
    • clients.spa (mapped to the ClientType.SPA enum): CustomUserInfoOidcAuthenticator relies on Pac4j's UserInfoOidcAuthenticator; it actually returns Pac4j's JWTClaimsSet (put into the UserProfile later) with the same data as the Userinfo endpoint (http://localhost:8180/auth/realms/mgnl/protocol/openid-connect/userinfo)
    • clients.e2e (mapped to the ClientType.E2E enum): validates the token using the Token Introspection endpoint, gets the response and creates an OidcProfile from the response info.
  2. The SSO configuration depends on the ClientType enum (or Map key, above) to distinguish the clients and create different Pac4j Clients from that.
    • Check out these classes:
      • Pac4jConfigProvider#loadPac4jConfig
      • SsoConfig#ClientType

ACs:

  • Make the authenticator configurable for the various providers, because they are all different (some of them don't have a Token Introspection endpoint)
  • Create the Pac4j Clients in a more dynamic way (get rid of the ClientType enum)

Notes:

Discovery

  • Take inspiration from Pac4j's PropertiesConfigFactory (https://www.pac4j.org/docs/config-module.html) to refactor the clients configuration
  • Separate the authorizationGenerators to the same level as "clients", then reference them from the client configuration
  • Make the Authenticator configurable for the DirectClient only: define constant values like "userInfoAuthenticator" and "tokenIntrospectionAuthenticator" and create the authenticator programmatically when creating the directClient
  • Attached example MpConfig for reference (not the final version)
  • Update documentation
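Sketch of the configurable-authenticator design from the Discovery notes, as an added example (not Magnolia's or Pac4j's code): the two constant names select how a direct client's access token is validated, with the introspection path enforcing the `active` flag from RFC 7662 and refusing an unknown name at startup. The `AccessTokenAuthenticator` interface, the `introspectionUri` key and the injected `userInfoCall`/`introspectionCall` functions are assumptions standing in for Pac4j's `Authenticator` and the real HTTP calls to the IdP.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

// Hypothetical stand-in for pac4j's Authenticator: profile attributes for a valid token, empty to reject.
interface AccessTokenAuthenticator {
    Optional<Map<String, Object>> validate(String accessToken);
}

final class DirectClientAuthenticators {
    static final String USER_INFO = "userInfoAuthenticator";
    static final String TOKEN_INTROSPECTION = "tokenIntrospectionAuthenticator";

    // Builds the authenticator named in a client entry, e.g. clients.e2e.authenticator=tokenIntrospectionAuthenticator.
    // userInfoCall / introspectionCall stand for the HTTP calls to the IdP (assumed, injected for testability).
    static AccessTokenAuthenticator create(String name, Map<String, String> clientConfig,
                                           Function<String, Map<String, Object>> userInfoCall,
                                           Function<String, Map<String, Object>> introspectionCall) {
        switch (name) {
            case USER_INFO:
                // The userinfo endpoint only answers for a token it accepts, so its claims become the profile.
                return token -> Optional.ofNullable(userInfoCall.apply(token));
            case TOKEN_INTROSPECTION:
                if (!clientConfig.containsKey("introspectionUri")) {
                    throw new IllegalStateException(TOKEN_INTROSPECTION + " requires introspectionUri");
                }
                return token -> {
                    Map<String, Object> response = introspectionCall.apply(token);
                    // RFC 7662: only active=true means the token is valid; an expired token is refused as well.
                    if (!Boolean.TRUE.equals(response.get("active"))) return Optional.empty();
                    Object exp = response.get("exp");
                    if (exp instanceof Number
                            && Instant.ofEpochSecond(((Number) exp).longValue()).isBefore(Instant.now())) {
                        return Optional.empty();
                    }
                    return Optional.of(response);
                };
            default:
                // Fail at startup instead of silently falling back to a default authenticator.
                throw new IllegalArgumentException("Unknown authenticator '" + name + "' (expected "
                        + USER_INFO + " or " + TOKEN_INTROSPECTION + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed introspection responses standing in for the IdP.
        Map<String, Object> active = Map.of("active", true, "sub", "alice", "exp", Instant.now().getEpochSecond() + 300);
        Map<String, Object> inactive = Map.of("active", false);
        AccessTokenAuthenticator auth = create(TOKEN_INTROSPECTION, Map.of("introspectionUri", "https://idp.example/introspect"),
                t -> Map.of(), t -> t.equals("good-token") ? active : inactive);
        System.out.println("good-token valid: " + auth.validate("good-token").isPresent());
        System.out.println("revoked-token valid: " + auth.validate("revoked-token").isPresent());
    }
}
```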

Generated at Mon Feb 12 10:51:24 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.