OpenID Connect support (#865)
* Added OpenID Connect support

  Utilized Spring Security's OAuth2 respectively OIDC support as another possibility to manage users and their permissions.

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>

* Document OpenID Connect Support

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>

* Updated license in OidcUserManagementAutoConfiguration.java

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>

* Revert updated license notice and add Kiwigrid license file

  This reverts commit 23d36245

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>

* Resolve SonarQube issues

  - Explicitly import the needed specific classes
  - Document public methods
  - Add `static` to the constant `JwtAuthoritiesOidcUserService.INVALID_REQUEST`
  - Remove superfluous runtime exception `OAuth2AuthenticationException`

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>

* Add OidcUser support in SpringSecurityAuditorAware

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>

* Secure Management API using OpenID Connect, too.

  Signed-off-by: Brandon Schmitt <Brandon.Schmitt@kiwigrid.com>
committed by Dominic Schabel
parent 38017ba7bc
commit 1bcced9838
@@ -7,7 +7,7 @@ weight: 52
Authorization is handled separately for _Direct Device Integration (DDI) API_ and _Device Management Federation (DMF) API_ (where successful authentication includes full authorization) and _Management API_ and _UI_ which is based on Spring security [authorities](https://github.com/eclipse/hawkbit/blob/master/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/im/authentication/SpPermission.java).
<!--more-->
However, keep in mind that hawkBit does not offer an off the shelf authentication provider to leverage these permissions and the underlying multi user/tenant capabilities of hawkBit. Check out [Spring security documentation](http://projects.spring.io/spring-security/) for further information. In hawkBit [SecurityAutoConfiguration](https://github.com/eclipse/hawkbit/blob/master/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java) is a good starting point for integration.
However, keep in mind that hawkBit does not offer an off the shelf authentication provider to leverage these permissions and the underlying multi user/tenant capabilities of hawkBit but it supports authentication providers offering an OpenID Connect interface. Check out [Spring security documentation](http://projects.spring.io/spring-security/) for further information. In hawkBit [SecurityAutoConfiguration](https://github.com/eclipse/hawkbit/blob/master/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityAutoConfiguration.java) is a good starting point for integration.
The default implementation is single user/tenant with basic auth and the logged in user is provided with all permissions. Additionally, the application properties may be configured for multiple static users; see [Multiple Users](#multiple-users) for details.
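Review bot: the rewritten sentence on the new line says in one breath that hawkBit "does not offer an off the shelf authentication provider" and "but it supports authentication providers offering an OpenID Connect interface", which reads as a contradiction and buries the actual news; split it into two sentences, e.g. "hawkBit does not ship its own authentication provider for these permissions and its multi user/tenant capabilities. It can, however, delegate authentication to any provider that offers an OpenID Connect interface; see the OpenID Connect section below." Two nits on the same line: hyphenate "off-the-shelf", and the Spring Security documentation link still uses plain http.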
@@ -41,6 +41,18 @@ An example configuration is given below.
A permissions value of `ALL` will provide that user with all possible permissions. Passwords need to be specified with the used password encoder in brackets. In this example, `noop` is used as the plaintext encoder. For production use, it is recommended to use a hash function designed for passwords such as *bcrypt*. See this [blog post](https://spring.io/blog/2017/11/01/spring-security-5-0-0-rc1-released#password-storage-format) for more information on password encoders in Spring Security.
### OpenID Connect
hawkbit supports authentication providers which use the OpenID Connect standard, an authentication layer built on top of the OAuth 2.0 protocol.
An example configuration is given below.
spring.security.oauth2.client.registration.oidc.client-id=clientID
spring.security.oauth2.client.registration.oidc.client-secret=oidc-client-secret
spring.security.oauth2.client.provider.oidc.issuer-uri=https://oidc-provider/issuer-uri
spring.security.oauth2.client.provider.oidc.authorization-uri=https://oidc-provider/authorization-uri
spring.security.oauth2.client.provider.oidc.token-uri=https://oidc-provider/token-uri
spring.security.oauth2.client.provider.oidc.user-info-uri=https://oidc-provider/user-info-uri
spring.security.oauth2.client.provider.oidc.jwk-set-uri=https://oidc-provider/jwk-set-uri
### Delivered Permissions
- READ_/UPDATE_/CREATE_/DELETE_TARGETS for:
- Target entities including metadata (that includes also the installed and assigned distribution sets)
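Review bot: the new "### OpenID Connect" section documents the client registration but says nothing about how the provider's claims turn into hawkBit permissions, so a reader cannot tell which claim or role a user needs in order to receive, say, READ_TARGETS from the "Delivered Permissions" list that follows; since the commit message introduces a `JwtAuthoritiesOidcUserService` that derives authorities from the token, state here which token and which claim it reads and how the values map onto those permissions. Two smaller points on the property block: say which of `issuer-uri`, `authorization-uri`, `token-uri`, `user-info-uri` and `jwk-set-uri` a deployment actually has to set, because placeholder values such as `https://oidc-provider/token-uri` give no hint whether all five are required; and add a caveat next to `spring.security.oauth2.client.registration.oidc.client-secret=oidc-client-secret` that the secret should not live in a checked-in properties file, mirroring the production warning the page already gives for `noop` passwords in the preceding paragraph.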